One of the hidden issues in online storage is privacy. Specifically, almost all online storage providers have the ability to examine your data or hand it over to law enforcement, even if the provider has encrypted your data.
Hopefully, most of us will never have to deal with the law-enforcement scenario, but even the realization that a rogue employee at an online data storage provider could peek into what we keep online can cause concern. For some, it’s enough concern to avoid using cloud storage at all.
The solution is simple: encrypt the data yourself.
Unfortunately, implementing that “simple” solution isn’t always that simple or transparent, and can add a layer of complexity to online storage some find just as intimidating.
The hidden issue
Online storage is powerful when used properly. By “properly,” I mean the account used is set up with appropriate security, and the data you place online is backed up somewhere else as well. Ignoring either of those items can lead to permanent data loss or worse.
Even with those basics covered, though, a potential privacy issue remains. Unless you take additional steps of your own, the provider of that online service has the ability to view your data.
In reality, the folks at major online storage providers are professionals, with no interest in snooping around in your data. Instances of the so-called “rogue employee” are rare. But of course, it’s still possible.
More legitimately, the service provider may be required to turn over your unencrypted data to law enforcement should the appropriate court orders be presented.
For whatever reason, you might consider all of this a problem. Fortunately, this problem has a solution: encryption.
The hidden cost of doing your own encryption
There’s actually one good reason to allow your online storage provider to have the ability to decrypt your data: web access.
If your online storage provider encrypts your data when it’s stored on their servers, they must be able to decrypt it to provide you the ability to access the data via a web interface. Dropbox, for example, allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself using BoxCryptor, the online storage provider can only access your data in its encrypted form. You’ll need BoxCryptor on your computer (and of course, your password) to decrypt it before you’ll be able to use that data.
Traditional encryption solutions
The idea here is simply that if you encrypt your data before it gets uploaded to any online storage provider, then they have no ability to decrypt it. You, and only you, control the access to your actual data.
Traditionally, that works this way:
- You have a file or set of files that you want to store online.
- You use a program such as 7-Zip, AxCrypt, TrueCrypt, or similar to create a new file or files containing encrypted versions of the files.
- You place those files into online storage.
Now, when you want to actually use those files on any machine where you don’t have the original, or want to make sure you have the most current copy, you need to:
- Retrieve the encrypted files from online storage.
- Decrypt the files.
- Make your changes.
Then, finally, to update the online copies of the files (if you made any changes), you would:
- Re-encrypt the files as you did originally.
- Upload the encrypted file or files into online storage.
As you can see, that’s a lot of work just to update, for example, a single file.
That’s where BoxCryptor comes in.
The BoxCryptor model
In a sense, BoxCryptor operates in a manner very similar to programs like TrueCrypt.
To use TrueCrypt, you create a special container and tell TrueCrypt to mount that container as a virtual drive, supplying the correct passphrase to do so. A new drive appears on your system – say drive T: – and the contents of the encrypted container appear as unencrypted files. As long as the container is mounted, the contents of the “vault” are directly accessible to any and all programs running on your machine. Dismount or fail to mount the container, and all that’s visible is the vault file itself, which appears to contain only random noise.
BoxCryptor works similarly, except that the container is nothing more than a source folder: any other folder on your machine. You mount that folder in BoxCryptor and another drive – I’ll call it L: – appears on your machine. Anything written to drive L: is encrypted and written to the folder you specified when mounting. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly.
While technically slightly inaccurate, you can think of BoxCryptor as operating like TrueCrypt, but at the encrypted file, rather than encrypted container, level.
The files in the original source folder are always encrypted. It’s only when the folder is mounted in BoxCryptor that the files are visible in their decrypted form in the virtual drive.
An example of BoxCryptor in use
Let’s say I use Dropbox. On my machine, I have a folder:
In that folder, I have many other files and folders that automatically synchronize with the Dropbox servers and any other machines on which I have Dropbox installed.
One of the folders in my Dropbox folder is:
C:\My Dropbox\Boxcryptor Files
I don’t place any files in the Boxcryptor Files folder directly. It starts out empty.
Next, I install BoxCryptor, and configure it to mount “C:\My Dropbox\Boxcryptor Files” as drive L:. I set up the password that’s required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
As soon as I save that document to drive L: using Word, a new file appears on C::
C:\My Dropbox\Boxcryptor Files\MyPrivateInformation.docx
The file that was saved to L: is automatically encrypted and placed in the BoxCryptor folder. Dropbox then notices a new file has appeared, and the encrypted file is also uploaded and distributed to all my machines running Dropbox. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart’s content. In a very real sense, it’s just a file, and can be manipulated like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated appropriately.
Once I dismount the BoxCryptor folder, drive L: – along with the unencrypted versions of the files – disappears. All that remains are the encrypted versions stored in the BoxCryptor folder within the Dropbox folder.
All that has been uploaded to your online storage provider are the encrypted versions of your files.
TrueCrypt or BoxCryptor?
There’s a reasonable argument that you can use BoxCryptor for almost anything you might use a standard TrueCrypt vault for.
The practical differences boil down to this:
Monolithic versus incremental update: the biggest drawback to using TrueCrypt with a service such as Dropbox is that a TrueCrypt vault is a single file. Any change to any of the files contained within it means that the entire file may be considered changed, and may need to be uploaded or downloaded. BoxCryptor maintains individual files as individual files, and thus only the files actually modified need updating.
Open- versus closed-source: TrueCrypt is an open-source project, and its source code can be examined and audited. BoxCryptor is a commercial product by a German company, so using BoxCryptor requires that you implicitly trust this company.
It’s also my understanding that TrueCrypt, besides having more encryption options, has more highly-tuned performance.
TrueCrypt is free no matter what you do with it. While BoxCryptor’s base version is free, there are licensing levels for additional features that may be important, as well as for commercial use.
In short, BoxCryptor is an excellent solution for encrypting files that are going to be placed in online storage management utilities such as Dropbox. In my opinion, TrueCrypt remains the better choice for encrypting offline data. And of course, it’s entirely possible to use both side by side.
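The "monolithic versus incremental update" difference above can be measured with a small model. This is an added example, not code from BoxCryptor or TrueCrypt: the cipher is a stand-in built from the Python standard library, the file names and passphrase are constructed, and the sync client is assumed to re-upload any file whose contents changed.

```python
import hashlib, hmac, os

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream + HMAC tag), NOT BoxCryptor's."""
    nonce = os.urandom(16)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def per_file_store(key, files):
    """Per-file model: one ciphertext per document (names stay readable here,
    as with the unencrypted file names the page describes)."""
    return {name: encrypt(key, data) for name, data in files.items()}

def container_store(key, files):
    """Container model: every document packed into one encrypted vault file."""
    blob = b"".join(len(n).to_bytes(2, "big") + n.encode() +
                    len(d).to_bytes(4, "big") + d for n, d in files.items())
    return {"vault.bin": encrypt(key, blob)}

def bytes_to_upload(before, after):
    """Assumed whole-file sync client: re-upload every file whose hash changed."""
    digest = lambda c: hashlib.sha256(c).digest()
    return sum(len(c) for name, c in after.items()
               if digest(c) != digest(before.get(name, b"")))

def simulate_edit():
    key = hashlib.pbkdf2_hmac("sha256", b"constructed passphrase",
                              b"constructed-salt", 100_000)
    # Constructed sample data: ten 20,000-byte documents.
    files = {f"report{i}.docx": os.urandom(20_000) for i in range(10)}
    pf_before = per_file_store(key, files)
    ct_before = container_store(key, files)

    # Edit a single document, then save.
    files["report3.docx"] = os.urandom(20_000)
    pf_after = dict(pf_before)                       # other ciphertexts untouched
    pf_after["report3.docx"] = encrypt(key, files["report3.docx"])
    ct_after = container_store(key, files)           # the whole vault is rewritten

    return bytes_to_upload(pf_before, pf_after), bytes_to_upload(ct_before, ct_after)

if __name__ == "__main__":
    per_file, container = simulate_edit()
    print(f"per-file upload: {per_file} bytes, container upload: {container} bytes")
```

Under these assumptions one edited document costs one small upload in the per-file model and a full vault upload in the container model.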
It’s for more than PCs
Like many online services similar to Dropbox, BoxCryptor supports multiple platforms.
BoxCryptor is available for:
- Apple OSX
- iPad & iPhone
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.
It’s free for personal use, but…
I actually recommend you spring for the personal license.
Besides better support, it includes a feature that I suspect many people might want: filename encryption.
As you saw above, my example document:
Was saved as:
C:\My Dropbox\Boxcryptor Files\MyPrivateInformation.docx
In other words, the name of the file remains visible.
For many, that might not be a problem, but for others, names of files (and folders) represent an unexpected way sensitive information can leak out, even if the contents of those documents are encrypted.
When you purchase the “Unlimited Personal” license, file names are instead stored encrypted. For example, my example document might appear as:
C:\My Dropbox\Boxcryptor Files\gVbJ27u6-VMQ
Only when successfully mounted will the file names once again appear unencrypted (on drive L:, to continue the example above).
And of course, there’s a commercial license as well.
How I use BoxCryptor
As I update this, I’ve been using BoxCryptor for a couple of years now.
Much like in the example above, I have a folder in my cloud synchronization folder dedicated to the files I wish BoxCryptor to store encrypted.
I have BoxCryptor installed on my Windows PCs, as well as my Macs.
Using BoxCryptor allows me to feel secure leveraging online storage and using it for even more things – things I wouldn’t necessarily place into a large monolithic TrueCrypt container, but still hesitate to upload unencrypted.
BoxCryptor is a convenient solution for making sure the data you place in online storage services remains secure and is accessible only by you.
I recommend it.