One of the hidden issues in online storage is privacy. Almost all online storage providers have the ability to examine your data or hand it over to law enforcement even if the provider has encrypted your data.
Hopefully, most of us will never have to deal with the law-enforcement scenario, but even the realization that a rogue employee at an online data storage provider could peek into what we keep online can cause concern. For some, it’s enough concern to avoid using cloud storage at all.
The solution is simple: encrypt the data yourself.
Unfortunately, implementing that “simple” solution isn’t always that simple or transparent, and can add a layer of complexity to online storage some find intimidating.
Become a Patron of Ask Leo! and go ad-free!
The hidden issue
Online1 storage is powerful when used properly. By “properly”, I mean the account is set up with appropriate security, and the data you place online is backed up somewhere else as well. Ignoring either of those items can lead to permanent data loss.
Even with those basics covered, a potential privacy issue remains. Unless you take additional steps of your own, the provider of that online service has the ability to view your data.
- Your data may not be encrypted, and is stored in view of anyone with administrative access to the service provider’s servers.
- Your data may be encrypted by the service provider, but since it’s encrypted by the service provider, it can also be decrypted by the service provider. As a result, those with administrative access still have access to your data.
In reality, the folks at major online storage providers are professionals who have no interest in snooping around in your data. Instances of the so-called “rogue employee” are rare. But, of course, it’s still possible.
More legitimately, the service provider may be required to turn over your unencrypted data to law enforcement should appropriate court orders be presented.2
For whatever reason, you might consider all of this a problem. Fortunately, this problem has a solution: encryption.
The hidden cost of doing your own encryption
There’s at least one good reason to allow your online storage provider the ability to decrypt your data: web access.
Some online storage providers encrypt your data when it’s stored on their servers. However, whether or not they do they must be able to decrypt it to provide you the ability to access the data via a web interface. For example, even though Dropbox encrypts your data on their servers, it also allows you to log in to your account from any machine and access the files stored in your account via the web.
If you encrypt the data yourself using BoxCryptor, the online storage provider can only access your data in its encrypted form. You’ll need BoxCryptor (and of course, your password) on every device to decrypt it before you’ll be able to use that data.
Traditional encryption solutions
The idea here is that if you encrypt your data before it gets uploaded to any online storage provider, they have no ability to decrypt it. You, and only you3, control the access to your data.
Traditionally, it works this way:
- You have a file or set of files you want to store online.
- You use a program such as 7-zip, VeraCrypt, or similar to create a new file or files containing encrypted versions of the files.
- You place those encrypted files into online storage.
Now, when you want to use those files on any machine that doesn’t hold the originals, or want to make sure you have the most current copy, you need to:
- Retrieve the encrypted files from online storage.
- Decrypt the files.
- Make your changes.
Then, finally, to update the online copies of the files (if you made any changes), you would:
- Re-encrypt the files as you did originally.
- Upload the encrypted file or files into online storage.
As you can see, that’s a lot of work just to update, for example, a single file.
That’s where BoxCryptor comes in.
The BoxCryptor model
In a sense, BoxCryptor operates similarly to programs like VeraCrypt.
To use VeraCrypt, you create a special container and tell VeraCrypt to mount that container as a virtual drive, supplying the correct passphrase to do so. A new drive appears on your system — say drive T: — and the contents of the encrypted container appear as unencrypted files. As long as the container is mounted, the contents of the “vault” are directly accessible to any and all programs running on your machine. Dismount or fail to mount the container, and all that’s visible is the vault file itself, which appears to contain random noise.
BoxCryptor works similarly, except that the container is nothing more than a source folder: any other folder on your machine. You mount that folder in BoxCryptor, and another drive — I’ll call it L: — appears on your machine. Anything written to drive L: is encrypted and written to the folder you specified when mounting. Anything read from that drive causes the corresponding encrypted file in the source folder to be read and decrypted on the fly.
While technically slightly inaccurate, you can think of BoxCryptor as operating like VeraCrypt, but at the encrypted file, rather than encrypted container, level.
The files in the original source folder are always encrypted. It’s only when the folder is mounted in BoxCryptor that the files are visible in their decrypted form in the virtual drive.
An example of BoxCryptor in use
Let’s say I use Dropbox. On my machine, I have a folder:
In that folder, I have many other files and folders that automatically synchronize with the Dropbox servers and any other machines on which I have Dropbox installed.
One of the folders in my Dropbox folder is:
C:\My Dropbox\Boxcryptor Files
I don’t place any files in the Boxcryptor Files folder directly. It starts out empty.
Next, I install BoxCryptor, and configure it to mount “C:\My Dropbox\Boxcryptor Files” as drive L:. I set up the password required to mount it again in the future.
Drive L: appears on my machine.
I create a Word document on drive L:
As soon as I save that document to drive L:, a new file appears on C::
C:\My Dropbox\Boxcryptor Files\MyPrivateInformation.docx
The file that was saved to L: is automatically encrypted and placed in the BoxCryptor folder. Dropbox then notices a new file has appeared, and the encrypted file is also uploaded and distributed to all my machines running Dropbox. Note that only the encrypted version of the file has been uploaded.
I can continue to work on the file on L: to my heart’s content. It’s just a file, and can be manipulated like any other. As changes are saved to disk, the corresponding encrypted version of the file is updated.
Once I dismount the BoxCryptor folder, drive L: — along with the unencrypted versions of the file — disappears. All that remains are the encrypted versions stored in the BoxCryptor folder within the Dropbox folder.
All that has been uploaded to my online storage provider are the encrypted versions of my files.
VeraCrypt or BoxCryptor?
There’s a reasonable argument that you can use BoxCryptor for almost anything you might use a standard VeraCrypt vault for.
The practical differences boil down to this:
Monolithic versus incremental update: the biggest drawback to using VeraCrypt with a service such as Dropbox is that it’s a single file. Any changes to any of the files contained within it means that the entire file is considered changed and must be uploaded or downloaded. BoxCryptor maintains individual files as individual files; only files actually modified need updating.
Open- versus closed-source: VeraCrypt is an open-source project4, and its source code can be examined and audited. BoxCryptor is a commercial product by a German company, so using BoxCryptor requires that you implicitly trust this company.
VeraCrypt is free no matter what you do with it. While BoxCryptor’s base version is free, there are licensing levels for additional features that may be important, as well as for commercial use (more on that below).
In short, BoxCryptor is an excellent solution for encrypting files that are going to be placed in online storage management utilities such as DropBox. In my opinion, VeraCrypt, or Windows own encryption, Bitlocker, remain better choices for encrypting offline data or entire hard drives.
It’s for more than PCs
Like many online services similar to Dropbox, BoxCryptor supports multiple platforms.
BoxCryptor is available for:
- iPad & iPhone
That means you can continue to share your documents across all the platforms and devices supported by your online storage provider, but now you can easily encrypt the data you share.
It’s free for personal use, but…
I recommend you spring for a BoxCryptor personal license.
Besides better support, it includes a feature I suspect many people might want: filename encryption.
As you saw above, my example document:
was saved as:
C:\My Dropbox\Boxcryptor Files\MyPrivateInformation.docx
In other words, the name of the file remains visible.
For many, that might not be a problem, but for others, names of files (and folders) represent an unexpected way sensitive information can leak, even if the contents of those documents are encrypted.
When you purchase the “Unlimited Personal” license, file names are instead stored encrypted. For example, my example document might appear as:
C:\My Dropbox\Boxcryptor Files\怐栶旵樍椌憲歃晗怐栶旵樍椌憲歃晗
— where the Chinese characters above represent the encrypted filename. Only when successfully mounted do the file names once again appear unencrypted (on drive L:, to continue the example above).
How I use BoxCryptor
As I update this, I’ve been using BoxCryptor for many years.
Much like the example above, I have a Dropbox folder dedicated to the files I wish BoxCryptor to store encrypted. I have BoxCryptor installed on my Windows PCs, as well as my Macs and my Android phone.
Using BoxCryptor allows me to feel secure leveraging online storage and using it for even more things — things I wouldn’t necessarily place into a large monolithic VeraCrypt container, but still hesitate to upload unencrypted.
BoxCryptor is a convenient solution for making sure the data you place in online storage services remains secure, and is accessible only by you.
I recommend it.
August 22, 2012