Leo, would you consider doing a webinar on TrueCrypt and Dropbox? I always search Ask Leo! before I ask you a question, however, the hits that came up when I searched for TrueCrypt/Dropbox were so numerous and the external sites often so wordy that I thought… Ask Leo! So maybe you could do a webinar on that.
In this excerpt from Answercast #17, I talk about encrypting Dropbox files with TrueCrypt and the concepts that need to be understood before proceeding.
TrueCrypt and Dropbox
So I don’t think it’s really worthy of a full webinar; the concept is actually very simple and somewhat… well, I’ll just say frustrating!
What most people would love is an integrated solution where the files you place into Dropbox are automatically encrypted before they are uploaded. Unfortunately, TrueCrypt won’t really do that.
TrueCrypt creates encrypted containers that you mount and deal with as a separate drive letter.
I happen to use TrueCrypt and Dropbox together. Don’t get me wrong. It’s certainly possible, but I want to explain how that’s set up, and how it works, and what it doesn’t do.
TrueCrypt containers
So I have Dropbox.
In Dropbox, I have a TrueCrypt container; call it “container.tc.” Whenever I fire up Dropbox, that container is automatically synchronized across all the machines that I happen to have Dropbox installed on:
- It’s up in the cloud.
- It’s on my laptop.
- It’s on my desktop.
- And so forth.
Now, as a separate step: I then mount that container in TrueCrypt and it appears as a separate drive.
So, for example, I happen to mount mine as the drive P. Now what I see on my machine is that drive P contains all of these personal files of mine. They are available to me, decrypted, just like you would use TrueCrypt normally. But the container file in which they reside sits within Dropbox.
A mounted container is locked
Now, here’s where the problem is. Here’s where things kinda sorta break down.
As long as the container is mounted, that is, as long as the files inside it are accessible to you so that you can make changes to them, the container file itself is locked:
- Dropbox cannot update the file as changes are made.
- It can’t upload it or synchronize it.
- It’s blocked from being able to do that.
It’s only when you dismount the container that Dropbox can finally say, “Oh, I can get these things. Hey, it’s changed. I’ll go ahead and upload it and synchronize it with the other PCs.”
Adjusting how you use Dropbox
The reason this tends to be somewhat frustrating is you have to adjust how you use Dropbox, the encrypted container, and the files in the encrypted container in order to use them in Dropbox.
Normally with Dropbox, you make a change to a file, you save it, and it automatically gets synchronized.
If that file is within a TrueCrypt container that is in Dropbox, that doesn’t happen. You can change all of the files in the encrypted container, but it’s not until the encrypted container gets dismounted that Dropbox can actually do its work.
I’ve heard of a couple of add-ons that may do some kind of transparent on-the-fly encryption at the file level. I’ve not tried any of them, but that’s the kind of thing it would take to work seamlessly with Dropbox.
Usage pattern for encrypted files
The model that I just described works really well for me. I tend to only use my encrypted container on one machine for a lengthy period of time. I literally end up dismounting it and going to another machine to mount it again if I’m going to switch machines. I can also mount it “read only” if I need to on other machines to avoid any kind of simultaneous update problem.
If you make a change on machine A and a change on machine B to the encrypted container at the same time, Dropbox won’t know which one it’s supposed to keep. Now, of course, it has no way to merge. It turns out to be something that you have to resolve yourself. So, it’s not transparent; it’s not as pretty as we’d like it to be.
I use an encrypted container for some things: the seriously private stuff that I really want to be encrypted. But I’ve got hundreds, maybe thousands, of other files in Dropbox that are not encrypted and that operate as Dropbox normally does.
So TrueCrypt and Dropbox together – it’s not really a marriage made in heaven. It’s sort of a forced relationship; it can work, but it’s not necessarily as clean as we might want it to be.
There are a couple of other important points regarding Dropbox and TrueCrypt.
1. The default for TrueCrypt is to ‘Preserve modification time stamp of file containers’. This means that the date modified of the TrueCrypt container never changes and Dropbox won’t realize the file has been modified. Therefore, it will not sync it unless this default is deselected under Settings->Preferences->’Preserve modification time stamp of file containers’.
2. If you access the Internet through your phone or any other service which limits your data transfer, a large TrueCrypt container can eat up a lot of bandwidth.
*** Since this article has come out, I’ve switched to using BoxCryptor to encrypt my Dropbox files. Only the changed files are synchronized with Dropbox or whichever cloud service you are using. This solves the bandwidth problem and the time stamp problem. In the free version the file names are not encrypted, which is enough for me. If you want to encrypt the file names, you can use the paid version of BoxCryptor.
BoxCryptor – Secure Your Data in the Cloud
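As an added example (not code from Ask Leo!, TrueCrypt or Dropbox), a small Python model of point 1 in the comment above: a sync client that keys on file size and modification time never notices an in-place rewrite whose mtime is put back, while a content hash does. The (size, mtime) check is an assumed simplification of how a sync client decides a file has changed; the 4 KB file standing in for the container is constructed.

```python
"""Model of why a preserved modification time stamp hides a changed container
from a sync client that keys on (size, mtime). Added example, not from the page."""
import hashlib
import os
import tempfile
import time

def fingerprint_cheap(path):
    """Assumed sync-client check: size and modification time only."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)

def fingerprint_hash(path):
    """Content hash: changes whenever the bytes change, whatever the mtime says."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def rewrite_container(path, data, preserve_mtime):
    """Overwrite the file in place (same size, as an encrypted volume would be).
    preserve_mtime=True restores the old mtime, modelling TrueCrypt's default."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(data)
    if preserve_mtime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def simulate(preserve_mtime):
    """Return (cheap_check_sees_change, hash_check_sees_change)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "container.tc")
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for container bytes
        cheap_before, hash_before = fingerprint_cheap(path), fingerprint_hash(path)
        time.sleep(0.05)  # let the clock tick so an unpreserved mtime differs
        rewrite_container(path, b"\x01" * 4096, preserve_mtime)
        return (fingerprint_cheap(path) != cheap_before,
                fingerprint_hash(path) != hash_before)

if __name__ == "__main__":
    print("mtime preserved:", simulate(True))   # (False, True): sync misses it
    print("mtime updated:  ", simulate(False))  # (True, True)
```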
Why not use a cloud storage service that does not have an encryption backdoor instead? Probably Leo knows some of those services.
I’ve looked at a couple of services that operate on what Steve Gibson refers to as “TNO”, or “Trust No One”, where even they cannot get at your data and cannot reset a forgotten password. SpiderOak is one such alternative. Each alternative, however, has an issue or two that makes it significantly less usable than Dropbox, or problematic in some other way. I agree there’s a huge opportunity for these services to provide ultimate security. In fact, I’d love to see Dropbox offer it as an option.
Finally, I’m currently testing something called BoxCryptor which can be used with any service to encrypt files locally before they are placed into the cloud. I’m using it with Dropbox. Again, there’s a bit of a hassle and mindset change to set it up, but so far I think it’s workable.
14-May-2012
First, there is no magic; shared files and security are essentially antonyms in the cloud. If you want to share files, security is sacrificed.
TrueCrypt and Dropbox are excellent companions when you want to secure files, yet access them across machines, when YOU are the ONLY ONE who is going to make the modifications, on ONE MACHINE at a time.
If I have secure data, I’m the only one whom I want to look at it.
If I want to SHARE secure data, I have several options: encrypt it with TrueCrypt; zip it with an encryption key; etc., etc.; then SEND such a file to a friend, and CALL them with the encryption code.
I’ve used (and am using) Jungle Disk, which encrypts from my machine on upload; it works, but it does not seem that they are working on further development of this.
SpiderOak I’ve looked at, and am testing; seems solid, and is in development.
Anyway, just my two cents.
nick
I downloaded CloudFogger, but had a problem because they sent me a verification code and I never got the email, so I deleted the program and contacted them. They told me they have a problem with Hotmail addresses, but I spoke with the team and they seem to really have good encryption. I’m not yet at the point to recommend it, but it is there if anyone wants to try it out.