In this article in my series of “Encrypt All The Things!”, I’ll show how to fully encrypt your files on popular cloud drive services that do not support zero knowledge encryption. Such services that do NOT support zero knowledge encryption are:
- Google Drive
- Microsoft OneDrive
- Amazon Cloud Drive
That is obviously not a comprehensive list. Some that DO support zero knowledge encryption:
- Spider Oak
That is also not a comprehensive list. The problem with Mega is that it’s closed source, so you can’t confirm that everything’s on the up and up. In fact, Kim Dot Com, the creator of Mega, was/is wanted by the United States government for hosting pirated material. That’s why he created Mega, so he’d have zero ability to decrypt the data, which was a great big middle finger to the U.S. government. He’s since left the company and now claims it can’t be trusted, but we don’t know if that’s just sour grapes from him, or if there’s a legitimate reason for him to say that. At any rate, it’s closed source, so there’s no way to confirm.
Spider Oak is also closed source AND it costs money. It’s not a free service.
But, there are plenty of free cloud drive services (listed above at the top of this article), but none of them support zero knowledge encryption. But, there’s now a fairly easy way to encrypt those.
Download and install the free, open source software called Cryptomator. You can get it here:
As of this writing, they only have a Linux, Windows, and Mac version, but they are actively working on Android and iOS versions.
How it works
Once you install CryptoMator on your PC, you configure it to access each of your cloud drive services. At the time of this writing, Cryptomator supports 4 of the popular cloud drive services.
- Google Drive
- Microsoft OneDrive
- (I can’t find information on the 4th one)
But, it should work with any cloud drive as long as you have a synced folder on your PC to that cloud drive service. It doesn’t have to directly support your cloud drive service AS LONG AS your cloud drive software provides a local sync folder that other apps on your PC can access.
Below, I give general instructions. The exact steps are clearly outlined in the CryptoMator documentation. This will give you the basic idea of what you’re trying to accomplish…
Once installed, you add a “vault” to Cryptomator, create a password, and point CryptoMator to your local sync folder. It will then create a virtual drive (using an unused drive letter) and store some encrypted files in your local sync folder.
Now, with your new drive letter, just put any files you want encrypted into there and NOT directly in your local sync folder. If you put anything directly in your local sync folder IT WILL NOT BE ENCRYPTED!!!! If you put files in your virtual drive that CrytpMator created for you and gave it a drive they, those files will appear as unencrypted to you as long as you have the “vault” unlocked with CryptoMator. The actual encrypted bytes of the files are stored in the local sync folder associated with your cloud drive service. If you open the sync folder, you’ll see meaningless file names and meaningless folder names with encrypted files in them. That’s the encrypted data. To have an unencrypted window into that encrypted data, simply open the new drive letter that CryptoMator created for you when you unlocked the vault with your password.
Since the encrypted bits are stored in your sync folder, they get synchronized with your cloud server and it’s those encrypted bits that are stored on the cloud drive servers.
Once you get that working, it’s a good idea to drag and drop all your previously existing NON ENCRYPTED files and folders from your local sync folder into your vault virtual drive. Once you’ve confirmed they’re in the vault, BACK UP YOUR FILES, then you can safely delete them from your sync folder, which will delete the unencrypted files from your remote cloud drive, leaving only the encrypted bits. Cryptomator will automatically encrypt them and store the encrypted bits back into your local sync folder, which your cloud drive software will then upload to your cloud drive service.
- Errors with large folders: I have about 64GB in my Microsoft One Drive. When I tried moving my camera roll folder into my Cryptomator virtual drive associated with OneDrive, it kept failing. I presume it wasn’t designed for folders with that many files or that many bytes. After many days of effort, I finally did get it working. I do not know if it was a OneDrive problem or a Cryptomator problem. I had no issues encrypting my Google Drive nor my DropBox, but neither of them had as much data.
- No Mobile (yet): Right now, there’s no mobile access to your encrypted data. They’re actively working on both Android and iOS apps, so that may change by the time you see this.
- No browser access: Since the web interfaces of these cloud services simply show you the files as they are on their services, after you encrypt your files and folders, when viewing them with a web browser on those services, you’ll only see the encrypted data. This makes sense because the cloud drive services are unaware of the encryption switch-aroo you’ve done. Don’t expect this to change.
- Your Key: With zero knowledge encryption, you keep your key locally, but Cryptomator stores your key ON your remote cloud drive. Don’t fret too much though. It’s encrypted with your password that you made when you created your vault. Technically, your password is your key. In my judgment, it’s fairly safe. Though, I wouldn’t be storing my archives of my classified State Department e-mail on any of these public cloud drives, even with Cryptomator.
- Meta data: The contents of your files are encrypted as well as the file and folder names, but the timestamps are NOT encrypted and neither are the number of files, the number of folders, nor the sizes of the files. The timestamps are left as is in order for your cloud drive software (OneDrive, Google Drive, DropBox, etc…) to know when things have changed so it can sync properly. The file sizes are a result of how many bytes you’re encrypting. The number of encrypted files will be roughly equal to the number of files as they were before they were encrypted (but the contents will be fully encrypted). This too is a side effect of how the syncing works.
- Mobile still unencrypted: You should probably turn off or uninstall the cloud drive software on your mobile devices because you won’t be able to see anything but encrypted data. Also, any files you have locally on your mobile device that you have set to sync will be uploaded UNENCRYPTED. Then you’ll have a mix of both encrypted and unencrypted files on your cloud drive. Remember, CryptoMator is actively working on Android and iOS apps. When they’re available, you can install those and follow Cryptomator’s recommendations on what to do with your cloud drive provider software.
Use this information about the caveats
Thank you for sharing this article. See this image?
You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.