Posted on

Encrypting the Non-Encrypted Cloud Drive Services

EncryptedCloudDrive

In this article in my series of “Encrypt All The Things!”, I’ll show how to fully encrypt your files on popular cloud drive services that do not support zero knowledge encryption.  Such services that do NOT support zero knowledge encryption are:

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • Box.Net
  • Amazon Cloud Drive

That is obviously not a comprehensive list.  Some that DO support zero knowledge encryption:

  • Mega
  • Spider Oak

That is also not a comprehensive list.  The problem with Mega is that it’s closed source, so you can’t confirm that everything’s on the up and up.  In fact, Kim Dot Com, the creator of Mega, was/is wanted by the United States government for hosting pirated material.  That’s why he created Mega, so he’d have zero ability to decrypt the data, which was a great big middle finger to the U.S. government.  He’s since left the company and now claims it can’t be trusted, but we don’t know if that’s just sour grapes from him, or if there’s a legitimate reason for him to say that.  At any rate, it’s closed source, so there’s no way to confirm.

Spider Oak is also closed source AND it costs money.  It’s not a free service.

But, there are plenty of free cloud drive services (listed above at the top of this article), but none of them support zero knowledge encryption.  But, there’s now a fairly easy way to encrypt those.

Download and install the free, open source software called Cryptomator.  You can get it here:

https://cryptomator.org/

As of this writing, they only have a Linux, Windows, and Mac version, but they are actively working on Android and iOS versions.

How it works

Once you install CryptoMator on your PC, you configure it to access each of your cloud drive services.  At the time of this writing, Cryptomator supports 4 of the popular cloud drive services.

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • (I can’t find information on the 4th one)

But, it should work with any cloud drive as long as you have a synced folder on your PC to that cloud drive service.  It doesn’t have to directly support your cloud drive service AS LONG AS your cloud drive software provides a local sync folder that other apps on your PC can access.

Below, I give general instructions.  The exact steps are clearly outlined in the CryptoMator documentation.  This will give you the basic idea of what you’re trying to accomplish…

Once installed, you add a “vault” to Cryptomator, create a password, and point CryptoMator to your local sync folder.  It will then create a virtual drive (using an unused drive letter) and store some encrypted files in your local sync folder.

Now, with your new drive letter, just put any files you want encrypted into there and NOT directly in your local sync folder.  If you put anything directly in your local sync folder IT WILL NOT BE ENCRYPTED!!!!  If you put files in your virtual drive that CrytpMator created for you and gave it a drive they, those files will appear as unencrypted to you as long as you have the “vault” unlocked with CryptoMator.  The actual encrypted bytes of the files are stored in the local sync folder associated with your cloud drive service.  If you open the sync folder, you’ll see meaningless file names and meaningless folder names with encrypted files in them.  That’s the encrypted data.  To have an unencrypted window into that encrypted data, simply open the new drive letter that CryptoMator created for you when you unlocked the vault with your password.

Since the encrypted bits are stored in your sync folder, they get synchronized with your cloud server and it’s those encrypted bits that are stored on the cloud drive servers.

Once you get that working, it’s a good idea to drag and drop all your previously existing NON ENCRYPTED files and folders from your local sync folder into your vault virtual drive.  Once you’ve confirmed they’re in the vault, BACK UP YOUR FILES, then you can safely delete them from your sync folder, which will delete the unencrypted files from your remote cloud drive, leaving only the encrypted bits.  Cryptomator will automatically encrypt them and store the encrypted bits back into your local sync folder, which your cloud drive software will then upload to your cloud drive service.

Caveats

  • Errors with large folders: I have about 64GB in my Microsoft One Drive.  When I tried moving my camera roll folder into my Cryptomator virtual drive associated with OneDrive, it kept failing.  I presume it wasn’t designed for folders with that many files or that many bytes.  After many days of effort, I finally did get it working.  I do not know if it was a OneDrive problem or a Cryptomator problem.  I had no issues encrypting my Google Drive nor my DropBox, but neither of them had as much data.
  • No Mobile (yet): Right now, there’s no mobile access to your encrypted data.  They’re actively working on both Android and iOS apps, so that may change by the time you see this.
  • No browser access: Since the web interfaces of these cloud services simply show you the files as they are on their services, after you encrypt your files and folders, when viewing them with a web browser on those services, you’ll only see the encrypted data.  This makes sense because the cloud drive services are unaware of the encryption switch-aroo you’ve done.  Don’t expect this to change.
  • Your Key: With zero knowledge encryption, you keep your key locally, but Cryptomator stores your key ON your remote cloud drive.  Don’t fret too much though.  It’s encrypted with your password that you made when you created your vault.  Technically, your password is your key.  In my judgment, it’s fairly safe.  Though, I wouldn’t be storing my archives of my classified State Department e-mail on any of these public cloud drives, even with Cryptomator. Winking smile
  • Meta data: The contents of your files are encrypted as well as the file and folder names, but the timestamps are NOT encrypted and neither are the number of files, the number of folders, nor the sizes of the files.  The timestamps are left as is in order for your cloud drive software (OneDrive, Google Drive, DropBox, etc…) to know when things have changed so it can sync properly.  The file sizes are a result of how many bytes you’re encrypting.  The number of encrypted files will be roughly equal to the number of files as they were before they were encrypted (but the contents will be fully encrypted).  This too is a side effect of how the syncing works.
  • Mobile still unencrypted: You should probably turn off or uninstall the cloud drive software on your mobile devices because you won’t be able to see anything but encrypted data.  Also, any files you have locally on your mobile device that you have set to sync will be uploaded UNENCRYPTED.  Then you’ll have a mix of both encrypted and unencrypted files on your cloud drive.  Remember, CryptoMator is actively working on Android and iOS apps.  When they’re available, you can install those and follow Cryptomator’s recommendations on what to do with your cloud drive provider software.

Use this information about the caveats

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Posted on

Encrypting Your Cloud Storage

image

This is the sixth entry in my “Encrypt All The Things!” series.

Let’s face it.  Cloud storage SUX!  Why?  Because all of the most popular cloud storage services do NOT provide end to end encryption.  Oh sure, you’re files travel over an https connection from your PC to their server, but your files are not encrypted with a public key from a private key that only YOU have access too.  Sure, the cloud storage providers may encrypt your files (with THEIR keys) AFTER they receive your upload and before they store them on their own drives.

BUT!

THEY have access to the contents of your files.  They can see the file names in clear text.  They have access to the entire contents.  THEY own the encryption keys on their end and you sent them your files without encrypting them first.  Therefore, you are NOT in control of your data.  If that cloud service gets hacked or if there’s a bad employee, or they get subpoena’d, other people can (and likely WILL) gain access to your personal data.  It’s simply NOT protected.

There’s only ONE option

When it comes to cloud storage, you have only one option for realistic security.  That is, your files MUST be encrypted ON YOUR END before they’re sent over the wire to the cloud storage provider and that encryption on your end MUST be done with your public key and your private key MUST be a key that ONLY YOU have access to.  It should exist ONLY on your own PC or phone.  PERIOD.  There are no if, ands, or buts about it.  This is called “zero knowledge” encryption.

Please see “Understand Encryption” on a discussion of public/private keys.  It’s kind of critical to your understanding of how to judge whether a cloud storage service is doing it right.

Zero Knowledge

Spideroak.com has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”

Spideroak.com, by the way, is a cloud drive service provider.  Though, there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft One Drive, Amazon cloud storage, DropBox, Box.Net, etc…

Another one with zero knowledge is Mega.co.nz.  This cloud storage provider was created by the infomous Kim DotCom who’s wanted by the United States government for hosting a similar service for copyright pirates.  So, some reasonable questions have arisen as to the true privacy of this site.  And recently Kim DotCom has come out and said he’s no longer affiliated with Mega and that you shouldn’t trust it, that it’s not safe (but can you trust HIM?)

Anyway, the point is, you need to either encrypt your own files BEFORE uploading them to a cloud service or use a cloud service that does it for you (ON YOUR END!).

Home Brew

Alternatively, you can do it yourself by manually encrypting your Individual Files then upload the encrypted files to any cloud storage provider you want.  It’s a bit of a hassle, but it will provide you actual protection.  You should note that if you upload your encrypted files, but keep the file names, a LOT can be known about what you’re storing.  Best to zip up the file first (storing the name in the zip file), giving the zip file an arcane name, like the date and time it was zipped, encrypt the zip file (not with the weak ass encrypting provided in the zip products, but with how I describe to encrypt Individual Files), THEN upload it.

Conclusion

    1. Save yourself some headaches and use only “zero knowledge” cloud services and thoroughly research what others have to say about their encryption.
    2. Hide your meta-data (file names, folder names, folder structures, etc…) if you’re going to home-brew it.

Do you have any experience with encrypted cloud storage?  Please share your experience in the comments.

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.