Encrypting Degoo Cloud Drive With Cryptomator

In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo.com cloud drive service. For a generic overview, that’s not Degoo specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo.com and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the Degoo.com cloud drive service here.

100 GB Free Backup

Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to Cryptomator.org and download and install the software (It’s free and open source!). Once installed, you’ll need to setup one or more “vaults”, which are simply nothing more than a folder on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder you want to store your encrypted files (the folder should be blank, right now) and give it a name, here I Cryptomator.
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I Highly recommend saving it in a password manager like LastPass.com. I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the Vault by clicking the “Create Vault” button. This stores a couple of small files in there that cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process. You’re done. Now you’re ready to use it like you will everyday. Now you unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be where ever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created.  This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is where ever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveate: Files in your Z-Drive CANNOT be larger than 2GB! That’s a limitation with the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with an decrypted view of the data. ALWAYS remember this! You will NOT back up your Z drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo.com

Now that you have a folder that contains your encrypted files and an easy way to use the the encrypted files (your cryptomator Z-drive), you need to sync the encrypted files to your Degoo.com account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on Degoo.com and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder… the one with the unreadable encrypted files NOT YOUR Z-DRIVE!!!! and click “Add folder to backup”
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z-Drive is automatically encrypted at the time it’s written and since the real folder with the encrypted files is the one that’s backed up, you automatically get your data backed up in addition to automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have to reason to believe the are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have your password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that to not have to start cryptomator setting up your vault to save your password and auto-unlock on start.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.

WARNINGS!

You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT backup your Z: drive (or whatever drive letter cryptomator makes for you). That is DECRYTPED and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.

Facebook is *NOT* Decrypting Your Secure Messages!

FacebookDecrypt

Today, a story broke, claiming that

FACEBOOK TO DECRYPT “SECURE” MESSAGES OVER CYBER-BULLYING ACCUSATIONS

This appeared to originate on the InfoWars.com site.  While that site has some interesting stuff and breaks some stories, it also over hypes much of it and posts an amazing amount of conspiracy theory stuff.

But, none of that is reason to automatically disbelieve this claim.  But this is… the first paragraph of the story, explains it all.  I hate facebook for many reasons, especially for its privacy violations, so I can’t believe I’m defending them on this, but this has been blown all out of proportion.  Specifically…

“When you report a secret conversation, recent messages from that conversation will be decrypted and sent securely from your device to our Help Team for review,”

Facebook  DOES NOT DECRYPT the secret messages!!!. YOU DO!  And then you voluntarily SEND IT to facebook.

Now, that’s not to say that they don’t do other nefarious stuff, because they DO!  But this is not one of them.  The ONLY way Facebook can see the encrypted conversation is if someone in the conversation MAKES A CONSCIOUS CHOICE to send it to facebook.  And that conversation is decrypted by that participant’s phone, NOT by facebook themselves.

So, step back, take a breath, and brow beat facebook for their many other privacy violations that actually do exist.

Disclaimer:  If Facebook is decrypting messages, this InfoWars story’s first paragraph text refutes that, in spite of all the hype later.

Lawsuit claims Facebook illegally scanned private messages

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Encrypt Individual Files (Desktop)

image

This is the 3rd article in a series of articles about encrypting your entire digital life

Encrypt All The Things! [A Guide]

…from end to end.  Click here for the lead article.  This article is about encrypting individual files on your desktop computer.  I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar.

Short (VERY short version)

    1. Install encryption software.
    2. Create your encryption keys.
    3. Encrypt a file.
    4. Decrypt a file.

The rest of this shows you the details of those steps.

Review or brush up

Before you go any further, it’s really important that you are familiar with the basics of modern day encryption.  Please review this article on understanding encryption:

Understanding Encryption

 

I will be using terminology that won’t make sense to you if you have not read the “Understand Encryption” article or are not already fairly familiar with encryption and how it’s implemented in modern technology.

Let’s begin

    1. Download and install Gpg4win from http://www.gpg4win.org/
    2. Once installed, you’ll need to import your friends’ public keys (if you plan on sending them anything encrypted) and create your own (if you don’t already have any).
      1. Open Kleopatra (it’s installed with Gpg4win).  It’s a key management application.
      2. Click the “Lookup Certificates on server” button and enter your friends’ names and/or e-mail addresses to see if they have public keys.  If they’re not published, you can easily ask them directly.  Most likely, most of your friends do not yet.  I’d encourage you to get them started on this.
      3. Now, create or import YOUR key pair.  Close Kleopatra and open GPA.  Yes, it’s almost a clone of Kleopatra.  No, I don’t know why there are two of these tools.  But Gpa will let you create key pairs.
      4. Open the “Keys” menu and choose “New Key”.
      5. Enter your name (you can’t change this, so choose wisely), then “Next”, then your e-mail address.
      6. Yes, you want a backup copy.
      7. Enter your passphrase… DO NOT EVER FORGE IT!  DON’T BE STUPID – MAKE IT COMPLEX!  I recommend saving it in LastPass.com (get set up with LastPass.com if you’re not already.  It’s TOTALLY worth it (free)).
      8. Right-click your new key and choose “Export Certificate to Server” which will export your public key to a public key server for others to find so they can send you encrypted data.
    3. Now that your contacts’ keys are imported and you’ve created your own key, let’s encrypt a file.
      1. Open Windows Explorer (I said _Windows_ Explorer, NOT _Internet_ explorer!) and find some file that you’d like to encrypt.
      2. Right-click the file and choose “Sign & Encrypt” (You don’t have to do both signing AND encrypting.  You can do just one, if you like).
      3. In the dialog box, make sure “Encrypt” is selected.  If you’d like to compress it before you encrypt it, be sure to check “Archive files with”.  Because you can’t compress it AFTER you encrypt it!
      4. Click “Next” then pick your recipient (who you want to be able to decrypt the file).  If it’s just you, then choose your own key.

To decrypt the file, just right-click it and choose decrypt.  It will know which key was used and will prompt you for the passphrase.

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Understanding Encryption

Encryptoin

The topic of encrypting is wide and deep, so I’ll narrow this discussion to the basics of what you need to understand about E-Mail encryption and I’ll be as concise as possible.  This also begins a series of articles on encryption I’ll be writing over the next week or two explaining everything you need for end-to-end encryption for everything in your digital life from files on your mobile device to phone calls to everything on your PC.  All software in my series will be free and open source.

Encryption and Decryption

When you send an encrypted message to someone else, you must have that person’s public key.  This is an encryption key that they publish on public key servers for anyone and everyone to have access to.  These public keys can only encrypt messages.  They cannot decrypt messages.  If you encrypt a message with a friend’s public key, there is NO WAY you can decrypt it, not even with the public key you just used to encrypt it.

Why?  Because the public key was created with a complex mathematical formula that actually created TWO keys that work together.    Anything encrypted with ONE key can ONLY be decrypted with its pair key.  When you use your friend’s public key to encrypt a message before sending it to them, ONLY your friend can decrypt that message and they must do it with their private key.

Conversely, when someone sends YOU an encrypted message, they MUST encrypt it with YOUR public key.  ALL encrypted messages YOU receive MUST have been encrypted with YOUR public key.

YOU create a public/private key pair with a key generator.  There are many apps that can generate key pairs.  OpenPGP is a popular standard for keys.  That simply means that software designed to encrypt or decrypt has been written for standardized encrypting algorithms.  OpenPGP is a very popular algorithm.

When your friend sends you an encrypted message, encrypted with YOUR public key, only YOU can decrypt that message and ONLY with your private key that was created along with your public key.

Your public key is meant to be shared.  That’s how people encrypt messages intended for you.  Your private key is exactly that:  Private.  You MUST protect is and never, EVER give anyone access to it.  This means do NOT store it on a cloud drive.  Do NOT EVER e-mail it to anyone, not even yourself, because as soon as you hit “send”, it’s now passing through the internet, unencrypted.  If you ever make the mistake of e-mailing your private key or storing it on a cloud drive, you should consider that key compromised.  You’ll have to revoke the key and create a new pair.  It’s now well known that the NSA intercepts all e-mail traffic.  If you EVER e-mail your private key, there’s a nearly 100% chance that the government now has your private key and has the ability to decrypt any and all content encrypted for you with your public key.

Digitally Signing content.

A neat side effect of having public/private key pairs is that you can reverse how you use them.  For example, instead of encrypting a message with people’s public keys, you could encrypt a message with your PRIVATE key.  Under normal circumstances, you’d NEVER do this because 100% of the population has access to your PUBLIC key and ANYTHING encrypted with your PRIVATE key can be decrypted with your PUBLIC key.

So, why would you do this?

Simple, if you want to PROVE that a document was actually created or sent by YOU.  Encrypting data with your PRIVATE key (instead of your public key) is called “Digitally signing” the content.  Even though, mathematically, it’s the same thing as encrypting, in practice, that encryption is useless for secrets because the decryption key (your public key) is well known.  But, just like data encrypted with your public key can only be decrypted with your private key, data encrypted with your private key can ONLY be decrypted with your public key.

So, if you ever want to prove you’re the sender of an e-mail message, you will digitally sign it before sending it (or encrypt it with your private key).  The receiver can get your public key from any number of public key rings and decrypt your message, proving that it had to have been encrypted (or “signed”) with ONLY your private key.

Let me reinforce that “encrypting” with your private key is NOT considered “encrypting” since anyone can decrypt it.  It’s considered “digitally signing”.

Got it?  Good!  Now, go encrypt all the things!

See these images?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!

Next, be sure to read the next article in this encryption series: