Encrypting Degoo Cloud Drive With Cryptomator

In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo.com cloud drive service. For a generic overview that’s not Degoo specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo.com and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the Degoo.com cloud drive service here.


Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to Cryptomator.org and download and install the software (it’s free and open source!). Once installed, you’ll need to set up one or more “vaults”, which are nothing more than folders on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder where you want to store your encrypted files (the folder should be empty right now) and give the vault a name (here I named mine Cryptomator).
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I highly recommend saving it in a password manager like LastPass.com. I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the vault by clicking the “Create Vault” button. This stores a couple of small files in there that Cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process; you’re done with that. This is how you’ll use it every day: unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be wherever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created. This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is wherever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveat: Files in your Z: drive CANNOT be larger than 2GB! That’s a limitation with the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with a decrypted view of the data. ALWAYS remember this! You will NOT back up your Z: drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo.com

Now that you have a folder that contains your encrypted files and an easy way to use the encrypted files (your Cryptomator Z: drive), you need to sync the encrypted files to your Degoo.com account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on Degoo.com and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own Cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder… the one with the unreadable encrypted files NOT YOUR Z-DRIVE!!!! and click “Add folder to backup”
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z: drive is automatically encrypted at the time it’s written, and since the real folder with the encrypted files is the one that’s backed up, your data is automatically backed up as well as automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have no reason to believe they are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have the password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that further by setting up your vault to save your password and auto-unlock on start, so you don’t have to start Cryptomator yourself.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your Cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.

WARNINGS!

You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT back up your Z: drive (or whatever drive letter Cryptomator makes for you). That is DECRYPTED and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.

Encrypting the Non-Encrypted Cloud Drive Services


In this article in my series of “Encrypt All The Things!”, I’ll show how to fully encrypt your files on popular cloud drive services that do not support zero knowledge encryption.  Such services that do NOT support zero knowledge encryption are:

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • Box.Net
  • Amazon Cloud Drive

That is obviously not a comprehensive list.  Some that DO support zero knowledge encryption:

  • Mega
  • Spider Oak

That is also not a comprehensive list.  The problem with Mega is that it’s closed source, so you can’t confirm that everything’s on the up and up.  In fact, Kim Dotcom, the creator of Mega, was/is wanted by the United States government for hosting pirated material.  That’s why he created Mega, so he’d have zero ability to decrypt the data, which was a great big middle finger to the U.S. government.  He’s since left the company and now claims it can’t be trusted, but we don’t know if that’s just sour grapes from him, or if there’s a legitimate reason for him to say that.  At any rate, it’s closed source, so there’s no way to confirm.

Spider Oak is also closed source AND it costs money.  It’s not a free service.

There are plenty of free cloud drive services (listed at the top of this article), but none of them support zero knowledge encryption.  There’s now a fairly easy way to encrypt those, though.

Download and install the free, open source software called Cryptomator.  You can get it here:

https://cryptomator.org/

As of this writing, they only have a Linux, Windows, and Mac version, but they are actively working on Android and iOS versions.

How it works

Once you install Cryptomator on your PC, you configure it to access each of your cloud drive services.  At the time of this writing, Cryptomator supports 4 of the popular cloud drive services.

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • (I can’t find information on the 4th one)

But, it should work with any cloud drive as long as you have a synced folder on your PC to that cloud drive service.  It doesn’t have to directly support your cloud drive service AS LONG AS your cloud drive software provides a local sync folder that other apps on your PC can access.

Below, I give general instructions.  The exact steps are clearly outlined in the Cryptomator documentation.  This will give you the basic idea of what you’re trying to accomplish…

Once installed, you add a “vault” to Cryptomator, create a password, and point Cryptomator to your local sync folder.  It will then create a virtual drive (using an unused drive letter) and store some encrypted files in your local sync folder.

Now, with your new drive letter, just put any files you want encrypted into there and NOT directly in your local sync folder.  If you put anything directly in your local sync folder IT WILL NOT BE ENCRYPTED!!!!  If you put files in the virtual drive that Cryptomator created for you and gave a drive letter, those files will appear unencrypted to you as long as you have the “vault” unlocked with Cryptomator.  The actual encrypted bytes of the files are stored in the local sync folder associated with your cloud drive service.  If you open the sync folder, you’ll see meaningless file names and meaningless folder names with encrypted files in them.  That’s the encrypted data.  To have an unencrypted window into that encrypted data, simply open the new drive letter that Cryptomator created for you when you unlocked the vault with your password.

Since the encrypted bits are stored in your sync folder, they get synchronized with your cloud server and it’s those encrypted bits that are stored on the cloud drive servers.

Once you get that working, it’s a good idea to drag and drop all your previously existing NON ENCRYPTED files and folders from your local sync folder into your vault virtual drive.  Cryptomator will automatically encrypt them and store the encrypted bits back into your local sync folder, which your cloud drive software will then upload to your cloud drive service.  Once you’ve confirmed they’re in the vault, BACK UP YOUR FILES, then you can safely delete the originals from your sync folder, which will delete the unencrypted files from your remote cloud drive, leaving only the encrypted bits.

Caveats

  • Errors with large folders: I have about 64GB in my Microsoft One Drive.  When I tried moving my camera roll folder into my Cryptomator virtual drive associated with OneDrive, it kept failing.  I presume it wasn’t designed for folders with that many files or that many bytes.  After many days of effort, I finally did get it working.  I do not know if it was a OneDrive problem or a Cryptomator problem.  I had no issues encrypting my Google Drive nor my DropBox, but neither of them had as much data.
  • No Mobile (yet): Right now, there’s no mobile access to your encrypted data.  They’re actively working on both Android and iOS apps, so that may change by the time you see this.
  • No browser access: Since the web interfaces of these cloud services simply show you the files as they are on their services, after you encrypt your files and folders, when viewing them with a web browser on those services, you’ll only see the encrypted data.  This makes sense because the cloud drive services are unaware of the encryption switcheroo you’ve done.  Don’t expect this to change.
  • Your Key: With zero knowledge encryption, you keep your key locally, but Cryptomator stores your key ON your remote cloud drive.  Don’t fret too much though.  It’s encrypted with the password that you made when you created your vault.  Technically, your password is your key.  In my judgment, it’s fairly safe.  Though, I wouldn’t be storing my archives of my classified State Department e-mail on any of these public cloud drives, even with Cryptomator.
  • Metadata: The contents of your files are encrypted as well as the file and folder names, but the timestamps are NOT encrypted and neither are the number of files, the number of folders, nor the sizes of the files.  The timestamps are left as is in order for your cloud drive software (OneDrive, Google Drive, DropBox, etc…) to know when things have changed so it can sync properly.  The file sizes are a result of how many bytes you’re encrypting.  The number of encrypted files will be roughly equal to the number of files as they were before they were encrypted (but the contents will be fully encrypted).  This too is a side effect of how the syncing works.
  • Mobile still unencrypted: You should probably turn off or uninstall the cloud drive software on your mobile devices because you won’t be able to see anything but encrypted data.  Also, any files you have locally on your mobile device that you have set to sync will be uploaded UNENCRYPTED.  Then you’ll have a mix of both encrypted and unencrypted files on your cloud drive.  Remember, Cryptomator is actively working on Android and iOS apps.  When they’re available, you can install those and follow Cryptomator’s recommendations on what to do with your cloud drive provider software.
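As an added check that is not part of the article, here is a small Python audit of the real vault folder, the one Degoo or any other sync client uploads (never the Z: drive). It prints what an observer at the provider can see without the vault password (the file names, sizes and timestamps the Metadata caveat describes) and flags the two rule breaks from the WARNINGS in the first article: a file written straight into the vault root that is not one of Cryptomator’s two masterkey files (assumed here to be named masterkey.cryptomator and masterkey.cryptomator.bkup), and a low-entropy file inside the d folder. The entropy test is my own heuristic, not a Cryptomator feature, and the vault folder it scans is constructed in a temporary directory.

```python
import math
import random
import tempfile
from pathlib import Path

# Cryptomator keeps its two masterkey files in the vault root (the "2 masterkey
# files" the article mentions); these are their on-disk names, assumed current.
# Anything else in the root was dropped in directly, so it is unencrypted.
EXPECTED_ROOT_FILES = {"masterkey.cryptomator", "masterkey.cryptomator.bkup"}
ENTROPY_THRESHOLD = 7.0  # bits/byte: ciphertext sits near 8, text near 4-5
MIN_SAMPLE = 1024        # entropy of n bytes is capped at log2(n): skip tiny files

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def audit_vault_storage(root):
    """Walk the folder the cloud client syncs (the real folder, NOT the Z: drive).
    Returns (leaks, metadata): entries that look like plaintext, and the metadata
    an observer at the provider sees without ever knowing the vault password."""
    root = Path(root)
    leaks, metadata = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        # Sizes, timestamps and the (encrypted) names are visible as-is.
        metadata.append((rel, st.st_size, int(st.st_mtime)))
        if rel.startswith("d/"):
            # Inside Cryptomator's ciphertext tree: content heuristic only; it
            # catches uncompressed plaintext, not a JPEG or ZIP that looks random.
            sample = path.read_bytes()[:4096]
            if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) < ENTROPY_THRESHOLD:
                leaks.append((rel, "low-entropy content inside d/"))
        elif path.name not in EXPECTED_ROOT_FILES:
            leaks.append((rel, "written directly into the vault root"))
    return leaks, metadata

def demo():
    """Constructed vault folder: one ciphertext stand-in, two rule violations."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    for name in EXPECTED_ROOT_FILES:
        (root / name).write_text('{"placeholder": true}')  # not a real masterkey
    cipher_dir = root / "d" / "WQ"
    cipher_dir.mkdir(parents=True)
    # Stand-in for an encrypted file: seeded pseudo-random bytes under a funky name.
    rng = random.Random(1)
    (cipher_dir / "3BQSXG7KLJ4").write_bytes(bytes(rng.getrandbits(8) for _ in range(2048)))
    # Violations: plaintext dropped into d/WQ, and a file saved into the root.
    (cipher_dir / "notes.txt").write_text("shopping list: milk, eggs, bread\n" * 60)
    (root / "tax-return.txt").write_text("gross income 52000\n" * 10)
    return audit_vault_storage(root)

if __name__ == "__main__":
    leaks, metadata = demo()
    for rel, size, mtime in metadata:
        print(f"{size:>6} bytes  mtime={mtime}  {rel}")
    for rel, reason in leaks:
        print(f"LEAK: {rel}: {reason}")
```

Point audit_vault_storage at your own vault folder to check it before the first sync; an empty leaks list means only ciphertext and the masterkey files will leave your PC.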

Use this information about the caveats


Encrypting Your Cloud Storage


This is the sixth entry in my “Encrypt All The Things!” series.

Let’s face it.  Cloud storage SUX!  Why?  Because all of the most popular cloud storage services do NOT provide end to end encryption.  Oh sure, your files travel over an https connection from your PC to their server, but your files are not encrypted with a public key whose private key only YOU have access to.  Sure, the cloud storage providers may encrypt your files (with THEIR keys) AFTER they receive your upload and before they store them on their own drives.

BUT!

THEY have access to the contents of your files.  They can see the file names in clear text.  They have access to the entire contents.  THEY own the encryption keys on their end and you sent them your files without encrypting them first.  Therefore, you are NOT in control of your data.  If that cloud service gets hacked or if there’s a bad employee, or they get subpoenaed, other people can (and likely WILL) gain access to your personal data.  It’s simply NOT protected.

There’s only ONE option

When it comes to cloud storage, you have only one option for realistic security.  That is, your files MUST be encrypted ON YOUR END before they’re sent over the wire to the cloud storage provider, that encryption on your end MUST be done with your public key, and your private key MUST be a key that ONLY YOU have access to.  It should exist ONLY on your own PC or phone.  PERIOD.  There are no ifs, ands, or buts about it.  This is called “zero knowledge” encryption.

Please see “Understand Encryption” on a discussion of public/private keys.  It’s kind of critical to your understanding of how to judge whether a cloud storage service is doing it right.

Zero Knowledge

Spideroak.com has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”

Spideroak.com, by the way, is a cloud drive service provider.  Though there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft One Drive, Amazon cloud storage, DropBox, Box.Net, etc…

Another one with zero knowledge is Mega.co.nz.  This cloud storage provider was created by the infamous Kim Dotcom, who’s wanted by the United States government for hosting a similar service for copyright pirates.  So, some reasonable questions have arisen as to the true privacy of this site.  And recently Kim Dotcom has come out and said he’s no longer affiliated with Mega and that you shouldn’t trust it, that it’s not safe (but can you trust HIM?)

Anyway, the point is, you need to either encrypt your own files BEFORE uploading them to a cloud service or use a cloud service that does it for you (ON YOUR END!).

Home Brew

Alternatively, you can do it yourself by manually encrypting your Individual Files, then upload the encrypted files to any cloud storage provider you want.  It’s a bit of a hassle, but it will provide you actual protection.  You should note that if you upload your encrypted files but keep the file names, a LOT can be known about what you’re storing.  Best to zip up the file first (storing the name in the zip file), give the zip file an arcane name, like the date and time it was zipped, encrypt the zip file (not with the weak-ass encryption provided in the zip products, but the way I describe in encrypting Individual Files), THEN upload it.

Conclusion

    1. Save yourself some headaches and use only “zero knowledge” cloud services and thoroughly research what others have to say about their encryption.
    2. Hide your meta-data (file names, folder names, folder structures, etc…) if you’re going to home-brew it.

Do you have any experience with encrypted cloud storage?  Please share your experience in the comments.
