Securing your Dropbox with TrueCrypt

We all love Dropbox. Right? There are definitely other services out there that competes with them but ultimately, Dropbox rules as an online-based syncing service. It’s easy to use, it has many uses and best of all, it’s free. However, just recently, they have been in the hot seat for not clearly stating how it is they protect their customer’s data. With millions and millions of users using Dropbox to sync and store their data on the web, you would think they got the security part locked down. Security is everything remember? If a company doesn’t take interest in securing your data, you’d best move along. Well, Dropbox does care about security. It’s just that they weren’t very forthright about it. It boils down to this, they lied.

  1. Dropbox initially states that data stored on their servers (which is rented from Amazon) is encrypted and that Dropbox employees cannot access user’s data without knowledge of the account’s password.
  2. A complaint was filed by the FTC stating that what Dropbox said was incorrect and that they can actually access the user’s actual data, not just the metadata (file name, date created, etc).
  3. Dropbox revised the statements on their website where security was concerned to “properly” reflect the changes.

What does all this means? Simple. Dropbox has the keys to the entire kingdom (your data). Although they encrypt your data at headquarters, guess who has the keys to decrypt them? Yups, Dropbox! So why is this a problem? Well, it could mean that if you get into trouble with the FBI or some other secret agency, Dropbox can hand over the keys and let them decrypt all of your data. Is that a highly likely scenario for you? Probably not. But what about mischievous employees working at Dropbox or employees who have nothing better to do than to check what you’ve got stored in your account? I’m sure you would agree that is a more likely scenario.

What Can We Do About it?

The above scenario is possible because Dropbox has the keys to decrypt user’s data. With a service like LastPass, the company never gets the private information it needs to decrypt the customer’s data. Therefore, employees can’t just snoop around for passwords in their company’s servers. But Dropbox is not LastPass so that’s not going to happen anytime soon. If you’re as a big a lover of Dropbox as I am and want to continue using the service, something’s got to be done about this security issue if you want to keep prying eyes away from your data. Since Dropbox itself has the keys to decrypt their encryption algorithm applied to our data, why can’t we encrypt our own data with our own private keys on our computers before syncing it with Dropbox? This is a simple solution to a complex situation (if you really put your minds to it). By encrypting our own data on our computers with our own secret key, Dropbox will never be able to decrypt them with their own decryption keys.

To help us accomplish this feat, we will be using TrueCrypt. This utility is a tried and tested program that allows just about any computer user out there to protect their own data. It is open source so other developers and coders around the world can take a look at just how the tool works. This helps prove that TrueCrypt is really secure and its got nothing to hide as a security tool. I’ve just written an article on how to use TrueCrypt to encrypt your entire hard disk. I’ve decided to use this tool again to show you how easy it is to securely protect your data within Dropbox so that no one, not even Dropbox employees, can access it. This is a method already used by many, even prior to this incident so I’m not necessarily breaking new grounds here. However, I do hope that you think about what is stored in your Dropbox account at this moment and what would happen if other strangers got a hold of it.

How TrueCrypt works here is simple. We first create an encrypted storage volume. This storage area is completely encrypted with a very strong encryption algorithm and can only be decrypted with your password. This storage area, once dismounted, will look like just a single file which can’t be opened by any normal program. This file will be stored and synced to your Dropbox account. When you want to perform any modifications, you use TrueCrypt to mount the volume. This volume, once mounted, will behave like a normal hard drive complete with its own driver letter and icon within Computer. You can add, delete and modify files within this encrypted area however you like. Once you are done, you dismount the drive and the changes will get synced to Dropbox. If a stranger tries to access your data, all they will see on the outside is a single file. They might be smart enough to know that TrueCrypt is at use here but they will never be able to mount the volume provided that you’ve used a strong password.

Creating your Own Encrypted Storage File

You can download TrueCrypt from here.

First, we create our encrypted volume. What you need to decide on is how big you want this volume to be. You can make it pretty much as small or big as you want to. However, you have to remember that this file will be synced with Dropbox. So, if you make a 1GB volume, 1GB of data will be synced with Dropbox *even if you haven’t placed any files within the encrypted volume*. You must remember this. Also, Dropbox has storage limits and every account is different but the fact remains, you have limits. If you only have 2GB of storage, you obviously can’t create a 3GB TrueCrypt volume. You can choose to create a small storage area such as a 20MB volume like me and use it only to store your most personal documents and photos. Why create a big volume when you’re not going to be using it that much?

Some users have said that every time you mount your TrueCrypt volume, change a file, and dismount, you’ll have to sync the entire size of the volume back to Dropbox. For example, if your volume was 20MB in size and you’ve only changed a single file within, once you dismount, the entire 20MB volume will have to be sent back to Dropbox and not just the incremental changes. However, I found this to be untrue from my testings. TrueCrypt combined with Dropbox works as I expected. Initially, yes, my entire volume have to be synced with Dropbox (20MB in my case). However, after that, only the changes were synced back to Dropbox and not the entire volume after each mount and dismount. If you are experiencing otherwise, please let us know.

Once you’ve got TrueCrypt opened, head into the Volume dropdown menu at the top and select Create New Volume. The wizard should immediately appear to help guide your way.

  1. One the first screen, select the “Create an encrypted file container”.
  2. Under Volume Type, select “Standard TrueCrypt Volume”.
  3. Under Volume Location, specify the location to save your container. Don’t worry, you can freely move this volume after creation. In fact, you’ll need to move this to your Dropbox folder afterward so create it on your Desktop if you so wish to. Be sure to enable the option to not save your history.
  4. For Encryption Options, just stick with the defaults of AES and RipEMD-160.
  5. Within Volume Size, specify the size of your container to be stored in Dropbox. The bigger the file here, the longer it will take for it to initially sync with Dropbox. However, you’ll have more room to store your personal documents.
  6. Under Volume Password, you’ll get to set the password used to decrypt your volume. Create a strong password that you can remember. If you forget it, there is no back door to gain entry back inside your encrypted volume. If you want to use key file(s) to further enhance the security of this encrypted volume, then you can specify the files here. Oh, and please do NOT use the same password here as the one you’ve used for your Dropbox account no matter how strong it is!
  7. In the Volume Format window, you can specify the volume’s file system to be used along with the cluster size. In most circumstances, FAT should suffice. The main real benefit of using NTFS over FAT is if you have individual files over 2GB in size. The cluster size should be left to the default unless you know what you’re doing. Once you click Format, Truecrypt will create your encrypted volume in the specified location. You can then exit out of the wizard.

Page 2: Volume Mount and Dropbox –>

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Pages: 1 2

Comments

  1. Just tested this, created a 50MB container, let it sync, added 8MB of data, watched bandwith monitor as only 8MB of data was transmitted.

    This is better than I thought.

    • Yups! That’s more like it! This is how all cloud storage based services needs to be from now on. I’m severely disappointed in Microsoft Skydrive for not providing this feature. They actually have a technology in their arsenal called Remote Differential Compression that actually sends just the deltas of file changes from a client to a server. Not sure why they couldn’t incorporate this into Skydrive yet Dropbox could.

  2. The problem with this is that the encrypted files have to be quite small in size, whenever you make a change to the encrypted file, like save a new document, the entire encrypted file needs to be synced back to Dropbox.

    This can add up really quickly and consume quite a bit of bandwidth.

    This will continue to be a problem until Dropbox change how files are synced across, ie, using something like de-duplication so that only the bits that change in the file are synced across.

    • That’s not true, at least from my point of view. If you do a quick search, you’ll find some articles saying that one of the biggest advantage of Dropbox over Skydrive and Google Drive is due to it being able to sync only the delta changes within a file or container.

      I also made a note of this in the article here where I created a 20MB encrypted volume. Initially, the entire 20MB file would have to be uploaded. I have a slow upload link and so 20MB is big deal for me as it took some time to finish. Once synced, I created some text files in the encrypted volume. Dropbox picked up the change and proceeded with the sync/upload. This process, however, completed in a very short amount of time. This leads me to believe that Dropbox is syncing only the delta and not the entire encrypted file again which therefore saves me bandwidth. Are you saying this is not happening for you?

  3. abhilash ab says:

    While I’m not a security architect,
    The important thing to remember you while using data encryption tools like Truecrypt is that,  is that by enabling you to use personal encryption keys, they basically remove the option to compromise your data.  Sure, they can give it away, but the data is practically useless without the key.  How To Use  Truecrypt  in Ubuntu:

    • You are correct. This is one of the reason why TrueCrypt is so powerful. You, the owner, hold the keys to your own kingdom and no one else. This makes sense because TrueCrypt is not an online service so there wouldn’t be any reason for them to hold your keys/passwords in the first place. This would only go bad for users who forgot their password.

Speak Your Mind

*


(humans only, please) *