Securing your Dropbox with TrueCrypt

We all love Dropbox. Right? There are definitely other services out there that competes with them but ultimately, Dropbox rules as an online-based syncing service. It’s easy to use, it has many uses and best of all, it’s free. However, just recently, they have been in the hot seat for not clearly stating how it is they protect their customer’s data. With millions and millions of users using Dropbox to sync and store their data on the web, you would think they got the security part locked down. Security is everything remember? If a company doesn’t take interest in securing your data, you’d best move along. Well, Dropbox does care about security. It’s just that they weren’t very forthright about it. It boils down to this, they lied.

1. Dropbox initially states that data stored on their servers (which is rented from Amazon) is encrypted and that Dropbox employees cannot access user’s data without knowledge of the account’s password.
2. A complaint was filed by the FTC stating that what Dropbox said was incorrect and that they can actually access the user’s actual data, not just the metadata (file name, date created, etc).
3. Dropbox revised the statements on their website where security was concerned to “properly” reflect the changes.

What does all this means? Simple. Dropbox has the keys to the entire kingdom (your data). Although they encrypt your data at headquarters, guess who has the keys to decrypt them? Yups, Dropbox! So why is this a problem? Well, it could mean that if you get into trouble with the FBI or some other secret agency, Dropbox can hand over the keys and let them decrypt all of your data. Is that a highly likely scenario for you? Probably not. But what about mischievous employees working at Dropbox or employees who have nothing better to do than to check what you’ve got stored in your account? I’m sure you would agree that is a more likely scenario.

What Can We Do About it?

The above scenario is possible because Dropbox has the keys to decrypt user’s data. With a service like LastPass, the company never gets the private information it needs to decrypt the customer’s data. Therefore, employees can’t just snoop around for passwords in their company’s servers. But Dropbox is not LastPass so that’s not going to happen anytime soon. If you’re as a big a lover of Dropbox as I am and want to continue using the service, something’s got to be done about this security issue if you want to keep prying eyes away from your data. Since Dropbox itself has the keys to decrypt their encryption algorithm applied to our data, why can’t we encrypt our own data with our own private keys on our computers before syncing it with Dropbox? This is a simple solution to a complex situation (if you really put your minds to it). By encrypting our own data on our computers with our own secret key, Dropbox will never be able to decrypt them with their own decryption keys.

To help us accomplish this feat, we will be using TrueCrypt. This utility is a tried and tested program that allows just about any computer user out there to protect their own data. It is open source so other developers and coders around the world can take a look at just how the tool works. This helps prove that TrueCrypt is really secure and its got nothing to hide as a security tool. I’ve just written an article on how to use TrueCrypt to encrypt your entire hard disk. I’ve decided to use this tool again to show you how easy it is to securely protect your data within Dropbox so that no one, not even Dropbox employees, can access it. This is a method already used by many, even prior to this incident so I’m not necessarily breaking new grounds here. However, I do hope that you think about what is stored in your Dropbox account at this moment and what would happen if other strangers got a hold of it.

How TrueCrypt works here is simple. We first create an encrypted storage volume. This storage area is completely encrypted with a very strong encryption algorithm and can only be decrypted with your password. This storage area, once dismounted, will look like just a single file which can’t be opened by any normal program. This file will be stored and synced to your Dropbox account. When you want to perform any modifications, you use TrueCrypt to mount the volume. This volume, once mounted, will behave like a normal hard drive complete with its own driver letter and icon within Computer. You can add, delete and modify files within this encrypted area however you like. Once you are done, you dismount the drive and the changes will get synced to Dropbox. If a stranger tries to access your data, all they will see on the outside is a single file. They might be smart enough to know that TrueCrypt is at use here but they will never be able to mount the volume provided that you’ve used a strong password.

Creating your Own Encrypted Storage File

You can download TrueCrypt from here.

First, we create our encrypted volume. What you need to decide on is how big you want this volume to be. You can make it pretty much as small or big as you want to. However, you have to remember that this file will be synced with Dropbox. So, if you make a 1GB volume, 1GB of data will be synced with Dropbox *even if you haven’t placed any files within the encrypted volume*. You must remember this. Also, Dropbox has storage limits and every account is different but the fact remains, you have limits. If you only have 2GB of storage, you obviously can’t create a 3GB TrueCrypt volume. You can choose to create a small storage area such as a 20MB volume like me and use it only to store your most personal documents and photos. Why create a big volume when you’re not going to be using it that much?

Some users have said that every time you mount your TrueCrypt volume, change a file, and dismount, you’ll have to sync the entire size of the volume back to Dropbox. For example, if your volume was 20MB in size and you’ve only changed a single file within, once you dismount, the entire 20MB volume will have to be sent back to Dropbox and not just the incremental changes. However, I found this to be untrue from my testings. TrueCrypt combined with Dropbox works as I expected. Initially, yes, my entire volume have to be synced with Dropbox (20MB in my case). However, after that, only the changes were synced back to Dropbox and not the entire volume after each mount and dismount. If you are experiencing otherwise, please let us know.

Once you’ve got TrueCrypt opened, head into the Volume dropdown menu at the top and select Create New Volume. The wizard should immediately appear to help guide your way.

1. One the first screen, select the “Create an encrypted file container”.
2. Under Volume Type, select “Standard TrueCrypt Volume”.
3. Under Volume Location, specify the location to save your container. Don’t worry, you can freely move this volume after creation. In fact, you’ll need to move this to your Dropbox folder afterward so create it on your Desktop if you so wish to. Be sure to enable the option to not save your history.
4. For Encryption Options, just stick with the defaults of AES and RipEMD-160.
5. Within Volume Size, specify the size of your container to be stored in Dropbox. The bigger the file here, the longer it will take for it to initially sync with Dropbox. However, you’ll have more room to store your personal documents.
6. Under Volume Password, you’ll get to set the password used to decrypt your volume. Create a strong password that you can remember. If you forget it, there is no back door to gain entry back inside your encrypted volume. If you want to use key file(s) to further enhance the security of this encrypted volume, then you can specify the files here. Oh, and please do NOT use the same password here as the one you’ve used for your Dropbox account no matter how strong it is!
7. In the Volume Format window, you can specify the volume’s file system to be used along with the cluster size. In most circumstances, FAT should suffice. The main real benefit of using NTFS over FAT is if you have individual files over 2GB in size. The cluster size should be left to the default unless you know what you’re doing. Once you click Format, Truecrypt will create your encrypted volume in the specified location. You can then exit out of the wizard.

Page 2: Volume Mount and Dropbox –>

Pages: 1 2