How to Encrypt Your Dropbox Folder



While the likelihood of this actually happening to you is probably very low, recent headlines about hack attacks against Sony, Gmail and even LastPass prove that you can never be too safe. With that in mind, I thought I’d share with you a tip for making your Dropbox data more secure. In particular, it prevents an unscrupulous employee at Dropbox from accessing your most sensitive data by encrypting it.
Important: TrueCrypt is no longer secure as it’s no longer being supported. We recommend using BitLocker in Windows. You can read more about TrueCrypt no longer being supported here.
TrueCrypt + Dropbox = Super Security
I am 100% comfortable putting this text document in my public folder. Why? Because it’s in an encrypted volume that I created with TrueCrypt. Go ahead and download it, if you’d like—you won’t be able to get to that text document without my password and keyfiles. You can try cracking it, if you’d like, but it’s encrypted with AES, with the key derived from my password and keyfiles using the RIPEMD-160 hash. Meanwhile, I can still access that file just as easily as I can my other Dropbox files. Groovy, huh? Here’s how I did it:
Stage 1 – Create the TrueCrypt Volume
Stage 2 – Mount the TrueCrypt Volume
Creating a TrueCrypt Volume
Step 1
Download and install TrueCrypt for free. The instructions here are pretty straightforward.
Note: There are two ways to install TrueCrypt. For Dropbox users, I would recommend the Extract method. This creates a portable version of the app that you can put on a USB drive or even in your Dropbox folder. This saves you from downloading and installing TrueCrypt if you are using someone else’s computer. For your main computer, feel free to do the default install.
Step 2
Run TrueCrypt.exe and Click Create Volume.
Step 3
Select Create an encrypted file container. There are some more advanced options here, but we’ll cover those later. Click Next.
Step 4
Select Standard TrueCrypt volume and Click Next.
Step 5
Click Select File…
…and then browse to your Dropbox folder. Create a filename for your volume. It can be anything you want—the extension doesn’t matter.
It doesn’t even need an extension, in fact. Originally, I thought it would be clever to disguise it as another file type, such as “mysummervacay.jpg” but it turns out that this can cause false positives from your virus scanner. To stick with convention, go with .tc or skip the extension altogether.
Step 6
Feel free to change the encryption options. There are some useful links here to help you understand your different choices, but I imagine they are all sufficiently secure. I stuck with the defaults.
Step 7
Choose a volume size. You’ll want to choose this realistically based on how much Dropbox space you want to devote to your encrypted volume. If you’re like me and only use your encrypted volume for a couple of text files and perhaps a PDF, 10 MB is more than enough. If you want to encrypt your whole dang Dropbox folder, feel free to do 2 GB.
The one thing that you should note before moving on is that you can create a dynamic volume. That is, it “expands” as you add files to it, so that if it’s a 2 GB file container but it only has 5 MB of data in it, it’ll only take up 5 MB of Dropbox space. That’s nice, but it’ll run a bit slower. It’s up to you.
Step 8
Set up a password. Choose a very strong password that you can remember. Otherwise, all this encryption will be for nothing.
For more security, choose a keyfile. This can be any file in your Dropbox folder, on your local hard drive, or on a USB drive. It’ll work just like a key would—without this file, you can’t access the volume. So, make sure you don’t delete or modify it! This is more secure than a password alone—especially if you choose multiple keyfiles.
Step 9
On the next screen, TrueCrypt will ask you to wiggle your mouse around to gather randomness for the volume’s encryption keys. It’s kind of fun. When you’re satisfied, Click Format.
And you’re done!
Your volume is a completely standalone file. You can drag it and drop it, copy it and paste it or move it to anywhere you’d like. To read and write to the volume, you just have to mount it using TrueCrypt.
Mounting TrueCrypt Volumes from your Dropbox
Step 1
Launch TrueCrypt and Click Select File…
Then, Browse to the volume you just created and open it.
Step 2
Select a drive letter and then Click Mount.
Step 3
Enter your password and, if you chose a keyfile, browse for it by checking Use keyfiles and clicking Keyfiles.
Step 4
Your volume will now be mounted as a local volume under Computer in Windows Explorer.
Step 5
Add files to it just like you’d save files to a USB drive.
They’ll be saved in the encrypted volume, where they’ll be ready and waiting for you next time you mount the volume.
Step 6
One last thing: in order for Dropbox to sync your volume, you have to unmount it. To do so, launch TrueCrypt, select the drive and Click Dismount.
Conclusion
Dropbox is already fairly secure. But for that extra bit of protection, it’s not a bad idea to keep your most sensitive documents in an encrypted volume. You’ll still be able to access your files, as long as you have a copy of TrueCrypt handy (which can be saved as a portable version in your Dropbox folder) and can remember your password. Note that you won’t be able to access items in an encrypted volume from the Dropbox website or a smartphone. I recommend using TrueCrypt for infrequently accessed files, such as financial documents, old tax returns, and other sensitive material that you might have if you’ve transitioned to a digital filing system.
19 Comments
acupuncture
Excellent write-up. Definitely a must for anyone storing their info in the cloud. Personally I’m not of the mind to let anything sensitive into the cloud. While Google’s Chrome OS might want me to do absolutely everything in the cloud and keep it there, I just don’t trust anyone with my sensitive information, and I’m sure I’m not alone in that. That’s why people will always want some form of off-line storage, imo.
Nonetheless, this certainly is a good security option. Thanks.
MrGroove
Are you saying don’t put anything into the cloud even if encrypted?
acupuncture
Oh no, not at all. I have a ton of stuff in the cloud not even encrypted. It’s just not “sensitive” information. Just got a lot of my music into Google Music beta and really like it. Use gMail, gDocs, gCal, etc. . . all the time. 98% or more of my stuff is now in the cloud.
I just think a lot of people, including myself, don’t want to put anything in the cloud that is highly “sensitive.” Even if it is encrypted. I’ve been able to upload password protected files of which I’ve lost/forgotten the password and had them cracked in seconds. . . so I’m not sure how protected anything can actually ever be unless you have it on an external storage device, encrypted, and hidden ;)
I think the cloud is great and this article certainly adds a layer of security but would you trust it for something highly sensitive you’re putting in the cloud or would you keep it out of the cloud?
groovinJackman
here’s a semi-related followup question: would you EMAIL sensitive information? i.e. soc. security number, bank acct no.s? I worked with a mortgage company and a CPA who both asked for this junk. I think I opted to fax it then, but if I would’ve sent it as a PDF then it’d be in my Gmail archive forever.
acupuncture
No, I won’t send stuff like that through email. No way! I’ve read enough about email servers & services keeping copies of emails floating around without the user’s knowledge to have me well paranoid about info in emails.
Like you state, once in the email it may well be forever in an archive and probably not just yours.
While I do a lot of purchasing on-line, I’m careful to ensure that certain info never goes over the web. Sure, a credit card might get scammed (best to use a temp number cc), but I’m pretty well protected there and that’s easy to find out. But letting your ss & account numbers out. . . that can cause some real damage.
Joanna
Some good advice. Good article, THANKS!
Pat Drummond
I prefer a simpler solution to safeguard text files in the cloud. I use fSekrit to encrypt accounts, phone codes, banking etc. Security is solid. The encrypted file is self-extracting anywhere with a password and you can edit then save. On a schedule, I also use Notetab Pro script to open my files in my Dropbox folder, run fSekrit to open the encrypted files, then copy/paste to create new ones. Only ‘con’ is my Android phone can’t open them – but that’s a good thing in case I lost it.
Find links here: http://web.ncf.ca/ad995/pdqlib/download.html#security
Serge
This must be the most comprehensive and simple explanation for how to use DB with TC.
I first made my volume 1 GB, but I can see why a smaller volume size is better, since DB sync is taking ages to complete.
Many thanks!
Steve Krause
You’re very welcome. Welcome to the site. Hope to see you around in the comments!
Martin Rio
I have a question about this method: Is Dropbox able to update parts of a TrueCrypt volume? For example: Say I have a 2 GB TrueCrypt volume filled with many <5 MB PDF files. The volume is initially fully synced with Dropbox, I mount it, make a change to one of the PDF files, and unmount it. Is Dropbox able to sync the part I changed or does it have to re-sync the entire 2 GB?
Thanks in advance!
Martin Rio
This makes it sound like only the changed blocks would be re-synced: http://forums.dropbox.com/topic.php?id=14332
Johan
Hi there, this is not great as every time you make even a small edit change in a file in your “encrypted volume” the whole 10 mb will be uploaded. Especially annoying if you want a 1 gig volume :)
I see most encrypters like boxcrypt etc. encrypt on file level so only the file is reloaded; obviously the name, type etc. are also encoded.
Wish there was a way to get truecrypt to work like this…
Merlot
Dropbox only transfers the parts of a file that changed, so it doesn’t matter if you have a large TrueCrypt container file. If you only make some small changes, only that amount of data is transmitted.
When you create your new TrueCrypt container file, all of it has to be uploaded to the Dropbox servers. Thereafter, only the changed parts have to be transferred.
This works well with TrueCrypt because TrueCrypt uses a block cipher. When data is changed in a TrueCrypt container file, it only affects the blocks containing the data and not the rest of the file.
One fly in the ointment as Jack said is that you have to unmount your TrueCrypt volume before Dropbox will transfer the changes, even though TrueCrypt makes changes to the file as you work. TrueCrypt must be denying read access on open container files which is why the transfer can’t happen until you unmount the volume.
A consequence of this is that if you just rely on the automatic unmount when you log off your pc, your changes won’t be synced with other devices until you log back into your pc again at which point they’ll at last be uploaded to Dropbox.
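To make the point about block-level sync concrete, here is an added Python model (not from the article or from TrueCrypt) that counts which 512-byte sectors of a container change after a 200-byte edit, once with per-sector encryption in the style of TrueCrypt’s XTS mode and once with a chained mode. The sector size, the HMAC-based keystream, the zero IV and the filler data are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

SECTOR = 512   # modelled sector size (assumption); per-sector independence is the point
BLOCK = 32     # PRF output size used as the keystream unit


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector_independent(key: bytes, plain: bytes) -> bytes:
    """Keystream for each sector depends only on (key, sector number), mimicking the
    per-sector tweak of an XTS-style mode: editing one sector leaves every other
    sector's ciphertext unchanged. Note: a real volume uses a tweakable block cipher,
    not a reused keystream; reusing keystream across edits as this model does would
    leak the XOR of old and new plaintext, so use it only to count changed sectors."""
    out = bytearray()
    for s in range(0, len(plain), SECTOR):
        sector_no = (s // SECTOR).to_bytes(8, "big")
        ks = b"".join(prf(key, sector_no + i.to_bytes(4, "big")) for i in range(SECTOR // BLOCK))
        out += xor(plain[s:s + SECTOR], ks)
    return bytes(out)


def encrypt_chained(key: bytes, plain: bytes) -> bytes:
    """CFB-style chaining: each block's keystream comes from the previous ciphertext
    block, so an edit changes every block after it (bad for delta sync)."""
    out, prev = bytearray(), bytes(BLOCK)   # constructed zero IV
    for b in range(0, len(plain), BLOCK):
        c = xor(plain[b:b + BLOCK], prf(key, prev))
        out += c
        prev = c
    return bytes(out)


def changed_sectors(old: bytes, new: bytes) -> list:
    """Sectors a block-level sync client would have to re-upload."""
    return [s // SECTOR for s in range(0, len(old), SECTOR) if old[s:s + SECTOR] != new[s:s + SECTOR]]


def demo(mode, size=1 << 19, offset=200_000, length=200):
    key = hashlib.sha256(b"constructed demo key").digest()
    plain = bytes(range(256)) * (size // 256)                          # constructed filler "files"
    edited = plain[:offset] + bytes(length) + plain[offset + length:]  # overwrite 200 bytes, like editing one PDF
    return changed_sectors(mode(key, plain), mode(key, edited))
```

With the per-sector mode the 200-byte edit touches only the two sectors it straddles, while the chained mode rewrites every sector from the edit to the end of the container.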
Jack Busch
Thanks for chiming in! Nice explanation of the syncing.
Michele Houston
This is very interesting. I did something slightly differently. I was content with the online encryption, but moved my desktop folder into the TrueCrypt volume already existing on my computer. This prevents anyone who gets a hold of my computer from opening my dropbox folder. But then I realized that all they have to do is type in “dropbox” into the “search programs” box in the Start menu and get a quick link right into my website, no password required. Does your approach solve this issue, or is there another way around it? Thanks for any insights!
Merlot
I’m not really sure why you added your desktop folder to the TrueCrypt volume on your computer. The desktop is just a folder containing all the stuff that appears on your desktop. Anything in your TrueCrypt folder is accessible only to those who know your password once you’ve unmounted it, but that bears no relation to the files in your other folders.
Also not sure why you say anyone that can find your Dropbox folder has access to your webspace with no password required. Anything they put in the folder will be uploaded to the Dropbox servers but they won’t be able to explicitly download anything from Dropbox and to login to the website as you, they’ll need your Dropbox password.
However, if you think someone can access your computer and get to all the unencrypted files in your Dropbox folder, they probably have all they want already.
Michele Houston
Actually, what I did was put my computer-side Dropbox folder into the TrueCrypt volume. Therefore, if someone got a hold of my computer, they could not get into the Dropbox folder that resides on my computer. I do not have all my desktop in the TrueCrypt volume. Just my Dropbox folder and various other files.
The problem is that, even when the TrueCrypt volume is not mounted, I can go to the Windows Start Menu, type in “Dropbox” in the program search box, and a link to my Dropbox site is returned. When clicked on, my website folder is entered, without requiring a password.
Merlot
Dropbox starts trying to sync as soon as you log in, but unless you have already unmounted your TrueCrypt volume by then, Dropbox will not be able to find its folder. Maybe it will then create another folder somewhere else and maybe that’s what happened – I don’t know. It is probably better to do it the other way round and put the TrueCrypt volume inside the Dropbox folder.
Michele Houston
I think you’re right. Thanks!