• Pre-encryption makes cloud-based storage safer


    • This topic has 38 replies, 22 voices, and was last updated 11 years ago.
    #492391


    TOP STORY

    Pre-encryption makes cloud-based storage safer

    By Fred Langa

    I must confess: Until recently, I deeply distrusted the security of cloud-storage services such as SkyDrive, Google Drive, and Dropbox. But now, thanks to pre-encryption software, I’m comfortably using several cloud services — with no worries about the security and privacy of my files.


    The full text of this column is posted at windowssecrets.com/top-story/pre-encryption-makes-cloud-based-storage-safer (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1428234

      One of my prime uses for cloud storage is to make certain files available on the move via my Windows phone. This is something that is not provided by Boxcryptor and I can’t see anything that is.

      • #1428238

        As you discuss in another article in the current newsletter the problem of getting past a deceased’s password, one reason I use the Cloud is so my children could access my personal details the day I’m dead and gone (they would have my Cloud-drive password). What would they do if all the files had gone through this Boxcryptor software on my computer?

        • #1431544

          As you discuss in another article in the current newsletter the problem of getting past a deceased’s password, one reason I use the Cloud is so my children could access my personal details the day I’m dead and gone (they would have my Cloud-drive password). What would they do if all the files had gone through this Boxcryptor software on my computer?

          Put the Master Password on paper and keep it in your home, not in your safe deposit box, as the latter might require a Probate Court Order to open.

          -- rc primak

      • #1431543

        One of my prime uses for cloud storage is to make certain files available on the move via my Windows phone. This is something that is not provided by Boxcryptor and I can’t see anything that is.

        Android has a BoxCryptor App at the Google Play Store.

        -- rc primak

    • #1428242

      Great article but leaves a question in my mind. Sounds like the files in the Boxcryptor folder are automatically decrypted on my computer; shouldn’t I or anyone on my computer have to enter the password? If not, my computer is hackable. A user needs encryption on both his computer and the cloud.

    • #1428261

      Boxcryptor, like every other piece of commercial software has a backdoor for government access by NSA and other agencies. As far as I am concerned if the government has access then that is just as bad as any hacker that might have access. If you want any privacy don’t put anything of any importance on any computer that has internet access.

    • #1428289

      This is totally, and absolutely, useless! The algorithm is stored within the application that does the pre-encryption.. ON the hard drive on the main PC! Did you not say that the purpose of off-site backups is protection due to loss of the main PC, or its hard drives?
      Just how are you going to decrypt these cloud-based files after something like that?

      • #1428291

        This is totally, and absolutely, useless! The algorithm is stored within the application that does the pre-encryption.. ON the hard drive on the main PC! Did you not say that the purpose of off-site backups is protection due to loss of the main PC, or its hard drives?
        Just how are you going to decrypt these cloud-based files after something like that?

        Absolutely

      • #1428321

        Doccus: that is a very interesting point! I wonder if you tried to use another PC with another installation of Boxcryptor would it be able to decrypt your files from the cloud? That’s something the article should address.

        • #1428381

          Well, before leaving my comment, I had considered a USB key with the application on it, which would then contain the cipher, but, hey, realistically, just how many people walk around all day with a USB key in their pocket and don’t eventually end up just forgetting it at home..
          ….until.. that fateful day. When the SHTF and your beloved Vista PC goes up in smoke 😉 (sorry couldn’t resist!)
          But, seriously.. unless you have something like, say, a keybob USB key, you’re likely to be SOL…

        • #1428384

          Doccus: that is a very interesting point! I wonder if you tried to use another PC with another installation of Boxcryptor would it be able to decrypt your files from the cloud? That’s something the article should address.

          In my other reply I didn’t address your point. I think it is a given that no two installations of Boxcryptor, or any other encryption software, would ever have the same algorithm. I mean, if they did, it would be like a lock service selling locks all with the same key!

          • #1432108

            There must obviously be a simple answer, but since I do not know: Since EFS is native, why not just use that instead of BoxCryptor?

            • #1432536

              There must obviously be a simple answer, but since I do not know: Since EFS is native, why not just use that instead of BoxCryptor?

              The idea is to pre-encrypt for upload specifically to Cloud Storage. EFS does encrypt, but does not facilitate the upload, especially if we want to sync between the local machine and the Cloud. BoxCryptor makes such secure transfers easier.

              -- rc primak

    • #1428295

      Will this work correctly on a laptop that uses BitLocker since EFS is disabled per the article?

      • #1431545

        Will this work correctly on a laptop that uses BitLocker since EFS is disabled per the article?

        BoxCryptor’s site says this is not an issue. Mr. Langa’s article says this is true, but with caveats.

        -- rc primak

    • #1428319

      BoxCryptor looks interesting – will definitely look into it.

      But a much simpler solution would be to use a ‘zero-knowledge’ cloud-based storage provider – such as SpiderOak.

      Dropbox and SkyDrive et al. encrypt the tunnel by which your data is uploaded to them, but once it gets out of the pipe at their end, it is clear to read. Obviously they have procedures and policies in place, but should those policies and procedures fail or be circumvented by an employee, you’re exposed.

      SpiderOak is one of the few that encrypts your data before it leaves your computer – so that what they receive at their end, and store on their servers, is gibberish. Only you can read it, using your key that you control.

      The advantage of SpiderOak is that it’s one simple piece of software, like DropBox. Set it and forget it. I have a DropBox folder for my ‘casual’ data – cat gifs, essential tools and drivers, etc – and a SpiderOak folder for my ‘serious’ data – banking, taxes, legal etc.

      Not only do I see a lot of caveats in the instructions dealing with Windows itself – certificate conflicts, etc – but BoxCryptor also requires smooth interoperability with a third party’s software – SkyDrive, DropBox, etc. I’m always wary of that – too many cooks can spoil the soup.

    • #1428330

      Sorry, but this defeats the major purpose for cloud based storage, especially Skydrive and Google Drive…to use cloud based office apps to work collaboratively with others. The encrypted files cannot be opened by Office 365 online apps, cannot be downloaded and used by other people unless they know your encryption password, thereby defeating the purpose of encrypting in the first place.
      Realistically, anyone who can hack a Skydrive account will be able to decrypt a Boxcryptor cypher. On top of that, if there is any information SO important that you need to double encrypt it, you would be a complete fool to put it online anyway. Anything can be hacked. Anything. The question is, do you have anything valuable enough for someone to put the costly resources and time into it?
      If you are a large multinational corp with billions of dollars in transfer, ok. But sorry Fred…you just don’t have enough money, influence or affect enough of the world economy to be worth hacking. And if I am mistaken, and you are, then it is much easier to break into a business and steal the computer hardware than try to hack online accounts. And if criminals are really serious, they do worse things.
      I think this is a bit of paranoia in a world that really doesn’t care much about the individual…they care about the big businesses and will go after them.

      • #1428348

        My level of trust seems to go down a notch when there is a failure in English:
        [Attached image: 35741-12-12-2013-10-48-19-AM]

        • #1428403

          My level of trust seems to go down a notch when there is a failure in English:
          [Attached image: 35741-12-12-2013-10-48-19-AM]

          Hyuk! That is far and away the most common spelling atrocity I see. It is, in fact, so common that I think that someone in the schoolboards was playing “fast and lose” 😉 with the english texts, and perhaps tried to save money by importing their english grade school textbooks from China !

      • #1428373

        Sorry, but this defeats the major purpose for cloud based storage, especially Skydrive and Google Drive…to use cloud based office apps to work collaboratively with others.

        Exactly so…or even collaborating with yourself on different devices (desktop, smartphone, tablet).

        I think this whole secrecy thing is taken too seriously. If you have something that absolutely, positively cannot be seen by others, don’t put it online at all. Don’t put it on a computer, for that matter. For the vast majority of us, hyper-encryption, double-encryption, etc. is just a paranoid waste of effort that further blocks productivity.

    • #1428425

      For something as important as encryption, you need to be able to trust the people doing the encryption. If they are really trustworthy, then one clue about that is that they will make sure that you believe that you can trust them.

      They were sloppy with this screen, which makes me wonder what else they are sloppy with, including perhaps the possibility that they have a back door built in somewhere. I mean, they aren’t charging you anything for the service; they have to make their money somehow.

      I’m not saying that they can’t be trusted; but they need to go out of their way to show that they can be trusted. That’s what a trustworthy person does by default.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #1428430

        For something as important as encryption, you need to be able to trust the people doing the encryption. If they are really trustworthy, then one clue about that is that they will make sure that you believe that you can trust them.

        They were sloppy with this screen, which makes me wonder what else they are sloppy with, including perhaps the possibility that they have a back door built in somewhere. I mean, they aren’t charging you anything for the service; they have to make their money somehow.

        I’m not saying that they can’t be trusted; but they need to go out of their way to show that they can be trusted. That’s what a trustworthy person does by default.

        You are quite correct, and the type of spelling error leads me to believe that this is an english speaking, American based company. If so, that is even worse.
        Your point can be re-emphasized by, say, one’s visiting a lawyer who demonstrates bad spelling or grammar. You’d immediately get the impression that if he had not paid any attemntion to these things in university, he could well have glossed over, or worse, read inaccurately, the legal documents affecting, possibly, your well being and security.
        .. Time for a visit to the office across the hall?

        • #1428435

          Your point can be re-emphasized …

          Windows Secrets is so obviously US based/biassed in its articles and when looking at contributors’ locations. I mean, Queen’s English would spell it “re-emphasised”. But aren’t we being a bit too pedantic/precious over words when what’s important is the strength of the drawbridge to our digital castles. We’ve all seen the translated-from-Chinese gobbledegook masquerading as manuals of electronic products.

          But do these goodies work? Some do fantastically. Others, well… and in the latter, I have to agree on the evidence seen here not Boxcryptor.

          But long live US know-how on MS Windows!

          • #1428446

            Windows Secrets is so obviously US based/biassed in its articles and when looking at contributors’ locations. I mean, Queen’s English would spell it “re-emphasised”. But aren’t we being a bit too pedantic/precious over words when what’s important is the strength of the drawbridge to our digital castles. We’ve all seen the translated-from-Chinese gobbledegook masquerading as manuals of electronic products.

            But do these goodies work? Some do fantastically. Others, well… and in the latter, I have to agree on the evidence seen here not Boxcryptor.

            But long live US know-how on MS Windows!

            If they used the Queen’s English, that would inspire confidence, because it would show that they cared. That is, unless they had errors with their Queen’s English.

            Group "L" (Linux Mint)
            with Windows 10 running in a remote session on my file server
          • #1428470

            Windows Secrets is so obviously US based/biassed in its articles and when looking at contributors’ locations. I mean, Queen’s English would spell it “re-emphasised”. But aren’t we being a bit too pedantic/precious over words when what’s important is the strength of the drawbridge to our digital castles. We’ve all seen the translated-from-Chinese gobbledegook masquerading as manuals of electronic products.

            But do these goodies work? Some do fantastically. Others, well… and in the latter, I have to agree on the evidence seen here not Boxcryptor.

            But long live US know-how on MS Windows!

            Perhaps you missed the obvious.. The error was “You will *loose* access to your encrypted files”. That is no small “dialect” difference, but a strong grammatical error, all too common in people who should know better
            You *did* catch the error, did you not?
            The OP’s point was that in a company that deals in security, a glaring error like that does not inspire confidence in other areas of their service…

            My point was that if it were a Chinese or other translation error I would be less concerned, as , indeed, it does not reflect on the rest of the company’s service. It is, however, a common *english speakers* error, so there is quite a difference.. If english is your FIRST language, this little attention paid to the text of the info DOES cause concern.
            And , furthermore, when writing comments it is hardly important if some typos get in the way. It is quite a different matter in a legal contract, such as a(n) EULA, which is where “Loose your files” appeared ..

            • #1428611

              .. when writing comments it is hardly important if some typos get in the way. It is quite a different matter in a legal contract, such as a(n) EULA, which is where “Loose your files” appeared ..

              Point taken.

        • #1428441

          Well, we could look at your incorrect use of commas as evidence that you don’t know proper punctuation as well. But it could be simply an error. I think you are overreacting to a spelling error.

        • #1431552

          You are quite correct, and the type of spelling error leads me to believe that this is an english speaking, American based company. If so, that is even worse.
          Your point can be re-emphasized by, say, one’s visiting a lawyer who demonstrates bad spelling or grammar. You’d immediately get the impression that if he had not paid any attemntion to these things in university, he could well have glossed over, or worse, read inaccurately, the legal documents affecting, possibly, your well being and security.
          .. Time for a visit to the office across the hall?

          So when are you going to correct the typo in your own post here?

          -- rc primak

    • #1428626

      1) Boxcryptor is an excellent product, which works very well with the cloud services I have tried so far. At the moment I have it working on the Windows 8.1 implementation of SkyDrive.

      2) Boxcryptor is German, not American or Chinese. I therefore trust it rather more than most cloud encryption tools. See the website – it belongs to Secomba GmbH.

      3) @David40:
      I don’t think there is much possibility of an NSA “back door” in this software, since it was produced by an EU company, which specifies that it has used AES256 and RSA2048 to USA FIPS standards (which are known not to have “back doors”).

      4) @VicSetter:
      There are versions of Boxcryptor for Android and iOS. The one for Android seems to work fine. Don’t know about Windows Phone, but then I don’t know anyone who has one anyway.

      5) @mpoling:
      Boxcryptor has arrangements for sharing with others. I don’t know the details, but you can find them on the website. The other people do not need to know your master password. I don’t know whether Boxcryptor works with Office365 – have a look at the website – but I think Microsoft is planning to provide encryption anyway.

      “Anyone who can hack a SkyDrive account will be able to decrypt a Boxcryptor cypher” – with RSA-2048 and AES-256, not until around the year 2030, by which time you probably won’t care.

      6) @mrjimphelps: See (9) below about “sloppiness”.
      Although Boxcryptor is free to sync one provider, you have to pay if you want to sync more than one, or if you are a company – they provide business-grade services. So I don’t think you have to worry too much about the quality.

      7) @Doccus, @timsinc, @erniejay856:
      I think you are getting confused between the algorithm, which is the mathematical procedure for enciphering (such as RSA-2048 and AES-256), and the key, which is needed to do the encryption/decryption. Of course the algorithm is in the software on your PC, because you wouldn’t be able to encrypt otherwise. And the key has to be generated on your PC too, by hashing your password, likewise so the encryption/decryption can be done. All installations of Boxcryptor have the same algorithms; there are quadrillions of possible keys at least, so none has the same key.

      Once an attacker has physical access to your PC, the game is pretty well up. The best you can do is make sure you have a really good password which would take a few years to brute-force (at least 10 characters, mixed symbols etc).

      @timsinc: You would need to put your Boxcryptor password and key in your will.

      You can back up the hashed-password key to a file on your PC and then store it elsewhere, so you would certainly be able to set up the account again on another PC.

      8) If you really don’t trust Boxcryptor, you can set up an account with your own personally-generated key. (In that case even Boxcryptor has no way of recovering the key for you if you lose it).

      Have a look at https://www.boxcryptor.com/en/technical-overview

      9) @radtom, @Doccus, @mrjimphelps:
      Writing “loose” instead of “lose” is a frequent error made by the less well-educated in English-speaking countries, so I think a German company can be excused, particularly as the rest of their text is very fluent, more so than some of these comments. I bet your German is not even a fraction as good.

      10) A similar product is Viivo, this time from PKWARE Inc., so presumably the USA. Again, the basic version is free. I have it working well with Google Drive.

      11) If you want separate “zero-knowledge” encrypted cloud storage, then SpiderOak looks OK (although in the USA), but better is Wuala (http://www.wuala.com), which is based in Switzerland and Germany, and therefore comes under EU data protection laws. I use Wuala too. It is also business-grade, with good provision for sharing.

      12) If you want to be really sure, encrypt your material with AESCrypt or TrueCrypt before uploading to the cloud.

      I don’t have any connection with Boxcryptor, Viivo, or Wuala.

      J M Ward
      Minehead
      UK
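
The distinction drawn in point 7 of the post above (the same algorithm in every installation, a different key hashed from each password) and its claim that the files can be set up again on another PC, as an added example that is not part of the thread and not Boxcryptor's actual scheme. It assumes PBKDF2-HMAC-SHA256 as the password hash and uses an HMAC-SHA256 keystream as a standard-library stand-in for AES-256; all function names, parameters and sample values are illustrative.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not taken from the thread or from Boxcryptor).
ITERATIONS = 100_000
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(password, salt):
    """Hash the password with PBKDF2 into an encryption key and a MAC key (32 bytes each)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-256-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag; this blob is all the cloud ever stores."""
    salt = secrets.token_bytes(SALT_LEN)    # public, random per file
    nonce = secrets.token_bytes(NONCE_LEN)  # public, random per file
    enc_key, mac_key = derive_keys(password, salt)
    body = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def decrypt(password, blob):
    """Needs only the blob and the password; nothing from the machine that encrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified blob")
    return xor(body, keystream(enc_key, nonce, len(body)))


def second_pc_roundtrip(password, plaintext):
    """Encrypt on 'PC A', then decrypt as a fresh install on 'PC B' would."""
    blob = encrypt(password, plaintext)   # uploaded to cloud storage
    return decrypt(password, blob)        # PC B has the same code and the password only


if __name__ == "__main__":
    doc = b"2013 tax return (constructed sample)"
    pw = "correct horse battery staple"   # constructed sample password
    print(second_pc_roundtrip(pw, doc))
    try:
        decrypt("guess123", encrypt(pw, doc))
    except ValueError as err:
        print("another user's password fails:", err)
```

The salt and nonce travel with the ciphertext in the clear, which is why losing the original PC does not lose the files: the password is the only secret input.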

    • #1428744

      What about speed and burden on the computer?

      When you have lots of data, that can be a major concern.

    • #1428945

      I have a Skydrive account and tried downloading the app for my desktop only to find the app is totally useless as it won’t run under Administrator rights with UAC off. Idiotic! Gave up.

    • #1429703

      I’ve been using Boxcryptor for Mac for several months until today. Unfortunately.

      The Classic version was very reliable on Mountain Lion (10.8), but after moving to Mavericks (10.9) it got unusable as many file formats could either not be opened at all (Excel) or would show no content (e.g. Word and there were others), i.e., I had to move the files to another location outside the Boxcryptor location to actually open them, and then move the file back after use … that does not make any sense.

      A few weeks ago, the company published version 2 of Boxcryptor for Mac (it used to be available for Windows for a long time already) and I installed it on the Mavericks computer. Same problems. There were other issues (e.g., running against file length limit on SkyDrive after encrypting folders that were ok on SkyDrive before encryption), etc.

      The company confirmed the problems in their support forum. And that was it … there was no patch or update within reasonable time. I only put confidential (sensitive) data into those encrypted containers, and I need to be confident that those data are safe and I can access them any time. That confidence has gone.

      … unfortunately, since the product idea is excellent and most other things are done well:
      + the key is on my main computer, but not on my cloud drive
      + folder and file names are encrypted, i.e., someone external cannot even read those and guess on contents
      + it can be configured in a way that I have to enter the password each time I want to access the container.

    • #1429724

      Fred,

      after reading your excellent article “Pre-encryption makes cloud-based storage safer [Newsletter Comp Version]” I _almost_ downloaded Boxcryptor and started to use it.

      But then I started to think about various cases I need my cloud files (MS SkyDrive currently). I’m teaching IT/ICT and mostly it’s my course material that I do need. I carry a memory stick but just in case I lose my USB stick before lessons, I do have the material in the “cloud” too. I also provide a link to this material to my students as a bit.ly link. This is the first scenario raising questions.

      What do I need to access files on-the-road (portable Boxcryptor perhaps)? And how about my students? What would they need to access the files?

      And finally some scenarios. What if Boxcryptor “disappears” like some small companies do? And could there be some “backdoor” in the encryption software?

      I do have all of the above mentioned files backed-up w/o encryption to my local backup drive. All the shared material is also under the Creative Commons license(s) (no sensitive data stored in the SkyDrive).

      This whole issue arose after “Snowden”-case, but IMHO that’s just a good thing.

      /Teme64

    • #1429796

      Teme64:

      Welcome to the Lounge!

      If you only need to save your class materials for the upcoming class session, and nothing more, it might be easier for you simply to email them to yourself. Then, when you get to your class, open your email, and everything will be there.

      Jim

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #1431553

      BoxCryptor’s free version only covers one device, but they have a paid personal version which allows multiple devices to join in syncing with multiple cloud services. So there is portability of the encryption across multiple devices. At least in the paid versions.

      Due to this and other value-added features, the business edition of BoxCryptor is suitable for business collaboration environments.

      -- rc primak

      • #1440220

        BoxCryptor’s free version only covers one device, but they have a paid personal version which allows multiple devices to join in syncing with multiple cloud services. So there is portability of the encryption across multiple devices. At least in the paid versions.

        Due to this and other value-added features, the business edition of BoxCryptor is suitable for business collaboration environments.

        Ditto in my experience. Only Dropbox is supported in the free version. Since I run Win8.1 w/SkyDrive, it is useless. But that in no way decreases the value of the basic article, only the free BoxCryptor aspect.

    • #1432608

      Thank you. So in Windows 8.x, where syncing to SkyDrive is built-in, does that make BoxCryptor redundant? Or if I encrypt documents using EFS in my local SkyDrive folder, and those docs are available offline, am I only encrypting locally and losing that encryption when they get sent to the cloud?

    • #1443125

      Boxcryptor virtual drive unavailable under different userID
      Yesterday I installed Boxcryptor 2.0 for pre-encryption of the sensitive data that I back up to the cloud. I use Norton 360 for this backup, Dropbox only for some sync with an Android phone, and Google Drive only for sharing. All sensitive data is in five folders on the same user data drive as the Dropbox and Google Drive folders. So the Boxcryptor setup required removing Dropbox and Google Drive, then addition of the five folders for backup. One of the five folders is Outlook, so the Outlook profile had to be rebuilt to point to Outlook in the Boxcryptor virtual drive. All this was accomplished as the admin user.
      However, I normally work as a standard user. There, the Boxcryptor setup refused the removal of Dropbox and Google Drive, so I can’t add the five sensitive folders to make the encrypted files available for use.
      The system is Lenovo ThinkPad T430 with Win7 Pro x64 and the 500 GB internal HDD partitioned into C: for all software (fully patched) and D: for all user data. Security software is Norton 360 and Malwarebytes Anti-Malware. Full backups are local.
      Can anyone tell me how to fix the standard user’s Boxcryptor setup without a major restructuring of my user folders?
