ISSUE 18.20.F • 2021-05-31

ADVERTISEMENT

AskWoody Plus Newsletter Subscribers Exclusive for Memorial Day: Get 60% off a new RoboForm Everywhere subscription with this link (exp. 6/15/21). RoboForm is an award-winning password manager, password generator, online form filler, and secure repository where you can safely store sensitive information like credit cards and billing data. Best of all, with RoboForm, you have access to your passwords and saved data on all your devices. Say goodbye to writing down passwords on scraps of paper or in a password book, and say hello to RoboForm.

LANGALIST

By Fred Langa

Does it feel like rolling the security dice when you save your files to a cloud-based service? When the files move out of your control and protection and into who-knows-what security measures the cloud-provider is using? You feelin’ lucky?

It doesn’t have to be a gamble. Here’s how to take charge of your cloud-based file security to make your remote files snoop-proof and effectively just as safe as those on your local PC.

Plus: No, ProduKey isn’t malware, despite what your security app says!

AskWoody’s recent OneDrive coverage from Lance Whitney, Susan Bradley, and me (see article list at end of this text) has unleashed a torrent of email from subscribers struggling with various aspects of OneDrive’s poorly documented features and operations.

Questions about OneDrive’s security are a common theme. For example, see this note from AskWoody subscriber Jimmy Dominguez:

“Hi Fred! Could you provide us with your thoughts on the security of OneDrive? My main concern is putting my password app database on OneDrive. It’s KeePass.”

That’s a great topic, Jimmy, and for much more than just password databases! You probably have many other private, sensitive files, too — financial records, tax information, health data, etc. — that you don’t want to fall into the hands of cloud-based snoops.

The good news is that all major cloud-service vendors are extremely serious about the security of your data while it’s in their care — the success of their cloud business depends on users’ being able to trust the service!

But your specific question was about OneDrive. Microsoft describes OneDrive’s extensive security measures on the support page, How OneDrive safeguards your data in the cloud.

While that’s all good — and truly, OneDrive’s built-in security is good — it cannot be perfect. No human-built system ever is. Worse, it puts you (and your files) into a passive, subordinate position, totally dependent on someone else to correctly spec, implement, and maintain essential security for your cloud-based files.

There’s a better way — easy steps you can take to ensure your data remains safe, no matter where it resides.

Let’s start with Jimmy’s password manager as the working example. It will lead us to a more general discussion of how to secure any type of cloud-based files.

First of all, yes, the KeePass password database is safe to sync to the cloud because, like all the major password-keepers I’m aware of, KeePass encrypts its database.

Today’s high-quality file encryption is the very best way to add nearly impregnable security to any file, regardless of where it will be stored — in the cloud, on your PC, on a flash drive, in an email attachment, whatever. Without the correct decryption passphrase or password, the file contents will be safe and totally inaccessible.

A good password manager will also never transmit its data unencrypted, “in the clear.” As you saw on the above-referenced Microsoft support page, OneDrive’s cloud-based components automatically enforce the use of encrypted HTTPS connections anyway — so odds are no one will be able to snoop your data while it’s in transit.

HTTPS adds good baseline security, but you can significantly enhance your online privacy by also using a VPN (virtual private network), which adds another, independent layer of encryption on top of HTTPS and can also disguise your physical location.

Many password-keeper apps also allow use of two-factor authentication when you first sign in, to verify that you’re really you and not some snoop trying to break in. KeePass can use two-factor authentication, although it’s a bit kludgy. See Tutorial — Using KeePass With Two-Factor Authentication.

And, if you employ OneDrive’s Always leave on this device setting, as recommended in OneDrive’s impermanent local copies (AskWoody Plus 2021-05-24), your working copy of the encrypted KeePass database will be kept local with a separate and still-encrypted copy tucked away in the Microsoft-protected cloud, synced there via encrypted HTTPS/VPN transmission. I’d say that’s very, very safe!

OK, that’s KeePass. But you can employ the same concepts to achieve similarly safe transmission and storage of all your sensitive cloud-stored files — financial records, tax information, health data, etc.

The bedrock concepts are to employ file- or folder-level encryption on the files/folders that will sync to the cloud; to use only encrypted communication (e.g., HTTPS and/or a VPN); and, if available, to use two-factor authentication when first signing in to your cloud-based apps and services.

Encryption can be easy and virtually automatic. For example, the MS Office apps offer optional, built-in, high-quality, 256-bit AES encryption (Microsoft calls it password protection; see Protect a document with a password.) Just save your Office files this way, using a good, un-guessable password, and your files will be effectively un-snoopable by anyone, anywhere.

If you use apps without built-in encryption, you can instead use a simple external file- and folder-level encryption app such as 7-Zip (open source/free; site). 7-Zip can encrypt virtually any file or folder.

Note: Whole-disk encryption does not work this way. Systems such as BitLocker encrypt files only while they’re physically present on the local hard drive; the files lose their encryption when they’re exported from a BitLocker-encrypted disk. To secure files in the cloud, you need a file- and folder-level encryption tool such as 7-Zip; not a whole-disk encryption tool like BitLocker.

As for communicating with the cloud, make sure your cloud provider enforces use of HTTPS connections. I strongly suggest that you use a reputable VPN.

Choosing a VPN can feel random because there are a million services available, free and paid, as this example Google VPN search shows. I’m not a VPN expert by any means, but to give you at least a known-acceptable starting place, my consumer-level experience with ExpressVPN has been positive. It’s  been fast and reliable for me from multiple locations, and it allows one VPN subscription to cover all my and my wife’s digital devices — PC, Android, Linux, Chromebook, Mac, and iOS. It has a good reputation for security and comes with a 30-day, money-back guarantee. But, again, this is only my personal, anecdotal experience; there may be other VPNs out there that better suit your needs and preferences. Search away!

Bottom line: OneDrive is reliable and reasonably safe on its own. Add in file- and folder-level encryption, secure communication via HTTPS and VPN, and maybe multi-factor authentication, and your cloud-based files will be about as safe and secure as humanly possible!

Related info:

More OneDrive coverage in recent issues:

In Win7 to Win10 activation trouble (AskWoody Plus 2021-05-24), I mentioned ProduKey as a free example app that can dig out the product keys for Windows and other apps installed on your PC.

But some readers, including Bob Petruzzelli, encountered a snag:

“Fred: Just to let you know I was reading your article this morning and tried to download the ProduKey app.

“Windows Defender was adamant that it was a virus and wouldn’t let me download it. I created a dummy .zip file and added it to the Windows Defender exclusions in my download folder. Then I could download it. But then when I unzipped it the .exe file was instantly deleted by Windows Defender, whoosh…. So I made a dummy file for that in the Windows Defender exclusions.

“”Then I could finally run the file and get my Product Key.”

Thanks, Bob. ProduKey isn’t a virus, of course, but many browsers and security apps see that it’s trying to get at product keys, and they incorrectly assume that something evil must be happening.

But yes, with Windows Security (formerly “Windows Defender”), you’ll usually have to click through several layers of warnings before the file safely arrives on your disk, and several more to get it to run.

It’s confusing and a bit of a pain the first time you encounter this kind of adamant blockage by Windows Security, but the support information at Add an exclusion to Windows Security can help you get the file to run.

Alternatively, there are many other product key-finder apps out there (examples). Feel free to experiment until you find one that works the way you — and your anti-malware app! — want it to.

Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all of Fred’s current projects.

You’re welcome to share! Do you know someone who would benefit from the information in this newsletter? Feel free to forward it to them. And encourage them to subscribe via our online signup form — it’s completely free!

Like what you see in the AskWoody FREE newsletter? Become a PLUS member! As a Plus member, you’ll receive the full newsletter, including all our great content about Windows, Microsoft, Office, 365, PCs, MS-DEFCON Alert notifications, useful and safe freeware, and Susan Bradley’s sought-after patch advice. Plus membership also allows continuous access to the complete archive of nearly two decades of Windows Secrets and AskWoody Newsletters. Naturally, Plus members have all the benefits of free membership, including access to the popular AskWoody forums. The cost? We’re supported by donations — choose any amount for a one-year membership. Every little bit helps.  Join AskWoody PLUS Today!