Sunday, 13 April 2014

Drop Dropbox And Swap For Something Secure?

Lately there has been quite a bit of commotion around Dropbox and its lack of security. I mean: files are stored on the Dropbox servers/discs ‘as is’, unencrypted, so theoretically Dropbox employees might be able to retrieve the contents. While I’m not exactly in possession of top secret documents, I am wary about people being able to sniff around my tax declarations and other stuff I consider private - after all, I don’t leave my front door wide open either.

Can you recommend an alternative that is more secure and still has the same functionality and high degree of ease of use as Dropbox? I only use the file sync facility (not the sharing, the photo uploads, or any other stuff that might exist), and the platforms on which I use it are Windows 7 and Android 4. I need less than 1 GB of storage as I only sync documents between computers, smartphones, and tablets.

I hear you, and indeed lately there has been a lot of commotion around Cloud storage (which is what Dropbox is), computing in general, and electronic communication. While I too did enjoy Dropbox’s ease of use, I’ve been looking around for something more secure, and with ‘more secure’ I mean: files are encrypted on my PC before they are transmitted, and only I know the encryption keys (though this latter one might be wishful thinking, read on).

Just for the record and in case you’d prefer staying with Dropbox if you could fix the security issue: this would be possible by encrypting your files manually before putting them into your Dropbox folder, or by creating a TrueCrypt container in a file, and putting that file in your Dropbox folder - there are also companies that provide that sort of functionality. However, that involves manual effort (which I hate, I’m as lazy as possible and the computers need to do the work for us) and complicates the computing environment.

There are several providers that offer secure Dropbox-like functionality. With the ‘secure’ bit, I mean: files are encrypted before they leave your PC, and are only decrypted after arriving on your other device, so that they are not transmitted or stored ‘naked’ anywhere but on your devices.

I checked a couple of these providers out, and finally went for Tresorit, a Swiss company that - drum roll - offers a free service with 5 GB storage and is available for Windows, Linux, Mac, Android, iOS, and Windows Phone. The ease of use is in a way similar to Dropbox: install the software, tell it which folder to sync, and that’s about it. The program will be humming in the background (taking care of the sync and the encryption/decryption), going about its business, while you do whatever else you want to do on your PC. Actually, Tresorit has an added advantage: you can add multiple folders to be synced (in other words, they don’t all have to sit under a single top-level folder) and, on each device, specify which folders you want to sync with that device. There’s much more that can be tweaked; check out their site.

Tresorit states the following on https://tresorit.com/about-us: We NEVER collect or store your files, encryption keys and passwords in unencrypted or invertible form. Files and some corresponding encryption keys can only be decrypted by the people you have explicitly shared with. In plain English: we don’t have the faintest idea what you store on our servers. We can’t share it with anyone. Nobody can take it from us.

At the time of writing, it seems that the Tresorit program is only available in English. Also note that, unless a provider would publish their program’s source code so that privacy claims regarding encryption keys (and more) can be verified, you can’t be 100% sure that indeed your data cannot be accessed by unauthorised people, so a certain level of trust is required. If you don’t trust it, don’t use it, but Tresorit has published a White Paper on their site that dives into the way their encryption works. I haven’t read that and most likely wouldn’t understand enough of it to judge it, but did read blogs where security specialists and cryptographers seemed to be quite happy with the techniques that were described.

One last thing: even though my KeePass file is encrypted (by KeePass), I still wouldn’t just throw that into a folder that gets synchronised to the Cloud, at least not ‘as is’. I would store it in a TrueCrypt file for enhanced security. Paranoid? Maybe. Better safe than sorry.

No comments:

Post a Comment