How-To Geek

How To Encrypt Your Cloud-Based Drive with Boxcryptor

The security debacle at Dropbox last week opened a lot of people’s eyes to the need for user-managed encryption for cloud-based storage. Read on to learn how to secure your Dropbox (and other cloud-based files) with BoxCryptor.

Why Layer Additional Security Onto Your Cloud Storage?

On June 19 there was a four-hour security glitch at Dropbox. During that four-hour period anyone could log into any account with any password. If someone knew the email you used to log in they could supply any password at all and it would work. It didn’t matter how strong Dropbox’s encryption scheme was: the flaw temporarily allowed anyone to log in to your account and be authenticated as though they were you. That bypasses the strongest encryption in the world, since the system believes the interloper is a valid user on the account.

So what can you do? Not use cloud-based storage at all? That’s an option, but many people enjoy using Dropbox and the majority of their files are music, media files, and other non-critical files. Rather than quit using Dropbox (or other cloud-based storage drives) you can easily and selectively secure files within your Dropbox so that even if the account is compromised the intruder would still need to decrypt your heavily encrypted files.

Securing Dropbox with BoxCryptor

Although many people simply keep an encrypted volume within their Dropbox (like a TrueCrypt volume), doing so partly defeats the purpose of having a remote cloud-based drive that continually updates and saves your files. When using a large encryption volume, Dropbox will only upload the volume when the volume is unmounted. Any time you’re inside the volume working and changing files you lose the continual backup feature.

For files that you wish to encrypt with minimal fuss, with the ability to open and manipulate individual files and while keeping the benefit of continual backups, BoxCryptor is a dead simple solution. BoxCryptor is a Windows-based tool for file-by-file encryption using AES-256. It is compatible with the Encrypted Filesystem (EncFS), so your BoxCryptor encrypted files can also be accessed on Mac OS X and Linux computers.

If you plan on using BoxCryptor with a Mac OS X computer make sure to check out this detailed guide. If you plan on using it with a Linux computer make sure to check out this guide. The remainder of our guide will be concerned with securing a Dropbox account using BoxCryptor from a Windows machine.

Installing and Configuring BoxCryptor

The installation process for BoxCryptor is quite straightforward. BoxCryptor comes in three flavors. The free version allows you to encrypt a directory up to 2GB in size. The Unlimited Personal version costs $20 and allows for unlimited directory size. The Unlimited Business version is $50 and is simply a commercially licensed version of the Unlimited Personal version.

Download the installation file here. We’ll be using the free version as we only need to secure a small volume of files. Run the installation file and follow the prompts. BoxCryptor will automatically detect if you have Dropbox installed on the computer and will ask you if you want to place the BoxCryptor directory in your Dropbox folder. Click Yes.

The only time you’ll need to pay close attention is when you reach this screen:

[Screenshot]

Here you need to check to make sure BoxCryptor properly placed your directory within your Dropbox folder system. You also need to select a drive letter for BoxCryptor to mount a virtual drive. We selected Z.

You can leave the Advanced Mode options alone unless you use Dropbox’s file versioning feature. By default BoxCryptor encrypts the filenames. This filename encryption is a nice security boost but it breaks the file versioning system in Dropbox. If this will be an issue for your workflow make sure to check Advanced Mode and turn off the file name encryption. If you do not use the file versioning and will not need to rely on filenames to download your encrypted files through the web interface it is best to leave the file names encrypted.

If you should decide at a later date that you wish to remove the filename encryption (or enable it) you can use BoxCryptor Control (a small command line tool) to toggle the setting. You can read more about this technique here.

In the final step you will assign a password to your BoxCryptor volume. Choose a strong password. It’s up to you whether or not you want BoxCryptor to remember the password. We opted to have it remember the password since our goal is to secure the files remotely, not locally (if someone has access to our physical computer to the degree that this password being remembered or not is our last line of defense, we have bigger problems to deal with).

At this point you should see the BoxCryptor folder (or whatever alternate folder name you selected) within your Dropbox folder. You should also see the virtual drive in your list of drives (in our case, Drive Z). There are two very important rules you need to follow going forward. First, do not put files directly into the BoxCryptor folder. If you place files directly into the folder they will not be encrypted. They will simply be regular files like those found in any other folder in your Dropbox directory. Second, do not delete the encfs6.xml file in the BoxCryptor folder. That file holds important information that helps BoxCryptor decrypt your files; deleting it renders BoxCryptor useless and your files permanently encrypted.

In fact it is best you never even go into the BoxCryptor folder directly, only use the mounted volume. Speaking of that mounted volume, let’s dump some files into it and see what happens.
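The second rule can be backed by a routine check that keeps a copy of the config file outside Dropbox and compares it with the live one. This is an added example, not part of the original article or of BoxCryptor; the folder paths and function names are hypothetical, and it accepts both `encfs6.xml` (as written in the article) and `.encfs6.xml` (as written in the comments).

```python
import hashlib
import shutil
from pathlib import Path

# Assumption: the article writes encfs6.xml, the comments .encfs6.xml; accept both.
CONFIG_NAMES = ("encfs6.xml", ".encfs6.xml")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_config(folder: Path):
    """Return the EncFS config file inside folder, or None if absent."""
    for name in CONFIG_NAMES:
        if (folder / name).is_file():
            return folder / name
    return None


def check_config(encrypted_dir: Path, backup_dir: Path) -> str:
    """Compare the live config with an off-Dropbox copy and report its state."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    live, backup = find_config(encrypted_dir), find_config(backup_dir)
    if live is None and backup is None:
        return "missing"                      # nothing to restore from
    if live is None:
        shutil.copy2(backup, encrypted_dir / backup.name)
        return "restored"                     # deleted in Dropbox, put back
    if backup is None:
        shutil.copy2(live, backup_dir / live.name)
        return "backed-up"                    # first run
    if sha256_of(live) == sha256_of(backup):
        return "ok"
    # Settings or password change, or tampering: keep the old backup and
    # let a person decide which copy is the right one.
    return "changed"


if __name__ == "__main__":
    # Hypothetical paths; the backup folder must live outside Dropbox.
    state = check_config(Path.home() / "Dropbox" / "BoxCryptor",
                         Path.home() / "encfs-config-backup")
    print("encfs config:", state)
```

A `changed` result is expected after you deliberately change the password or encryption settings; refresh the backup by hand in that case.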

[Screenshot]

In the above screenshot we’ve just dumped files into the Z drive, BoxCryptor’s virtual drive. We can work within this drive like we would any other drive on our computer. Files are encrypted and decrypted on the fly and any changes we make to individual files will be shortly reflected in the contents of our Dropbox account.

What does it look like in the BoxCryptor folder now? Let’s take a peek.

[Screenshot]

Each file has been individually encrypted by BoxCryptor and, as evidenced by the green check marks, already uploaded to Dropbox. The majority of our Dropbox account, which contains MP3s, ebooks, and other non-personal files, remains unencrypted while the BoxCryptor directory enjoys strong file-by-file AES-256 encryption.
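The first rule (files dropped straight into the BoxCryptor folder are not encrypted) can be audited with a heuristic scan of that folder. This is an added example, not part of the original article or of BoxCryptor; the function names, thresholds and signature list are assumptions chosen for illustration, and the result is a hint, not proof.

```python
import math
from collections import Counter
from pathlib import Path

CONFIG_NAMES = {"encfs6.xml", ".encfs6.xml"}   # the config file is plaintext XML by design
# A few well-known file signatures; an encrypted file should not start with one.
MAGIC = (b"%PDF", b"PK\x03\x04", b"ID3", b"\xff\xd8\xff", b"\x89PNG", b"\xd0\xcf\x11\xe0")
MIN_SAMPLE = 1024      # below this the entropy estimate is too noisy to trust
ENTROPY_FLOOR = 7.5    # bits per byte; AES output sits close to 8


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(sample: bytes) -> str:
    # Compressed media is high-entropy too, so check signatures first.
    if sample.startswith(MAGIC):
        return "plaintext-signature"
    if len(sample) < MIN_SAMPLE:
        return "too-small"
    return "looks-encrypted" if byte_entropy(sample) >= ENTROPY_FLOOR else "low-entropy"


def audit_folder(encrypted_dir: Path) -> dict:
    """Map relative path -> verdict for every file that does not look encrypted."""
    findings = {}
    for path in sorted(encrypted_dir.rglob("*")):
        if not path.is_file() or path.name in CONFIG_NAMES:
            continue
        with path.open("rb") as fh:
            verdict = classify(fh.read(4096))
        if verdict != "looks-encrypted":
            findings[str(path.relative_to(encrypted_dir))] = verdict
    return findings
```

Run `audit_folder` against the folder inside Dropbox, never against the mounted drive, where every file is decrypted on the fly and will look like plaintext.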


If you have additional questions about BoxCryptor you can hit up their FAQ file, check out their blog, or visit their feedback forum. Have experience with BoxCryptor, EncFS, or other file-by-file encryption tools and cloud-based storage? Let’s hear about it in the comments.

Jason Fitzpatrick is a warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 06/28/11

Comments (32)

  1. Youngbud

    What’s the Diff Between BoxCryptor= :( ($$) & Truecrypt= :) (FREE)…

  2. RandyN

    Nice job on the article. Explains it more thoroughly than I’ve seen elsewhere.

  3. PingLu

    So… that means anyone with access to my dropbox account can lock me out of my files by simply deleting the .encfs6.xml file? (that you can’t rename, can you?)

    Does the xml file change after using or can I just copy one to a secure location?

    Nevertheless, great article, I’m definitively concerning moving some files back if boxcryptor works well :)

  4. tecn0tarded

    Does it have to be installed in Windows to be accessed by Linux or is it supposed to be able to install in Linux?

  5. tecn0tarded

    I should have read the FAQs first.

  6. Jason Pender

    I think the “cloud” is a bad idea for storing personal things in the first place. It’s just not that secure as they say it is.

  7. th3m

    Ok nice, but still you can access those files from your local computer only. The cloud based theory is not left intact. You can’t view those files from your mobile for example. Don’t know if we really need it.

    Thank you for the nice and informative article though :)

  8. john

    Ditched dropbox. Now trying spideroak which only stores your files in an encrypted state. Decrypting occurs on client only.

  9. Abdollah

    Any non-open source encryption software may not be reliable and trustworthy.
    No one could prove this software and other countless non-open source encryption softwares are not fake or government spy agent themselves.
    Please higher the quality of your article good guys.
    Keep going and good luck

  10. Robert F.

    @Abdollah: Because BoxCryptor is compatible with the open source project EncFS, the encryption of BoxCryptor has to work the same way as the encryption of EncFS. So although BoxCryptor is closed source, you can review the encryption algorithms in EncFS. Additionally you can review the network traffic to find out that your password/key is only used locally and never sent anywhere.

  11. Hatryst

    This makes cloud storage reliable and secure, once and for all. Very informative !

  12. Benedict H.

    How secure is it compared to TrueCrypt?

  13. E. W.

    OK… the deal is to encrypt your files ‘before’ uploading and storing to the cloud, which makes your files in cloud storage a little more secure, but I wouldn’t say it makes using the cloud for storage any more reliable.

    It’s as reliable as the servers are vulnerable to natural disaster or hacker deletion. And that could happen at any moment.

  14. dragonbite

    How does it work if you, or a friend, wants to access it through the web browser?

  15. steve j

    Anyone have any comparison versus secretsync? They appear to be essentially identical, wonder what they each think is their advantage?

  16. SealthX

    I’ve been using BoxCryptor with Dropbox for a little over a month now. So far it is working very well. Allows me to sync sensitive files between three computers. Files that are not sensitive can be accessed via my Android phone in Dropbox. I don’t need web access to my files, and don’t use Dropbox to share them with others.

  17. Scottt

    Hi All. Good job on the article. Considering BoxCryptor. Anyone have any problems to report? In Windows or Linux? The project is still in beta. Thanks.

  18. Fred

    Will this work with iPad sync? What about running Parallels on a Mac, how does the process work there?

  19. tecn0tarded

    Scott, can it work exclusively in Linux w/o Wine? I could only find an .exe file.

  20. xenosapien

    screw the encrypted files, now I wanna know about the Illuminati Mind Control Pandas!!!!

  21. Uncle Atilla

    If you like the idea of cockroaches breeding behind the walls, then you’ll love the Cloud. So you’d worry if unauthorized persons suddenly had access to your data, but what about the authorized persons who have continuous access to it? Who are they, who authorized them, and what kind of perverted acts are they performing on your data? Some of us are advanced in years and we surely weren’t born yesterday, neither would we trust any data-sucking company, nameless and faceless, with every last drop of our private business, because it’s simply a fact that they’ll all sell out to the highest bidders or the most intimidating crooks, or both.

  22. JAG

    Hoodwinked!
    Once connected to the internet, you are sitting in front of a 1-way mirror.
    Even if not on the internet but on a wireless LAN, you are still sharing your computing with anyone with very little effort on their part.

    Look at the site SANS.

  23. Devon

    Cloud storage is an invitation to others to steal your data… etc

  24. Robert F.

    @Steve j: Besides the price, the main difference is how they work. SecretSync syncs a plaintext folder and an encrypted folder and encrypts/decrypts the data while syncing. So each file is stored in two versions on your computer: plaintext and encrypted (you also need 2x storage space). BoxCryptor, however, is a virtual hard drive that encrypts/decrypts data on-the-fly. When you store a file in the BoxCryptor drive, it is encrypted and stored in the target folder. When you read a file, it is decrypted and returned to the application. The files are never stored in plaintext.

    @dragonbite: In order to access files from the web interface on a computer without BoxCryptor, you have to use BoxCryptor Portable (download the encrypted file and the .encfs6.xml configuration file and enter the correct password). Otherwise it’s not possible.

    @tecn0tarded: On Linux you should use EncFS instead of BoxCryptor/Wine.

  25. Robert F.

    @PingLu: Sorry, almost forgot your question: If the .encfs6.xml file is deleted and you do not have a backup (or can restore it from the deleted files in Dropbox), you in fact lose access to your encrypted files. The file only changes if you edit the encryption settings (e.g. change the password), so you can easily make a backup to a secure location.

  26. Jai

    This software is great, but I had problems installing with Avast. So I ditched Avast, it was a hog anyway like most antivirus! I’m a careful internet user. But hey, a great article.

  27. Martineau

    FWIW, I’ve encountered what appears to be a max path length problem trying to copy a large (600+ MB) folder of files in deeply-nested subfolders over to my BoxCryptor virtual drive. Four out of the 2,500+ files couldn’t be copied. I noticed that they happened to have the 4 longest paths, ranging in length from 320-356 chars each.

    I’m sure the files are OK because I regularly copy the folder to a 2nd drive, and have successfully copied it to a TrueCrypt mounted volume as well as made a 7ZIP archive from its contents.

    For me this is a show-stopper. I tried accessing BoxCryptor’s website this morning to report the problem, but it seems to be down at the moment…which also doesn’t bode well IMHO.

  28. Éric

    @Robert F.: So if I understand correctly, the .encfs6.xml file itself is versioned and protected, it is only the encrypted files that aren’t. Am I correct?

  29. Squeeks

    Noticed with secretsync you have to sign-up for an account. Not too fond of that.

  30. Neil

    Great utility. Have one concern and found one major shortcoming. The downloaded installer does not have a valid certificate which is usually a red flag but not a show stopper. I found that in Windows XP, BoxCryptor does not work in restricted accounts (i.e. “power users” and “users”), it only works in accounts with administrative privileges. While this might not bother some, it’s a show stopper for me. Did not try it in Windows 7 where, perhaps, it does not have this limitation.

  31. cw

    Best way to use this is to NEVER upload any secret programs, c-card numbers, secret documents etc etc.
    I will ONLY store stuff like films, programs, that are taking up place on my drives and can be easily replaced.
    It doesn’t matter if the files are encrypted, you can never be 100 percent sure anyway these days.
    God only knows what kind of secret super computers there are lurking around today (DNA and other variants that can encrypt anything)

  32. TheDigitalDad

    The Cloud is novel, frail, infantile, and highly over amplified in importance by the Microsoft, Google, Spaces, Dropbox and other marketing maws and a few others all to their advantage. It is only as redundant and fortified as the source or target location wherein in the Cloud you interact or keep your data repository. “Cloud” marketing regardless of source is trying to sell portability. Cloud crier: Use me! use me! use me anywhere! Personally my thumb drive encrypted with TrueCrypt and hanging round my neck is portable enough for me and Smith & Wesson as far as that goes and no one has that with Dropbox, Spaces (Live), Google or any other cloud mogul. LOL. Securitywise you remove foreign physical security concerns keeping your data on thumb drives around your neck and it’s still pretty portable. And yes, what does anyone really, really know about anyone at Dropbox other than they gave half a DVD space gratis? Anyone ever known anyone works in Spaces or Dropbox’s repository? Those are your Cloud.
