The security debacle at Dropbox last week opened a lot of people’s eyes to the need for user-managed encryption for cloud-based storage. Read on to learn how to secure your Dropbox (and other cloud-based files) with BoxCryptor.

Why Layer Additional Security Onto Your Cloud Storage?


On June 19 there was a four-hour security glitch at Dropbox. During that four-hour period anyone could log into any account with any password. If someone knew the email you used to log in, they could supply any password at all and it would work. Essentially it didn’t matter how powerful the encryption scheme Dropbox was using to secure your files was: the flaw temporarily allowed anyone to log in to your account and be authenticated as though they were you, which would bypass the strongest encryption in the world since the system believed the interloper was a valid user on the account.

So what can you do? Not use cloud-based storage at all? That’s an option, but many people enjoy using Dropbox and the majority of their files are music, media files, and other non-critical files. Rather than quit using Dropbox (or other cloud-based storage drives) you can easily and selectively secure files within your Dropbox so that even if the account is compromised the intruder would still need to decrypt your heavily encrypted files.

Securing Dropbox with BoxCryptor


Although many people simply keep an encrypted volume within their Dropbox (like a TrueCrypt volume), doing so semi-defeats the purpose of having a remote cloud-based drive that continually updates and saves your files. When using a large encryption volume, Dropbox will only upload the volume when the volume is unmounted. Any time you’re inside the volume working and changing files you lose the continual backup feature.

For files that you wish to encrypt with minimal fuss and with the ability to open and manipulate individual files, while maintaining the benefit of continual backups, BoxCryptor is a dead simple solution. BoxCryptor is a Windows-based solution for file-by-file encryption using AES-256 encryption. It is compatible with the Encrypted Filesystem (EncFS), and thus your BoxCryptor encrypted files can be accessed on Mac OS X and Linux computers.

If you plan on using BoxCryptor with a Mac OS X computer make sure to check out this detailed guide. If you plan on using it with a Linux computer make sure to check out this guide. The remainder of our guide will be concerned with securing a Dropbox account using BoxCryptor from a Windows machine.

Installing and Configuring BoxCryptor


The installation process for BoxCryptor is quite straightforward. BoxCryptor comes in three flavors. The free version allows you to encrypt a directory up to 2GB in size. The Unlimited Personal version costs $20 and allows for unlimited directory size. The Unlimited Business is $50 and is simply a commercially licensed version of the Unlimited Personal version. Download the installation file here. We’ll be using the free version as we only need to secure a small volume of files.

Run the installation file and follow the prompts. BoxCryptor will automatically detect if you have Dropbox installed on the computer and will ask you if you want to place the BoxCryptor directory in your Dropbox folder. Click Yes. The only time you’ll need to pay close attention is when you reach this screen:


Here you need to check to make sure BoxCryptor properly placed your directory within your Dropbox folder system. You also need to select a drive letter for BoxCryptor to mount a virtual drive. We selected Z. You can leave the Advanced Mode options alone unless you use Dropbox’s file versioning feature. By default BoxCryptor encrypts the filenames. This filename encryption is a nice security boost but it breaks the file versioning system in Dropbox. If this will be an issue for your workflow make sure to check Advanced Mode and turn off the file name encryption. If you do not use the file versioning and will not need to rely on filenames to download your encrypted files through the web interface it is best to leave the file names encrypted. If you should decide at a later date that you wish to remove the filename encryption (or enable it) you can use BoxCryptor Control (a small command line tool) to toggle the setting. You can read more about this technique here.


In the final step you will assign a password to your BoxCryptor volume. Choose a strong password. It’s up to you whether or not you want BoxCryptor to remember the password. We opted to have it remember the password since our goal is to remotely secure the files, not locally secure them (if someone has access to our physical computer to the degree that this password being remembered or not is our last line of defense, we have bigger problems to deal with).


At this point you should see the BoxCryptor folder (or whatever alternate folder name you selected) within your Dropbox folder. You should also see the virtual drive in your list of drives (in our case, Drive Z).

There are two very important rules you need to follow going forward. First, do not put files directly into the BoxCryptor folder. If you place files directly into the folder they will not be encrypted. They will simply be regular files like those found in any other folder in your Dropbox directory. Second, do not delete the encfs6.xml file in the BoxCryptor folder. That file holds important information that helps BoxCryptor decrypt your files; deleting it renders BoxCryptor useless and your files permanently encrypted. In fact it is best you never even go into the BoxCryptor folder directly; only use the mounted volume.

Speaking of that mounted volume, let’s dump some files into it and see what happens.


In the above screenshot we’ve just dumped files into the Z drive, BoxCryptor’s virtual drive. We can work within this drive like we would any other drive on our computer. Files are encrypted and decrypted on the fly and any changes we make to individual files will be shortly reflected in the contents of our Dropbox account. What does it look like in the BoxCryptor folder now? Let’s take a peek.


Each file has been individually encrypted by BoxCryptor and, as evidenced by the green check marks, already uploaded to Dropbox. The majority of our Dropbox account, which contains MP3s, ebooks, and other non-personal files, remains unencrypted while the BoxCryptor directory enjoys strong file-by-file AES-256 encryption.
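
The two rules above (never drop files straight into the BoxCryptor folder, never delete encfs6.xml) can be checked automatically. The following is an added example, not part of the original article or of BoxCryptor: it scans the encrypted folder for a missing encfs6.xml and for files that look unencrypted. The thresholds, the signature list and the function names are assumptions, and a compressed file without a listed signature has high entropy and will pass unnoticed.

```python
import math
from collections import Counter
from pathlib import Path

CONFIG_NAME = "encfs6.xml"  # file name taken from the article
SAMPLE_BYTES = 65536        # assumption: read at most this much of each file
MIN_FOR_ENTROPY = 2048      # assumption: below this, byte entropy is too noisy
ENTROPY_FLOOR = 7.5         # assumption: ciphertext measures close to 8 bits/byte
# Leading bytes of common plaintext formats: PDF, ZIP/Office, JPEG, PNG, MP3 (ID3).
MAGIC = (b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"ID3")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_plaintext(sample: bytes) -> bool:
    """Heuristic: True when the sample does not resemble AES ciphertext."""
    if not sample:
        return False
    if sample.startswith(MAGIC):
        return True
    if len(sample) >= MIN_FOR_ENTROPY:
        return shannon_entropy(sample) < ENTROPY_FLOOR
    # Short files: fall back to "is it almost entirely printable text?"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return printable / len(sample) > 0.9

def audit_folder(folder) -> dict:
    """Audit the on-disk (encrypted) folder, not the mounted virtual drive."""
    root = Path(folder)
    report = {"config_present": (root / CONFIG_NAME).is_file(), "suspect": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == CONFIG_NAME:
            continue
        with path.open("rb") as fh:
            if looks_plaintext(fh.read(SAMPLE_BYTES)):
                report["suspect"].append(path.relative_to(root).as_posix())
    return report
```

Point `audit_folder` at the BoxCryptor folder inside Dropbox; any path listed under `suspect` should be moved out and copied back in through the mounted drive.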


If you have additional questions about BoxCryptor you can hit up their FAQ file, check out their blog, or visit their feedback forum. Have experience with BoxCryptor, EncFS, or other file-by-file encryption tools and cloud-based storage? Let’s hear about it in the comments.