With news of the NSA, GCHQ, big corporations, and anyone else with an Internet connection snooping through your online data these days, you can’t be too careful when it comes to protecting the stuff you put in the cloud. This guide will tell you what you need to do so that TrueCrypt can keep your synced files guarded from prying eyes.
When is your data not your data?
When your files are kept only on your computer, or on your own thumb drives or portable hard drives, you have the ability to completely control who has access to them and what they can do with that data. As long as you keep your computer malware-free, set appropriate file permissions, use strong passwords, and physically secure your storage media, you can be reasonably assured that the only people looking at your electronic documents are those whom you’ve chosen to allow. This may sound like a lot, but it really is all relatively simple and the bottom line is that these are things which are generally well within your control.
However, when you choose to put your files in the cloud with services like Dropbox, OneDrive, iCloud, and Google Drive, you are handing this control over to a lot of other organizations who may not necessarily hold your privacy as a top priority. Recent news has cast much doubt upon whether or not we can trust large corporations to keep our personal data from secretive government agencies, or even to not dig into it themselves. Former NSA contractor Edward Snowden has leaked details of government mass surveillance programs that claimed cooperation from nearly every major cloud storage provider there is. Another recent incident found Microsoft digging through a blogger’s Hotmail account without even having a court order.
There are a number of other potential weak links in the chain between you and your cloud storage provider. Your ISP and other Internet backbone providers that handle your network traffic could be coerced or ordered to provide access that could similarly compromise your information. This risk is generally mitigated by the use of SSL, but even that protection is reliant upon other organizations like Certificate Authorities who may still be compromised, wittingly or not, by government agencies or other hackers. The best way to make sure you have control of who accesses your data in the cloud is by encrypting the data yourself, so that you’re the only one holding the keys.
How does TrueCrypt fit in?
TrueCrypt creates a virtual drive on your computer that is encrypted with a key generated at the time of the drive’s creation. Because the key is generated on your computer, and protected by a password you select, the only people who can unlock a TrueCrypt volume – regardless of where it is stored – are those who know the password. If you create a sufficiently strong password, and take appropriate measures to keep it secret, that means that you’re the only person who can access the data in your TrueCrypt volume even if you decide to put it somewhere online. TrueCrypt even provides options for two-factor authentication by way of keyfiles or security tokens of your choosing.
We already have some guides covering TrueCrypt usage in general:
What’s special about a TrueCrypt volume in the cloud?
Because of the way cloud storage operates, there are special considerations you need to bear in mind for your TrueCrypt volumes to work properly.
TrueCrypt Volume File Names
Some cloud storage providers (one known case at this time being OneDrive for Business) may edit files of certain types to insert unique identifiers or other metadata. Since a TrueCrypt volume is not a regular document file, no matter what file extension you choose to use for it, modifications like this could corrupt the volume and render it unusable. To prevent such changes from happening, it would be best to avoid using common file extensions for the TrueCrypt volumes you keep in the cloud – the safest bet is to use TrueCrypt’s native extension of “.tc”.
TrueCrypt Volume Timestamps
Most cloud storage software only syncs files when the timestamp changes. By default, TrueCrypt will not alter the timestamp of a volume after it is created. This will prevent your cloud storage software from recognizing when there have been changes to the TrueCrypt volume, and new versions will not be synced. To resolve this, you need to change one of the options in TrueCrypt’s Preferences.
From the TrueCrypt main interface, go to Settings -> Preferences…
In the TrueCrypt – Preferences dialog, un-check “Preserve modification timestamp of file containers” and click OK.
Now, whenever a change is made to the files within the TrueCrypt container, TrueCrypt will update the timestamp on the volume file so that the change can be detected by your cloud storage software.
Dismount Volumes to Save Changes
Though timestamps on files within the TrueCrypt volume are updated whenever the file is saved, TrueCrypt will not update the timestamp on the volume itself until you have dismounted the volume. Since your cloud storage software cannot see the files inside of the TrueCrypt volume, the volume file’s timestamp is the only indicator it has to know when there’s been an update. So, whenever you want changes to your TrueCrypt volume to be sent to the cloud, make sure to dismount the volume from the TrueCrypt main interface, or by right-clicking the TrueCrypt tray icon and selecting the appropriate dismount option (or Dismount All).
Saving Files in a Volume vs. Normal Files
Another side-effect of storing your files in a TrueCrypt volume, where your cloud storage software does not have direct access to it, is that you will need to sync the entire TrueCrypt volume whenever you want to update even a single file in the volume. Depending on how your cloud provider does synchronization, this may mean that you need to do a full re-upload of the whole volume. Some cloud providers do block-level updates instead, which will only sync the portions of the volume which have actually changed. Even then however, the nature of encryption may still necessitate a data transfer that is larger than the individual file(s) being updated.
You should check your cloud storage provider’s documentation, and consider doing some testing of your own, to see exactly how much this will impact you. Depending on the size of your volume, and the files stored within, the performance hit could range from fairly minor to rather extreme.
This can be mitigated by keeping your TruCrypt volumes relatively small. Make them just large enough to store the files you want in them, with relatively little padding for growth. Also consider breaking a large volume up into smaller chunks if you have a lot of files.
Problems With Very Large Volumes
Some cloud storage software may not properly handle very large TrueCrypt volumes, potentially resulting in corruption or loss of data. Volumes 300 MB or less in size should be ok. Anything in the multi-GB range is definitely risky.
Again, this is solved by keeping your volume sizes small – something you’ll want to do for general performance reasons anyway. To reduce your risk of permanent data loss, you should also consider keeping (and regularly updating and testing) an offline backup of your data that does not sync with the cloud-based versions.
Normal Cloud Storage File Considerations
Other general considerations for files stored in the cloud still apply with your TrueCrypt volume:
- Don’t leave the volume open with unsaved changes on more than one computer at a time.
- When accessing your volume via a web interface, you’ll need to manually upload it back to the cloud after you’ve dismounted it if you’ve made any changes.
That’s all there really is to it. With all your personal data kept in a TrueCrypt volume in the cloud, you can feel secure in knowing that anyone who wants access to it will need to come to you personally to request it.