As the number of computers, laptops, and mobile devices we use grows, services that sync our important files between them grow in popularity. But are these services secure enough to store our confidential files? Recent news suggest not. One of the more popular file-syncing services, Dropbox.com, has experienced recent and significant security issues this year, including a brief lapse in their authentication system that made passwords optional for a 4-hour window. And not to pick on Dropbox – virtually all of these services carry some security trade-offs by design, including them having the keys to your encrypted files so that they can de-duplicate data to minimize storage requirements. Syncing confidential files in the cloud is not recommended without additional encryption.
All encrypted syncing solutions are not created equal
Searching the internet for “securing Dropbox” will result a myriad of blogs suggesting various ways to encrypt your cloud-synced files. What they all have in common is that they attempt to encrypt your files locally before they go into the cloud. But not all local encryption methods are best suited for cloud-synchronization. SystemExperts spent some time trying many of the suggestions found online, but experienced the following issues with most of them:
- Tools that create encrypted volumes within the Dropbox folder create a single large file that must be synchronized every time a single file within it changes, making it very slow. And often times the size of the these volumes cannot grow, so a single large file must be created from the start. These problems were common to tools such as TrueCrypt (cross-platform) and encrypted disk images such as .dmg and .sparseimage files (both built-in for OS X only).
- OS X has a disk image format called “sparsebundle” that it created precisely for syncing files to its Time Machine backup service. It solves the problem of syncing entire volumes by dividing it up into smaller “bands”. But this is not a cross-platform solution. Additionally, testing indicated that Dropbox had trouble detecting changes to the “bands” in real-time, and had trouble synchronizing them if the volume was mounted by multiple systems.
- Encrypting individual files makes for faster syncing, but can be tedious if it must be done manually with tools such as zip-archiving tools.
EncFS to the rescue
SystemExperts found EncFS (or Encrypted File System)solutions best suited for the task. EncFS uses AES-256 encryption, is cross platform (Windows, Linux, and OS X – sorry, no mobile yet), and it encrypts individual files on the fly as they are placed into the mounted EncFS volume. As an added bonus, EncFS provides some protection for lost or stolen laptops. EncFS mounts the encrypted files on your file system and displays them decrypted at the mount point as a new drive or volume, so as soon as the system is powered off or the user logs out, the mount point is lost and the decrypted files are no longer available.
However, there are some caveats to EncFS:
- The only Windows solution we found is a commercial application called http://boxcryptor.com/ which starts at $20 for commercial use, although it does offer a free version with some limitations
- Although free, the OS X and Linux solutions are more technically challenging to install
- Although the file contents are encrypted, anyone with access to the file system can see how many files and folders exist, their permissions, their approximate sizes, and their last accessed and modified timestamps.
Example usage of EncFS
In our test setup, we synchronized files across multiple OS X systems. Following these installation steps for OS X , we created a folder within Dropbox for our encrypted EncS files, and an EncFS mount point outside of our Dropbox folder. (Tip: On OS X and Linux, name the folder within Dropbox using a preceding . (dot) to make it invisible. This way you aren’t tempted to place unencrypted files within the encrypted EncFS folder by accident.) We named our new EncFS volume “eDropbox”, which showed up on our Mac as a new attached drive. After repeating the setup process on two additional systems, we began placing files within this new eDropbox drive. Files were immediately and transparently encrypted to the EncFS folder within our Dropbox folder, and then synchronized to our other systems, making the unencrypted file immediately available on all of the respective mounted eDropbox volumes. But anyone accessing our Dropbox account in the cloud (including the operators of the service itself) will now only find AES-256 encrypted files there.
Please let us know how EncFS works for you, if you find other solutions that work better, or how your company is addressing secure file synchronization.