How to Protect Your DropBox Data

Guest post written by Dave W, Network Security Analyst.

As has been mentioned here before,  DropBox and services like it have a lot of interesting  uses. The problem though is that for the security conscious these uses are limited and to the security unconscious they are downright dangerous. This isn't specific to DropBox, however. If, like me, you are deep deep down the rabbit hole with Google services then you have the same issue there as well.

That being said, there are things you can do about it. One of my favorites and one of the best is encryption. As with all security you sacrifice some functionality and flexibility for security - but the price is low compared to the risks. The primary sacrifices are

the web interface and search features. You also eschew mobile access, but that's a post for another day.

 

In the case of DropBox, the security risks come from all your private data being exposed either in a breach, as has happened, or just to the prying eyes of DropBox employees. If like me you have used DropBox to transfer files between home and office you might

have the added concern that your DropBox files leave Canada and are subject to all sorts of US government intervention and ceasure.

Again, DropBox does their best and encrypts the data on their end as well, but things happen. Encypting things yourself just gives you extra insurance.

There are a number of security tools out there to encrypt your data but the one that seems to be most suited to this task is TrueCrypt. It is open source and multi-platform (barring mobile) and seems to be fairly secure.

What TrueCrypt allows you to do is create an encrypted "container" into which you can put files which will in turn be encrypted. In practice the container is actually just a file itself however it is something like a .zip or .tar file in that it is a binary file designed to store and extract other files. TrueCrypt will, when requested, mount this file like a file system. So for those Windows folks it would be a new drive letter i.e. Z:. Once mounted you can read and write files as you would in any normal directory.

I will provide Windows based instructions here to make this work as I assume if you are running Linux you can figure out the differences and if you are running a Mac then I have no idea what to tell you.

What you will need is:

  • A DropBox account
  • The DropBox client installed and configured
  • The TrueCrypt client installed

The first thing we need to do is create the encrypted container. As part of this you will

need to know how to access the folder DropBox uses to synchronize files, the "DropBox

Folder." Then open TrueCrypt and follow these simple steps.

  • Create a new container with the "Create Volume" button.
  • You want an encrypted file container, not a volume within a partition.
  • Choose the Standard volume, not a Hidden volume.
  • Choose a file location INSIDE the Dropbox folder and choose a file name.
  • Start by accepting the default Encryption and Hash algorithms. You can branch out later
  • Choose a volume size. More on this after this list.
  • Set a good strong password. They want a 20 character password. I just accept the warning on my shorter password.
  • Leave the default filesystem (FAT) for maximum compatibility.
  • Follow the instructions to create the entropy needed for a good encryption key and format the volume. This is very important!!!

Done!

 

Once created, this file will begin to be uploaded to DropBox. This will take a while until it is done if you have created a big container. On this note, how big should the container be?  The bigger the container, the more files you can put in it obviously but also the longer the initial upload and the first download to any new computer you want to access with it. How you balance this is up to you. Once the initial file upload and downloads have happened on all you computers only the changed data is uploaded/downloaded so you won't have to transfer the whole container more than once per computer. I suggest one big container for most of your data, say 2GB and one or more small ones for quick hit files.

Now that you have a container, let's mount it. You might want to wait for DropBox to transfer the file first, but you don't have to as long as you don't unmount it untill that initial upload finishes. I will explain why shortly.

To open the container, open DropBox if it isn't already open, and follow these steps.

 

  • Select the file that you just created from "Select File" dialog.
  • Choose a drive letter to mount it too (I like z: but do what you like).
  • Click the mount button and cross your fingers.

If all goes well, and it ususally does, you have a mounted TrueCrypt container. YAY!

You can now go to the drive letter you picked and start adding files.

The way DropBox works, it will not update a file until the file is closed. So long as you have the container mounted it is open. After the initial upload is complete you can unmount the container and the files you added or changed will be uploaded to Dropbox in their encrypted state.

To unmount the container open TrueCrypt and either select "Unmount All" or choose the specific container to unmount from the drive list at the top and select unmount.

Now all you need to do is install Dropbox and Truecrypt on a secondary computer and follow the mount instructions above to access those encrypted files and make more changes.

Remember to unmount the container after each round of file changes so they can be uploaded to Dropbox. Also remember to wait until the updates have synced out to your other devices before syncing them.

On Unix-like systems you can get more creative. For instance, I run a backup of my FreeBSD server to the RAID drive on my Linux desktop. Then I back up parts of that backup and of the local Linux backup to an encrypted container on Dropbox. This can all

be scripted and added to cron to mount the container, copy the files and unmount the container on any schedule I choose.

One you get the basics down you can come up with creative ways to use it, use multiple containers and play with keys and other encryption and hashing algorithms.

Currently there doesn't seem to be an IOS or Android port, however, I am working on a way to use EDS Lite and a specially created Truecrypt container to get mobile access to this encrypted content.

Let us know what creative ways you come up with to use these tools.

-Dave