21 June 2011

How to keep things secure in your Dropbox or other cloud storage

I'm a huge fan of Dropbox and other cloud services.  It's just incredibly convenient to be able to access my stuff from all my machines.

But security and privacy remain problematic: If your stuff is stored on someone else's machine, who else can access it?  The question has been in the news lately.  Expect more such stories as adoption of cloud technologies accelerates.

Yet by far the largest risk to your data is loss from hardware failure, theft or physical disaster.  Aside from the convenience factor, storing things in your Dropbox means they're copied locally to all your machines as well as safely backed up (and versioned!) in the cloud.  For those reasons, I keep all my current work in my Dropbox.  Securely!

Here's How:

I use Macs most often lately, and this tip leverages some truly keen capabilities of OS X.  (I am unaware if Windows 7 offers similar functionality combined with similar ease and baked-in speed, but there are third-party tools like TrueCrypt which can attempt something kinda/sorta parallel, but not as easy or automagical, and not as swift in execution.)

Disclaimer: a patient Bad Guy could probably hack any encryption, and it probably serves as a minor inconvenience at best to any of several three-letter agencies.  But, I suspect that should I be of sufficient interest to such folks that they'd be groping my digital giblets rather than just fondling my carbon-based ones at airports, encryption strategy would be the least of my worries.

  • Open Disk Utility.  (It's in your Applications | Utilities folder, or just go to Spotlight and type "disk utility.")
  • Click the New Image button.
  • A form will pop up.  Fill it out as follows.  You're creating a sparse bundle disk image-- a virtual disk divided into small files (more backup- and Dropbox-friendly than a monolithic disk image would be).  Give both the image and the virtual disk that will appear on mounting it sensible names (via the "Save As" and "Name" fields, respectively).  Choose a size that's adequate but not obese for your purposes.  Select Mac OS Extended (journaled) as the format and a single Apple Partition Map as the partition.  Choose 256-bit encryption if you're uber-paranoid, or consider the faster 128-bit.
  • Click the Create button.  You'll be prompted to enter a password.  Do so (twice) and be sure to UNCHECK the "Remember password in my keychain" box so you'll be prompted for the password each time you mount the disk.  You want that behavior.
  • Click OK.  The disk will mount and appear on your desktop, and Dropbox will begin uploading it to its servers (and then down to any of your other linked computers).
  • Now do whatever you want to do.  Put stuff in the disk as usual. 
  • Here's the automagical part: you can make aliases to any item that's inside and put the alias wherever you want-- on your desktop, for example.  Clicking on such an alias will automagically resolve to the encrypted disk, and you'll be prompted for its password if it isn't already mounted.  Changes you make will automagically be stored in the encrypted disk.  You can, of course, mount the virtual disk manually by double-clicking on the sparsebundle in your Dropbox.  But you don't need to.
  • Using this strategy, at no time does unencrypted information get transmitted (Dropbox connections are themselves encrypted) or stored on Dropbox.
  • When you're done, "eject" the virtual disk (or, this will happen automatically when you shut down).  It is now unopenable and its contents unreadable by anyone lacking the password.
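
The same recipe from the command line, as an added example that is not part of the original post: `hdiutil` is OS X's command-line disk image tool, and the last two functions list the band files that changed after an edit, which is all a sync client has to re-upload. The path `~/Dropbox/Vault.sparsebundle`, the volume name `Vault`, the `10g` size, the marker file and the function names are assumptions.

```shell
#!/bin/sh
# Added example: CLI equivalent of the Disk Utility steps (OS X only).
# All names, paths and sizes are placeholders chosen for illustration.

# Create an encrypted sparse bundle with a single Apple Partition Map
# partition (SPUD) and a journaled HFS+ volume. hdiutil prompts for the
# passphrase itself, so it never appears in shell history.
create_vault() {
    # $1 = image path, $2 = volume name, $3 = size (e.g. 10g)
    hdiutil create -type SPARSEBUNDLE -fs HFS+J -layout SPUD \
        -encryption AES-256 -size "$3" -volname "$2" "$1"
}

# Mount (prompts for the passphrase) and eject.
open_vault()  { hdiutil attach "$1"; }
close_vault() { hdiutil detach "/Volumes/$1"; }

# List band files modified after a marker file. A sparse bundle keeps
# its encrypted data as small files under bands/, so only these need
# to be transferred again after you edit the mounted volume.
changed_bands() {
    # $1 = path to the .sparsebundle, $2 = marker file
    find "$1/bands" -type f -newer "$2"
}

# Print "<band count> <total bytes>" pending upload since the marker.
pending_upload() {
    changed_bands "$1" "$2" | {
        n=0; total=0
        while IFS= read -r f; do
            n=$((n + 1))
            total=$((total + $(wc -c < "$f")))
        done
        echo "$n $total"
    }
}

# Usage on a Mac (assumes the default ~/Dropbox folder):
#   create_vault ~/Dropbox/Vault.sparsebundle Vault 10g
#   touch /tmp/last-sync
#   open_vault ~/Dropbox/Vault.sparsebundle   # ...edit files...
#   close_vault Vault
#   pending_upload ~/Dropbox/Vault.sparsebundle /tmp/last-sync
```

Swap `AES-256` for `AES-128` to get the faster option mentioned above.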

You can now access your encrypted disk from any OS X Mac!  (To date, encrypted disk images aren't supported by iOS... hope that changes.)

You can, of course, do the same thing without putting the sparsebundle in your Dropbox.  For example, I have a VMware Fusion virtual machine with sensitive content installed on a 25GB encrypted sparsebundle on my external FireWire disk.  Thanks to OS X's deep integration of this functionality, it runs like a hose.

  1. And if you need to access your files from your iOS / Android devices? I suppose your solution will not work in that case.

  2. "And if you need to access your files from your iOS / Android devices? I suppose your solution will not work in that case."

    --Correct, this is an OS X-centric recipe. But, as noted, perhaps there is a solution like TrueCrypt that might work for you in another situation. The key to what I posted is really what Apple calls a sparse-bundle disk image. Dividing the image into small files is what makes this practical for Dropbox and other cloud stores since the whole huge image doesn't need to be re-transmitted on any small change. (It also makes the image more backup-friendly in general.) Unfortunately I've downloaded the latest version of TrueCrypt and it doesn't seem to support anything similar-- sparse images, yes, but while those take up a minimal amount of physical space, they are still one monolithic file.

    If there is a cross-platform utility out there that provides sparsebundle-like encrypted stores with good performance, perhaps someone will post info about it.

    Thanks for your comment.


  3. Another point: the AES encryption that is so efficient on OS X gains its power in part from hardware acceleration in recent (generally Core-i) Intel CPUs. Other platforms lacking Intel's AES-NI instructions (and other encryption choices) will be slower. Having said that, my Mac is an older Core 2 Duo unit and its encryption/decryption is fast to the point of virtual transparency.

    The latest versions of TrueCrypt also leverage AES-NI acceleration when present. More info, including links to additional encryption tools, here: http://en.wikipedia.org/wiki/AES-NI


  4. My choice is EncFS:
    I can mount fusefs in Linux, Mac OS X (probably Win). It doesn't require unmounting the volume.

  5. Thank you very much, ctrld. This sort of informed advice is invaluable.

  7. Would the whole disk image need to be re-synced with Dropbox every time a change is made? Or could Dropbox just sync the delta on the encrypted image?

  8. "Would the whole disk image need to be re-synced with Dropbox every time a change is made? Or could Dropbox just sync the delta on the encrypted image?"

    As I understand it, Dropbox resends the whole file when a byte changes. Perhaps there are some circumstances when just the delta is transferred... but in any case, the sparse bundle approach minimizes transfers since the disk image is broken into small files. Only the small files that changed would need to be processed at all.

    This would appear to be a benefit of the EncFS approach that ctrld posted a comment about, too.

    Your backup process will benefit from these segmented images, too.

  10. Thanks, Anonymous, for the pointer to the SugarSync service. I just signed up and tried the installation process, and it went smoothly. Unlike Dropbox, it doesn't create its own folder-- you can choose any folder or folders to sync, and you can of course create a specific folder just for syncing.

    Painless. Very nice. My compliments... I will be looking forward to using this service in the coming days.


  13. Depending on whether you want to use Dropbox for consumer or business purposes, it may or may not be right for you. For businesses in many regulated industries, Dropbox is not compliant. Their website clearly states this:
    Dropbox Enterprise File Transfer from Thru is the secure solution for businesses and enterprises. Their solutions have been working for large businesses for ten years without a single security breach.

    1. nxb3942 makes an interesting point about compliance with various regulations that might apply to a user's given industry, such as HIPAA, ITAR and so forth. I'm not an attorney so cannot advise whether keeping sensitive information in encrypted form on a service which otherwise might not comply would be acceptable or not.

      nxb3942 references Thruinc.com, which offers an end-to-end solution which is claimed to satisfy various alphabet-soup regulations. Intriguing.

      Note: From reviewing their website, it would seem that Thruinc.com's "Dropbox Enterprise File Transfer" is not related to and does not use the service from Dropbox.com despite its evocative name.