Encrypted file storage program. Encryption for Dropbox. Dropbox: file syncing is easy, but not secure.

Current state of affairs

Recently, users are becoming more and more mobile, freelance services are in greater demand, and companies are switching to remote work. In these conditions, the availability of data anytime, anywhere and from any device (both desktop and mobile) becomes more important than ever. At the same time, the demand for cloud data storage services is growing, both from individual users and companies.

Using cloud storage allows you to publish your files, edit them and share them with friends and colleagues. Using cloud storage services, you can not only store the files themselves, but also the history of their changes, as well as synchronize data on your devices.

With the growing interest in cloud storage, there is also a need to protect data stored in the clouds. Some cloud service providers offer built-in backup and encryption, but there are also stand-alone services that protect data placed in cloud storage. This article looks at one such service that supports most cloud storage providers: Boxcryptor, developed by the German company Secomba GmbH (Werner-von-Siemens-Str. 6, 86159 Augsburg).

Boxcryptor system requirements

The Boxcryptor service is presented by the manufacturer in the following formats:

  • Plugin for Google Chrome browser.
  • Portable version.
  • Version that requires local installation.

This article discusses the version that requires local installation. The service supports deployment on the following platforms:

  • Windows XP SP3 and higher (with .NET Framework 4.0).
  • macOS X 10.7.5 and higher.
  • iOS 7 and above (iPhone/iPad/iPod).
  • Android 4.0.3 and higher.
  • Windows Phone.
  • Windows RT.
  • Blackberry 10.

To interact with the local version of the service and cloud storage, you must have:

  • User accounts for cloud storage in which encrypted versions of files are planned to be stored.
  • Free space on local storage in an amount corresponding to the volume of files located in cloud storage and subject to encryption. In general, the free space on your local disk should be comparable to the amount of space provided by cloud storage services, for example:
    • Yandex.Disk provides 10GB;
    • Dropbox - 2GB;
    • Google Drive - 15GB;
    • Box - 10GB;
    • OneDrive - 15GB;
    • Amazon S3 - 5GB;
    • CloudMe - 3GB;
    • iCloud Drive - 5GB;
    • Telekom - 25GB, etc.

Functionality

The available functionality of the service depends on the type of subscription (license) purchased.

Table 1. Boxcryptor functionality depending on subscription type

| Functionality | Short description | Free | Unlimited Personal | Unlimited Business | Company Package |
|---|---|---|---|---|---|
| Use of AES-256 and RSA encryption algorithms | Encrypting the contents of files hosted in cloud storage | Yes | Yes | Yes | Yes |
| Secure provision of access | Giving third parties access to your encrypted files | Yes | Yes | Yes | Yes |
| Mobile app support | Possibility to deploy the application on mobile devices | Yes | Yes | Yes | Yes |
| File name encryption | Masking the name of a file placed in cloud storage | No | Yes | Yes | Yes |
| Supports an unlimited range of cloud platforms | Possibility to protect data on several cloud storages rather than just one | No | Yes | Yes | Yes |
| No quantitative limitation of supported devices | Ability to deploy the service on more than two devices | No | Yes | Yes | Yes |
| Technical support | Availability of unlimited technical support from the manufacturer | No | Yes | Yes | Yes |
| Creating user groups | Ability to group users into groups for subsequent file sharing with the group as a whole | No | No | Yes | Yes |
| Commercial use | Possibility of using the service for corporate purposes | No | No | Yes | Yes |
| Personal use | Can be used by only one user | Yes | Yes | Yes | No |
| More than one user using a subscription | Ability to add an unlimited number of users to one subscription (license) | No | No | No | Yes |
| Master key | Ability to decrypt company files accessible to its employees without knowing their passwords | No | No | No | Yes |
| Resetting company user passwords | Ability to reset and replace company user passwords used for encryption without losing access to data in encrypted company files | No | No | No | Yes |
| Active Directory support | Synchronizing Boxcryptor users with users from the company's Active Directory | No | No | No | Yes |
| Defining policies | Creation of security policies to comply with internal and external requirements (password length, file name encryption, etc.) | No | No | No | Yes |
| User and device management | Centralized management of users and configuration parameters | No | No | No | Yes |
| Audit | Monitoring user behavior to detect and respond to suspicious security events (unusual login attempts, policy violations, etc.) | No | No | No | Yes |
| Two-factor authentication | Two-factor user authentication using the Duo Security solution | No | No | No | Yes |

Boxcryptor subscription cost

Boxcryptor subscription costs are as follows:

  • Free - free.
  • Unlimited Personal - 36 € ($48) per year.
  • Unlimited Business - 72 € ($96) per year.
  • Company Package:
    • 8 € per user per month - when purchased for 1 year.
    • 6.4 € per user per month - when purchased for 3 years.

For a full subscription for personal use (Unlimited Personal), the manufacturer provides a 25% discount for students.

Subscriptions "Free", "Unlimited Personal" and "Unlimited Business" are intended for 1 user only:

  • Free and Unlimited Personal - use for personal purposes only (protection of personal information) by a single user. These subscriptions are intended for private individuals;
  • Unlimited Business - used to protect not only personal but also corporate information, but again by only one user. This subscription is intended, as a rule, for employees of a legal entity or for individual entrepreneurs, provided that each employee has their own subscription (license).

Unlike personal subscriptions, the Company Package subscription allows you to add an unlimited number of users for one license.

Working with Boxcryptor

Installing the desktop version of the Boxcryptor service

The service is quite easy to use, especially with regard to the limited range of functions provided as part of the Free and Unlimited Personal subscription types. Although these two types may be most in demand among Russian users. To take advantage of the offered functions, you need to download the distribution kit for the corresponding platform from the manufacturer’s website.

This article examines the operation of the service using the example of a distribution kit for the platforms most common among Russian users: Microsoft Windows and Android. At the time of preparation of the material, version Boxcryptor 2.3 is available on the manufacturer’s website for the Microsoft Windows operating system, and version 2.1 for Android (as well as Beta version 2.49.559). For other platforms, the list of functions is similar - a detailed description of the service functions for each platform is provided by the manufacturer on its website in the corresponding user manuals.

When installing the product, you are asked to read and accept the “License Agreement” concluded between the manufacturer Secomba GmbH and the end user, as well as the “Data Protection Policy”.

After installation and launch, you will need to authenticate if you have a Boxcryptor account, or create such an account.

Figure 1. Registration in the desktop version of Boxcryptor on Windows

When creating an account (profile), a notification appears that you need to remember the password, otherwise you will lose access to all encrypted files. Only by agreeing to this and accepting responsibility for saving the password can you continue registration.

Here, as part of creating a profile, you will need to decide on the type of subscription (license).

Figure 2. Selecting a subscription type in the desktop version of Boxcryptor on Windows

You only have to choose from three types; the fourth and most complete type of Company Package subscription is available for selection only on the website (where you also fill out a profile for this type). Manufacturers offer the following trial periods for “Company Package” and “Unlimited Business” subscriptions:

  • Company Package – trial period of 30 days to familiarize yourself with the functionality.
  • Unlimited Business – free testing for 1 week.

Activation of these features is only available through the web interface from your Boxcryptor account.

When you select an Unlimited Personal or Unlimited Business subscription, your browser will launch and display the payment page.

After all selection and payment procedures have been completed, the service itself starts.

The version installed on a smartphone with the Android operating system will also need to be authenticated.

Figure 3. Authentication in Boxcryptor on Android

On first launch:

  • A corresponding icon appears in the lower right corner of the screen in the notification area.
  • The “Tutorial” for working with the service opens.
  • The service automatically searches for cloud storages associated with the device, and if they are missing, a settings window opens.
  • The created virtual disk appears in Explorer, which is used to encrypt files and synchronize with cloud storage.

Figure 4. First launch of the desktop version of Boxcryptor on Windows

If any cloud storage is already connected to Windows, it will appear in the Boxcryptor Explorer in the virtual disk area.

Figure 5. Contents of the Boxcryptor virtual disk in the desktop version on Windows

Further work on encrypting and decrypting files (directories) is carried out within this Boxcryptor virtual disk with its associated cloud storages (for example, Dropbox).

The first launch on an Android device will also require you to define a cloud storage matched by Boxcryptor.

Figure 6. First start of Boxcryptor on Android and cloud storage definition

Setting up Boxcryptor

To configure the service parameters, you must select the appropriate item (“Settings”) in the context menu called up on the icon in the notification area (see Figure 4). All basic and advanced settings are performed within the corresponding tabs of the “Boxcryptor Settings” window.

Figure 7. Desktop settings of Boxcryptor on Windows

Determining the local directories that are used to store sensitive information to be encrypted using Boxcryptor is done by clicking "Add" on the "Locations" tab and then selecting the directory of interest.

To link the cloud storage specified on the “Location” tab to Boxcryptor, just click on the word “Link” and fill out the appropriate configuration forms.

Figure 8. Linking cloud storage in the desktop version of Boxcryptor on Windows

As a result of adding a local directory and linking cloud storage, the corresponding locations will appear in the list.

Figure 9. Directory and cloud storage connected in the desktop version of Boxcryptor on Windows

The parameters of the account to which the subscription to the service is assigned can be adjusted on the “Profile” tab. Parameters that can be edited (“First Name”, “Last Name”, “Email” and “Password”) are marked with a symbol. Additionally, this tab provides:

  • Subscription type information.
  • The ability to generate a master key necessary to restore access to encrypted company data in the event, for example, of the dismissal of the employee responsible for this data. This feature is only available for the Company Package subscription.
  • The ability to export keys to ensure work with the service in the absence of a network environment (in offline mode).

Figure 10. Account configuration parameters in the desktop version of Boxcryptor on Windows

In order to provide access to an encrypted file stored in the cloud, for example, to work colleagues, you will need to create a group and add them to this group. However, there is one caveat: you can only add to groups those who are also Boxcryptor users (with the same type of subscription). Within these settings you can:

  • Add and remove group members.
  • Leave the group.
  • Reassign (revoke) the permissions of the group owner to a group member (by selecting the member and calling the context menu on them).

Figure 11. Creating a group in the desktop version of Boxcryptor on Windows

More precise settings can be made using the configuration parameters on the “Advanced” tab. The main set of parameters allows you to adjust the name of the Boxcryptor virtual disk created by the service and its drive letter, as well as configure whether the service starts together with the operating system, checks for updates, and encrypts file names. The manufacturer itself recommends activating file name encryption only when it is really necessary, since this type of encryption affects system performance (especially with a large number of files). To fine-tune the settings, you will need to select the “More settings” item.

Figure 12. Advanced settings for the desktop version of Boxcryptor on Windows

As part of advanced settings, the following parameters can be enabled/disabled:

  • “Enable the use of the Recycle Bin” - is responsible for deleting files and directories to the Recycle Bin, from where they can be restored.
  • “Connect as a hard drive” - Boxcryptor during installation creates a virtual disk to encrypt files and directories, and this option allows you to give the disk the status of a physical one from the system's point of view.
  • “Connect for all users” - is responsible for the availability/inaccessibility of the Boxcryptor disk to all users whose accounts are present at the workplace where the service is deployed.
  • “Enable support for long paths” - allows you to lift/restore the 256-character limit on file path length. However, this may cause problems on systems that do not support longer paths.
  • “Connect in Windows Volume Manager” - allows you to add a Boxcryptor virtual disk to the Windows Volume Manager.
  • “Do not show files and folders starting with a dot” - allows you to exclude/include from the visible files those that begin with a dot. Such files are usually generated by cloud storage services, and their accidental encryption can lead to irreparable consequences.
  • “Hide files and folders if their names cannot be decrypted” - this option allows you to hide those files with encrypted names for which the user does not have rights to decrypt them.
  • “Do not show OneDrive warnings” - allows you to exclude warnings generated when working with OneDrive cloud storage services, since this cloud storage has the ability to save files in the cloud without synchronizing with local media, and Boxcryptor encrypts files only locally.
  • “Automatically detect removable drives” - allows you to define connected removable storage media as locations attached to Boxcryptor.
  • “Automatically detect network drives” - allows you to define network drives as locations attached to Boxcryptor.

Boxcryptor on Android has a more modest set of configuration parameters. Automatically activated are: encrypting file names, resetting service settings after three failed authentication attempts, and previewing files. An interesting feature is “Set PIN code protection” - it allows you to protect the service from unauthorized access and will require you to enter a PIN code if you call the service while it is running in the background.

Figure 13. Settings of Boxcryptor on Android

Having configured the service based on your own needs, you can start using it directly for the purpose of encryption and decryption.

Encrypt and decrypt files and directories with Boxcryptor

The general principle of encryption implemented in this service is reminiscent of the fairy tale about Koshchei the Immortal: Koshchei’s death is in a needle, the needle in an egg, the egg in a duck, the duck in a hare, and so on. In this service, several cryptographic keys play the role of these nested components, each of which is locked (encrypted) by the next one in the chain of encryption operations. In general, the following cryptographic entities (keys/passwords) are used:

  • Password.
  • AES key.
  • RSA key pair:
    • Public key.
    • Private key.

And depending on the initiator of cryptographic transformations, AES and RSA keys are determined for:

  • User.
  • Companies (User Groups).

Keys are generated directly on the user’s device when creating a user or company account (user group). All keys except the user's password are sent to the Boxcryptor server, but they are all sent encrypted (except for the RSA public key).

Figure 14. The general principle of file encryption implemented in Boxcryptor

All operations to encrypt/decrypt files are carried out only locally on users’ computers, and only then are synchronized with cloud storage. The file encryption procedure is as follows:

  • Generating an individual key for the file (AES key).
  • Encrypting the file with this key.
  • Encrypting the file key with the user's RSA public key. This operation is performed once for each user who is to be given access to the file, producing a “secret” for each of them.
  • Appending the encrypted file keys for each user to the end of the encrypted file contents; the result is the encrypted file.
  • Encrypting the user's RSA private key using the user's password.
  • Saving all secrets on the Boxcryptor server.

The file is decrypted in the reverse order, only the private RSA key is used instead of the public RSA key. However, all these transformations are hidden from the user's eyes.
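To make the chain of keys concrete, here is an added example (written for this article; it is not Boxcryptor's own code and not its real on-disk format) that implements the steps above with Go standard-library primitives: a fresh AES-256-GCM key per file, that file key wrapped with RSA-OAEP once per recipient, the wrapped keys appended to the ciphertext as per-user “secrets”, and a decryption that only succeeds for the holder of one of the listed private keys. The container layout, the fixed 2048-bit RSA key size and the names NewUserKey, EncryptFile and DecryptFile are assumptions of the example; the password-based encryption of the private key (step 5) and the upload of secrets to the server (step 6) are outside the block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container layout assumed by this illustration (not Boxcryptor's real on-disk format):
//   nonce || AES-256-GCM ciphertext+tag || secret[0] || ... || secret[n-1] || n (1 byte)
// secret[i] is RSA-OAEP(fileKey) under recipient i's 2048-bit public key, so every secret
// is exactly wrappedLen bytes: one user's copy of the same per-file key.
const wrappedLen = 256

// NewUserKey stands in for the RSA pair generated on a user's device at account creation.
func NewUserKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 8*wrappedLen)
	if err != nil {
		panic(err) // CSPRNG failure: nothing sensible to do in a demo
	}
	return key
}

// aesGCM panics only on a wrong key length, which this code never passes in.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// EncryptFile: fresh per-file AES-256 key (step 1), encrypt the body (step 2), wrap the
// key once per recipient (step 3) and append the wrapped keys to the ciphertext (step 4).
func EncryptFile(plaintext []byte, recipients []*rsa.PublicKey) ([]byte, error) {
	if len(recipients) == 0 || len(recipients) > 255 {
		return nil, errors.New("need between 1 and 255 recipients")
	}
	buf := make([]byte, 32+12) // per-file AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	out := aesGCM(fileKey).Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	for _, pub := range recipients {
		secret, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil || len(secret) != wrappedLen {
			return nil, errors.New("recipient key must be 2048-bit RSA")
		}
		out = append(out, secret...)
	}
	return append(out, byte(len(recipients))), nil
}

// DecryptFile reverses the process: try each secret with the caller's private key (only
// the one wrapped under the matching public key unwraps), then decrypt the body. A user
// who was never granted access gets an error, never data.
func DecryptFile(container []byte, priv *rsa.PrivateKey) ([]byte, error) {
	if len(container) == 0 {
		return nil, errors.New("empty container")
	}
	n := int(container[len(container)-1])
	bodyEnd := len(container) - 1 - n*wrappedLen
	if bodyEnd < 0 {
		return nil, errors.New("corrupt container: trailer longer than file")
	}
	var fileKey []byte
	for i := 0; i < n && fileKey == nil; i++ {
		secret := container[bodyEnd+i*wrappedLen : bodyEnd+(i+1)*wrappedLen]
		if key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, secret, nil); err == nil && len(key) == 32 {
			fileKey = key
		}
	}
	if fileKey == nil {
		return nil, errors.New("no secret for this user: access was not granted")
	}
	gcm, body := aesGCM(fileKey), container[:bodyEnd]
	if len(body) < gcm.NonceSize() {
		return nil, errors.New("corrupt container: body too short")
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}

func main() {
	alice, bob, carol := NewUserKey(), NewUserKey(), NewUserKey()
	// Constructed sample content; only alice and bob are on the sharing list.
	c, _ := EncryptFile([]byte("constructed sample: Q3 budget"), []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	pt, err := DecryptFile(c, bob)
	fmt.Printf("bob: %q err=%v\n", pt, err)
	_, err = DecryptFile(c, carol)
	fmt.Println("carol:", err)
}
```

In this scheme, granting a colleague access later is the same operation as step 3: wrap the existing file key under one more public key and append it, so the file body itself is never re-encrypted. Running the block prints bob's recovered plaintext and carol's “access was not granted” error; a body that has been tampered with fails GCM authentication before any plaintext is returned.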

This service impresses with its ease of use for encryption and decryption. All operations are performed in one click. You need to use Explorer within the Boxcryptor virtual disk to select a file located in the cloud storage, call up the context menu on its name and click “encrypt” or “decrypt” (depending on your purposes). If encryption occurs, a green square with a padlock appears next to the file name, indicating that encryption has taken place.

Figure 15. Encrypting a file in the desktop version of Boxcryptor on Windows

Directly in the cloud storage itself, the file will be renamed by adding the “.bc” extension to it. The appearance of its display in the cloud storage also changes; to see this, just call up the context menu on the encrypted file and select “Show source in Dropbox.” When you open an encrypted file directly in the cloud, a message will appear asking you to convert it and select the encoding. A fragment of such a message is shown in the figure below.

Figure 16. Displaying an encrypted file in the desktop version of Boxcryptor on Windows and in Dropbox

Directory encryption is carried out in a similar way. When a directory is encrypted, the suffix “_encrypted” is added to its name, and a green square with a lock appears on the directory designation in Explorer.

Another way to encrypt a file is to move/copy it to a previously encrypted directory. Thus, it is automatically encrypted.

Figure 17. Automatic file encryption in the desktop version of Boxcryptor on Windows

As mentioned earlier, this service can provide encryption not only for cloud storage, but also to protect locally hosted files. The steps are similar. Encrypted and original files are stored in cloud storage, locally on the user’s device (when protecting locally hosted files) and in the Boxcryptor virtual disk. Files do not reach the Boxcryptor server in any form. You can open an encrypted file in readable form only within the Boxcryptor virtual disk or after copying it from this disk. In the original location, the encrypted file will open in an unreadable form with the corresponding notifications displayed (a message about the need to convert it and select the encoding).

If there is no network environment, files can be encrypted within the Boxcryptor virtual disk, and the “sync” icon will be displayed on their image, and when a network appears, synchronization with cloud storage will be performed.

Decryption is carried out by selecting the “Decrypt” item and results in obtaining the original file. If decryption is applied to a directory, all files contained in it are automatically decrypted.

Figure 18. Decrypting a file in the desktop version of Boxcryptor on Windows

When using the service on devices with the Android operating system, encryption is also quite simple. Within the service, you need to go to the cloud storage directory of interest and use the “” button to select a file on the device to upload to the cloud. Just at the moment of loading, the service will display a message about the need to decide whether encryption should be performed.

Figure 19. Encrypting a file in Boxcryptor on Android

Managing access rights to an encrypted file/directory in Boxcryptor

Access to an encrypted file or directory is granted through the context menu called on the encrypted object. Access can be granted to a group of users (added at the service setup stage) or to an individual user (by specifying their email address). Again, there is a nuance: access can only be granted to Boxcryptor users, and only by someone who has the necessary rights.

Figure 20. Managing access rights to an encrypted object in the desktop version of Boxcryptor on Windows

If you log in to the operating system with a different account, access to the Boxcryptor virtual disk will be limited. Accordingly, another user who lacks the necessary permissions, including those set when configuring the service (the “Connect for all users” parameter, see Figure 12), will not only be unable to use the files located within the virtual disk, but will simply not see such a resource at all. In fact, it is on this disk that files are encrypted before being placed in their original storage (and on the virtual disk itself they are presented in clear text).

Providing an encrypted file to a non-Boxcryptor user

If you need to transfer an encrypted file to a person who is not a Boxcryptor user, this can be done thanks to the product's integration with the Whisply service. You can implement such a transfer by using the corresponding item in the context menu, called up on the encrypted file in Explorer.

Figure 21. Secure transfer of a file encrypted in the desktop version of Boxcryptor on Windows via the Whisply service

After that, the Whisply service page related to file transfer will open in the browser. To complete the transfer you will need to go through the following steps:

  1. Make sure the file being transferred is correct.
  2. Define file access parameters: the time after which the file will no longer be accessible to anyone; the ability for the recipient to download the file only once or multiple times.
  3. Set password.
  4. Send a download link (including the method of sending: by email, SMS message, or copied to the clipboard for later presentation to the recipient).
  5. Send a password (similar to sending a download link).

Figure 22. Working with the Whisply service to transfer a file encrypted in Boxcryptor

As a result of completing these steps, the recipient will receive an encrypted file with the ability to read it. In addition, when an encrypted file in the cloud is changed, the recipient will have the opportunity to use the same link to receive the most current version of the file, but only during the validity period of the link.

Encrypting file names in Boxcryptor

Encrypting file names, like encrypting/decrypting a file, is done through the context menu. As a result of name encryption, the file name in the cloud storage is shown as an unreadable string of characters (with the exception of the “.bc” extension).

Figure 23. Encrypting the file name in the desktop version of Boxcryptor on Windows

You can return the normal file name by canceling name encryption through the context menu.

Boxcryptor user master key

This feature allows you to retrieve encrypted company files if a user has forgotten their password or left without transferring their credentials to other users. To generate such a key, you need to go to the “Profile” tab in the Boxcryptor settings and in the “Master key” line click “Generate”. In the window that appears, you must enter passwords for the new key and generate the key itself. After generation, the generated key must be entered into the appropriate policy via the web interface.

Figure 24. Generating a user master key in the desktop version of Boxcryptor on Windows

When the need arises to use a master key, you simply need to unlock it by entering the appropriate password on the “Profile” tab in the service settings. This will allow the person in charge to have access to all encrypted files of all users of the company.

Conclusions

We looked at the main functions of the Boxcryptor service, designed to protect the data of individual users and companies as a whole when they are placed in cloud storage. There are three types of subscriptions available for individual users:

  • free – Free – with limited functionality;
  • paid – Unlimited Personal – expanded range of functions compared to Free;
  • paid - Unlimited Business - the most complete set of functions, designed to protect not only personal, but also business information of individual employees, small companies and private entrepreneurs.

Companies are offered a separate type of subscription, which is the most complete and represents an independent business package - Company Package.

A distinctive feature of the Company Package is the presence of functions aimed specifically at companies, for example:

  • Generating a user master key and resetting user passwords, providing the ability to decrypt company files in the event of loss of passwords used for encryption.
  • Active Directory support, which allows you to synchronize Boxcryptor user accounts with user accounts from the company's Active Directory, which makes life a little easier for the system administrator.
  • User and device management, facilitating centralized management of all company users and service configuration parameters on corporate devices.
  • The ability to conduct an audit (monitoring) to help detect uncharacteristic user behavior.
  • Two-factor authentication, providing user authentication through the use of the Duo Security solution.

The main advantages of the service are:

  • Variety of supported platforms: Windows XP SP3 and higher, macOS X 10.7.5 and higher, iOS 7 and higher (iPhone/iPad/iPod), Android 4.0.3 and higher, Windows Phone, Windows RT, Blackberry 10.
  • Availability of a portable version (for Windows, macOS, Linux platforms).
  • A large number of supported cloud storage services: Yandex.Disk, Dropbox, Google Drive, Box, OneDrive, Amazon Cloud Drive, Amazon S3, CloudMe, Cloudwatt, Cubby, Egnyte, GMX, iCloud Drive, livedrive, Orange, SDS, SpiderOak, storegate, Strato HiDrive, SugarSync, Telekom, WEB.de.
  • Perform encryption/decryption of local storage files.
  • Intuitive interface.
  • Availability of a free subscription.
  • Using reliable and time-tested encryption algorithms - RSA and AES.
  • Ability to work offline and subsequently synchronize with cloud storage.
  • Perform encryption/decryption in one click.
  • Perform on-the-fly encryption/decryption.
  • “Automatic encryption” of files when they are placed in an encrypted directory.
  • Ability to securely provide access to a file.
  • Restoring access to encrypted company files using a master key.
  • Availability of an extension for the Chrome browser.
  • Protection against unauthorized access. When starting the service, you are required to enter a password for your Boxcryptor user account. Access to the service can be limited by the operating system user account.
  • Technical support from the manufacturer for users of paid subscription types.

The disadvantages of the service include:

  • Minimum set of functionality in a free subscription.
  • Reduced system performance when using file name encryption (especially in the case of a large number of files).
  • The absence of one of the most common cloud storage providers in Russia - Mail.ru - among the supported cloud storage providers. However, manufacturers offer to contact them if you do not find what you need in the list of supported providers - they will check.
  • The inability to perform certain operations directly in the locally installed version of the service (requires the use of a web interface), for example:
    • Select the Company Package subscription type and activate the 30-day trial period.
    • Add a policy associated with the generated master key.
  • Lack of automatic connection of cloud storages associated with the Boxcryptor user account when it is launched on mobile devices with the same account. That is, on new devices where Boxcryptor is installed, cloud storage service providers should be detected and added automatically, but on mobile devices they have to be added manually.

I have already spoken more than once about the complexity of the situation with business and cloud technologies (and in fact, not only with business, but with any client who stores any confidential information). On the one hand - convenience and savings, which give an advantage over competitors. On the other hand, the “crudeness” of algorithms and mechanisms for protecting information, which, if materialized by even one data leak over several years, can result in such losses, both in a material sense and for reputation, that all savings will go to waste.

However, if you approach the issue comprehensively, the likelihood of the worst-case scenario being realized can be significantly reduced. In the end, saving drowning people is the work of the drowning people themselves. Just encrypting files on the client side adds an additional important barrier of protection - after all, they are not decrypted on the storage server. Another option would be to use more secure services.

Encryption is a more reliable method, but it imposes certain restrictions on working with files. In particular, encrypted files cannot be viewed online, they are more difficult to transfer to other users - in order to view the contents of an encrypted file, you will need at least a password, and in some cases also a decryption program.

Before going into details, I recommend consulting a previously published article () on information security and cloud technologies, from there you will learn, in particular, why it is so dangerous to use the same password twice and how to set up two-step authentication in Dropbox (which will significantly reduce chances of your account being hacked with virtually no effort on your part). And now - in more detail about today's topic.

Create a container in TrueCrypt

TrueCrypt is open-source cryptographic software that creates an encrypted container on your hard drive into which you place files or folders. The container is displayed as a folder or a separate partition and is visible “from the outside” only as a large array of binary data that cannot be accessed without the program and knowledge of the passphrase. With TrueCrypt, you can work with data inside the encrypted archive as if it were a regular folder; encryption and decryption are performed on the fly. In such an archive you can work calmly, without fear that someone else will gain access to important data, and for greater safety (after all, loss of information due to a technical failure is also common) it makes sense to store the archive in your Dropbox folder.

Why Dropbox? There are several reasons. Firstly, Dropbox has no limit on the size of the stored file, which allows you to make the crypto container as large as you like. Secondly, Dropbox can detect changes in the structure of synchronized files and copy only them. In practice, this means that when you make changes to a huge archive, Dropbox will only sync the small part of the data that was modified, and not the entire file, as most other services do.

Create an archive in the cloud using BoxCryptor

If you use a cloud service as storage anyway, then why not create the crypto archive there right away? Apparently this is the thinking of the creators of the popular BoxCryptor application, which, contrary to what the name suggests, works with any cloud service. BoxCryptor creates a crypto archive in the folder of the selected service, in which all the files are stored that you add and change there through the virtual disk created by the program. There are also applications for mobile platforms that let you access the crypto archive from your tablet or phone: for Android (works with crypto archives stored in Dropbox and Google Drive, Skydrive support promised in the near future) and for iOS (works only with archives stored in Dropbox; Google Drive and Skydrive support promised in the near future). The free version of BoxCryptor can only work with one archive and does not encrypt file names; otherwise there are no restrictions. The competing services CloudFogger and SecretSync offer similar functionality.

Use a cloud service with client-side encryption support

Until now, we have only talked about client-side protection measures that you need to take yourself. However, there are also cloud services where this process is automated, in particular SpiderOak and Wuala. The operating principle of their clients is that information is encrypted locally by the client before it is sent to the server; as a result, even the service owners themselves do not know what is stored on their servers, since the key stays in the client software. Installing and configuring the SpiderOak client is slightly more complicated than Dropbox's, but it has unique features, such as password protection of shared files.

Encrypt individual files

If you don't have many files or you only need to send files in encrypted form, then it makes sense to simply pack the necessary files into an encrypted archive. The popular 7zip archiver is perfect for such tasks - just select the “encryption” option when creating an archive and specify the password.

Full disk encryption

Let's consider the opposite situation: you constantly work with a significant volume of confidential information. In this case, it makes sense to use full-disk encryption solutions like FileVault for OS X, BitLocker for Windows, or EncFS for Linux. Such solutions can be used either to create a separate encrypted partition on a hard drive or to encrypt the entire disk. In the latter case, only a small partition containing the system's boot files remains unencrypted, and besides a password, stronger authentication methods, for example a USB key on which the key is stored, can be used to unlock it. Such protection slows the system down and makes file recovery very problematic in the event of a failure, but it provides the greatest data security. Of course, all data stored in cloud services will also be encrypted, since it is uploaded to the cloud already encrypted, although it will then be impossible to access it through the web client.

Over the past few years, so many services have appeared for remote storage and synchronization of user data that it is almost impossible to refuse to use them. However, many are deterred by privacy issues. After all, when we upload files to the cloud, we are transferring them to someone else's computer, which means that someone else besides us may have access to our information.

On the other hand, it is difficult to refuse the numerous conveniences that data storage services give us: having a backup copy of files, the ability to access your documents from any device from anywhere in the world, convenient transfer of files to other people. You can find several ways to solve the security problem of remote file storage. Some of them will be discussed in this review.

Cloudfogger - free encryption for any cloud

Perhaps the easiest way to ensure the security of files stored in the cloud is to encrypt them manually. To do this, you can use password-protected archives or one of the many existing encryption applications. But for those who deal with a large number of documents that are constantly being changed, such methods are not very suitable. Since services for remote file storage relieve us of the need to upload files manually, the encryption process should be automated too. This can be achieved with the specialized Cloudfogger program. It works on Windows and Mac and can also be installed on Android and iOS devices.

The app encrypts data using 256-bit AES (Advanced Encryption Standard) encryption before it is uploaded to the cloud. Files arrive on the servers of Dropbox and other cloud storage services exclusively in encrypted form, so they can only be accessed if Cloudfogger is also installed on the device from which you want to open the file.

Conveniently, encryption does not get in the way of everyday work: the key to access the files is entered only once, when the system boots, after which you can work with them as usual. But if, for example, a laptop is stolen, then at the next start the attacker will no longer be able to find out the contents of the files in the protected folders.

To start working with Cloudfogger, you need to create an account (and for greater security, you can disable the password recovery option, but in this case, forgetting it is strictly not recommended). Then the application itself will try to find folders of popular cloud services Dropbox, SkyDrive, Google Drive and others. But even if Cloudfogger did not cope with this task automatically, you can still manually select the directories whose contents you want to encrypt.

In addition, individual files from any other folders can be protected. The easiest way to do this is through the Explorer context menu, to which Cloudfogger adds its own set of commands.

It is also possible to exclude from encryption individual directories and files from those folders that are protected by Cloudfogger. Such data will be uploaded to cloud services as usual. It is worth keeping in mind that after the synchronized folder is protected by Cloudfogger, it will take some time to re-upload the data from it to the cloud storage.

Another feature of Cloudfogger is sharing encrypted files with other people. If the data contained in cloud storage is protected by an application, standard methods of sending links to it to other people will not work. But if you allow access to files in the Cloudfogger interface, you can safely share them with other people. Files encrypted by Cloudfogger can be transferred on a flash drive or sent by mail.

Technically, file access works like this: each Cloudfogger file (.cfog) contains a unique AES key, which is stored in encrypted form in the file itself. These 256-bit keys are protected with RSA keys that are unique to each user. Decryption happens only if the user accessing the file has the RSA key that matches the one recorded in the .cfog file's header. If several users are allowed access, entries for each of their keys are placed in the file header.
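The header model described above, as an added example that is not Cloudfogger's code (the page does not document the real .cfog layout, so the structure, the field names and the use of RSA-OAEP with the user name as label are assumptions made here): a fresh AES-256-GCM key per file, wrapped once per authorized user, so that sharing a file means adding a header slot rather than re-encrypting the body, while a user without a slot, or with a different private key, cannot open it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// envelope is the stored file (hypothetical layout, the real .cfog format is not on
// the page): per-user wrapped copies of the file key, then the AES-256-GCM nonce and body.
type envelope struct {
	Slots      map[string][]byte // user name -> RSA-OAEP(user's public key, fileKey)
	Nonce      []byte
	Ciphertext []byte // includes the GCM authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newUserKey stands in for a user's long-term RSA key pair.
func newUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// wrapFor grants user access to fileKey. The user name is the OAEP label, so a
// slot cannot be quietly relabelled for someone else. Sharing a file later is
// just unwrapFor by a current holder followed by wrapFor for the new user.
func (env *envelope) wrapFor(user string, pub *rsa.PublicKey, fileKey []byte) error {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte(user))
	if err != nil {
		return err
	}
	env.Slots[user] = wrapped
	return nil
}

// unwrapFor recovers fileKey only if a slot exists for user and priv is the
// key that slot was wrapped for.
func (env *envelope) unwrapFor(user string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.Slots[user]
	if !ok {
		return nil, errors.New("no key slot for " + user)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(user))
	if err != nil {
		return nil, errors.New("private key does not match the slot for " + user)
	}
	return fileKey, nil
}

// encryptFile draws a fresh 256-bit key for this file, seals the body with it
// and wraps the key for the first recipient (further ones are added with wrapFor).
func encryptFile(plaintext []byte, user string, pub *rsa.PublicKey) (*envelope, error) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey) // crypto/rand.Read does not fail on a working system
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	env := &envelope{Slots: map[string][]byte{}, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if err := env.wrapFor(user, pub, fileKey); err != nil {
		return nil, err
	}
	return env, nil
}

// decryptFile is the open path; an altered body or nonce fails the tag check.
func decryptFile(env *envelope, user string, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := env.unwrapFor(user, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := newUserKey()
	bob, _ := newUserKey()
	env, _ := encryptFile([]byte("constructed sample body"), "alice", &alice.PublicKey)
	fileKey, _ := env.unwrapFor("alice", alice) // alice shares the file with bob
	fmt.Println("share:", env.wrapFor("bob", &bob.PublicKey, fileKey))
	body, err := decryptFile(env, "bob", bob)
	fmt.Printf("bob reads %q, err=%v\n", body, err)
}
```

One consequence of this design worth keeping in mind: removing a user's slot does not revoke anything for someone who already saved the old header and body, so real revocation means re-encrypting the file under a new key and re-wrapping it for the remaining users.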

Another specialized solution for ensuring file security on cloud services is Boxcryptor. Originally created as a complement to Dropbox, today this application supports all popular services for remote file storage. However, in the free version, encryption of data stored on only one service is available, and you cannot enable encryption of file names.

Boxcryptor automatically detects the presence of installed clients for popular services for storing files in the cloud (even Yandex.Disk is supported), creates a virtual disk and adds the corresponding folders to it. In the settings you can manage all connected folders: add new ones, temporarily disable encryption, and so on.

The service offers support for all major platforms, both desktop and mobile. There is even an extension for Google Chrome. To work with Boxcryptor, you will need to create an account - forgetting your password is strictly not recommended!

Tresorit - cloud service with increased attention to security

If, for security reasons, you do not yet use any services for remote file storage, you should pay attention to the young project Tresorit, launched about six months ago. The service was created as an alternative to standard solutions for storing files in the cloud and is ready to provide a much higher level of file confidentiality.

Tresorit provides client-side file encryption, so all data is stored on the service's servers in encrypted form. The strong AES-256 algorithm is used for encryption. When creating a user account, you are warned that if you lose your password, it will be impossible to access the data on the remote server. There is no way to recover the password, since it is not stored anywhere: neither in the installed application nor on the service's servers. For users who have lost their password, the Tresorit developers offer only one solution: register again.

You will have to pay for increased security by giving up some of the usual functions. For example, you won’t be able to access your files from someone else’s computer—Tresorit doesn’t have a web interface. So far, the developers have not even promised such a possibility, explaining that JavaScript has many vulnerabilities. However, taking into account the ability to install the Tresorit application on mobile devices, this drawback does not seem so serious - after all, if it is not possible to carry a laptop with you everywhere, then the smartphone is certainly almost always with the user.

Invitations sent by mail are used to exchange files. By setting up sharing, you can assign different roles to people: some can only view files, others can make changes to them and add new files to folders, and others can also invite new users.

MEGA - secure 50 GB in the cloud with synchronization

Until recently, the new brainchild of Kim Dotcom could hardly be considered an alternative to the usual services for remote file storage. The fact is that the only way to upload files to it was to drag them into the browser window, so there was no question of automatic uploading or synchronization.

But with the release of the application for Android, as well as the beta version of the client for Windows, the service now has these two most important capabilities.

We have already written in detail about the service itself and the security principles on the basis of which it was created in the material “Mega-return of Kim Dotcom: 50 GB in the cloud for free”, so we will dwell only on the main points. So, MEGA was created as a response to the closure of Megaupload by the American authorities. The servers on which user data is stored are located in New Zealand. All files are encrypted on the user’s side, that is, before being sent to the service, making it impossible to access them without knowing the password. Unlike Tresorit, MEGA runs in a browser and allows users to view lists of files, delete and move them, but online viewing is not available as they are encrypted. To view the file, you must first download it to disk. A 2048-bit RSA key is used for encryption, and a forgotten password cannot be recovered because it is also the encryption key.

At first, users did not even have the opportunity to change the password entered during registration, but now such an opportunity has appeared. Moreover, if the user is already logged into their MEGA account in the browser, but does not remember the current password, they can change it by entering a new one and then clicking on the confirmation link in the email that is sent to the email address associated with the account.

The MEGASync client allows you to synchronize the contents of any folders on your disk with virtual folders available in your Mega account. Right during the initial setup, you can choose which local folders to back up to which cloud folders.

Later, you can add additional folders in the application settings. The client settings also make it possible to view information about free space (remember, Mega offers as much as 50 GB for free), limit download speed, and use a proxy.

The MEGA client for Android allows you not only to download files stored on the server, but also to automatically upload to the service all photos and video files taken by the device’s camera. All basic operations for working with files are also available in the client: deleting, moving, creating links to files for sharing with other people, searching.

Conclusion

The presence of files on your computer, the contents of which no one else should know about, is not a reason to refuse to use services for remote data storage. You just need to take care of your privacy by installing software to provide additional protection or by choosing one of the services with encryption on the user’s side. Mega looks the most attractive among all the solutions considered. The service offers a very large amount of disk space for free, provides encryption of files before uploading to the server without the use of additional utilities, and also allows you to view a list of files and manage them in the browser and from an Android mobile device.

This is the last article in this section, and in it I will touch on the topic of cloud storage such as Dropbox. There have already been cases of cloud storage being hacked, so you can forget about the security of your data - if, of course, you do nothing about it.

In this article I will show you an interesting piece of software that will protect your files in the cloud. The utility is called BoxCryptor, and it creates a virtual disk that encrypts the necessary data with AES on the fly.

Advantages of the program

  • Ease of use;
  • Availability of a free version, but you can also purchase a paid version;
  • Interaction with almost all cloud storages;
  • Reliability of the program;
  • Work only with individual files, not with containers.

BoxCryptor does its job well: file encryption is instantaneous, as is decryption. Even if your password falls into the hands of ill-wishers, the files will still be unreadable to them.

Before use, you need to figure out which version you are ready to use. If you are not going to pay, then the free version is suitable for you, although its functionality is slightly limited in that you can only work with one virtual disk. In the unlimited version, you can work with multiple drives and folders, and it is possible to encrypt file names. This version costs $40.

Installing and working with BoxCryptor

You can download the utility from the official website: click the "Download Boxcryptor" button there and the program installer will download. You shouldn't have any problems installing the program.

After installation, we are prompted to register. Click the "Create a Boxcryptor profile" link below.

Enter your first name, last name and email address, as well as your password. Click “Next”.

In the next window, a message warns that losing your password has serious consequences: you will not be able to recover the encrypted data. Check the box and click "Next". The registration process will begin.

We are asked to choose a version. I will choose Free, i.e. the free one.

Now you need to log into your account, and we can start working with the program. We will see a welcome window, and then a virtual disk will open; on my machine it is drive X. If no cloud client software is installed on your computer, you will have to install it; otherwise the program will remind you of this. You will also see the BoxCryptor Tutorial window. If you have never worked with such programs, study it.

Now do the following: go to the virtual disk and find the cloud service folder there, in my case Dropbox. I open this folder and encrypt some directory in it. To do this, right-click on it, go to the Boxcryptor section and select "Encrypt".

A window will appear warning you to close all open folders and files; the files inside the folder will then be encrypted. A message will appear indicating that the operation completed successfully. Click OK.

Now the folder will have the suffix "_encrypted". Files you move there will be encrypted immediately. Please note that if you upload files to the cloud not through the virtual disk, they will not be encrypted. You can encrypt not only folders but also individual files.

If you want, you can specify access rights for the encrypted file or folder. To do this, select "Access rights management". Here you can add a trusted user who will be able to use the encrypted data.

When you open an encrypted folder directly from Dropbox, you will see the protected files themselves, which you cannot work with. That is only possible through the virtual disk.

To remove encryption, right-click on the desired file or folder, go to "Boxcryptor" and select "Decrypt".

A warning will appear asking you to click "Yes". Decryption is instantaneous. By the way, if you wish, you can rename encrypted data.

That's all I wanted to tell you about data protection in cloud storage. There are a lot of such programs and it makes no sense to analyze them all; besides, based on this article, you can do it yourself.

Dear community!

But we should start with an overview of the current situation.

There are clouds in which you can store a lot of different information, sometimes for free. It's tempting. Many services are literally competing to offer you as many gigabytes and features as possible. However, you need to understand that free cheese only comes in a mousetrap. The danger is that you hand your files over for storage to a stranger whose intentions towards you are unknown. And the danger of a file, as a piece of information, is that a copy can be made of it and you will never know about it. Files can also be analyzed for various purposes. In general, a lot of things.

Those who hold the view "I have nothing to hide, let them look" may stop reading here and continue to enjoy the recent iCloud photo leaks, removal of unlicensed content from the cloud, and so on. Those who care about the privacy of their personal lives and who, in general, find it unpleasant to be spied on through the keyhole and to have Big Brother's hand in their personal affairs: read on.

You can use the clouds, but you need to do it right. The solution here is data encryption. However, you need to understand that not all encryption is the same. Many services shout that they have the best encryption algorithms, but those same services are modestly silent about the fact that they themselves can access your data at any time. Therefore, the most correct option is to encrypt and decrypt data on YOUR side, so that the cloud always deals only with encrypted content. At the same time, the encryption client and the cloud service should not have the same owner. The ideal case is an open-source encryption client.

So what do we have with this approach:

1. The owner of the cloud never has access to the contents of your files. No way.
2. All nodes in the chain of your traffic do not have access to your data. This is, for example, the owner of a wifi point in a cafe, a provider, the owner of trunk lines, network administrators at your work, etc.

This is cool.

1. You have extra worries about ensuring encryption/decryption, and an extra load on your computer.

Which of these outweighs the other is up to each person. But let's agree that:

1. The cloud is not a corporate tool for you. Although there may be options in the form of distributing the password to colleagues.
2. The cloud is a personal data storage for you.

Current state of affairs

1. At the moment, no service provides the content encryption model described above. That's understandable: it isn't profitable for them.
2. After googling, I was surprised to find that no one is particularly concerned about this problem. Perhaps the same trick is being repeated with clouds as with social networks eleven years ago. When people, without thinking, posted everything about themselves online. Who had what relationship with whom, where he served and worked. A gift to all intelligence agencies and scammers.

Current options for solving the problem of ensuring the security of your own files in the cloud:

1. Encryption provided by the cloud owner. Protects only from other users, but not from the cloud owner.
2. Storing files in the cloud in password-protected archives or encrypted containers (such as TrueCrypt). This is inconvenient to use, because in order to make a small change or just download one file, you need to download/upload the entire container, which is often not fast if it is big.
3. VPN only protects the communication channel, but not the cloud content.
4. BoxCryptor program. It can encrypt files sent/downloaded from the cloud. But its operating mechanism is inconvenient. You should have a synchronized copy of all cloud data on your local computer. In this copy, you work with data, and the program uploads/merges it into the cloud in encrypted form. Synchronizes in general. Inconvenient.

What do we want?

We want to have a flash drive with us, we insert it into any of our (or not our) computers with an Internet connection, and launch a certain program from it. A virtual disk appears in our system, and by logging into it (some using Explorer, some using Total Commander), we will be taken to our account in the cloud. We see our files and do what we need with them. And then we turn everything off and leave. But if we log into our account without launching this magical program, then we (or an attacker, an admin-sniffer, a cloud owner, etc.) will see a bunch of garbage - both in the file names and in their contents.

An alternative is to install this program permanently on all your computers and forget about its existence and the need to run it periodically. This method will work with all types of clouds that support the WebDAV standard and allow you to store simply arbitrary files that meet file system standards.

After googling, I found only two options for solving the encryption problem in roughly the form I need.

1. The WebDAV plugin for Total Commander. It adds a cloud account to Total Commander, which becomes visible as a disk into which you can copy files. However, it does not yet support encryption. My attempts to persuade the author to include encryption in it and make Ghisler the first to solve this problem were unsuccessful.
2. The CarotDAV program, which has already been written about on this site. It can encrypt files and names individually. Everything would be fine, but it has an Explorer-style interface, which is inconvenient.

And now the actual reason why I am writing this long post has arrived.

Actually, the program is easy, everything works as it should. But most importantly, now you can be sure that your files in the cloud belong only to you - while maintaining an easy and convenient way to access them.

I invite everyone who is interested and who needs such a program to join the testing.
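The property the post asks for, that anyone who opens the cloud account without the client sees garbage in the file names as well as in the contents, comes down to how names are encrypted. Below is an added example of one way to do that (not code from CarotDAV, the Total Commander plugin or the program under test; the function names, the sample key and the 255-byte limit are assumptions made here): each name is sealed with AES-256-GCM and base64url-encoded so that the result is a valid WebDAV path component, and the lookup function shows the cost of a randomised scheme, namely that the client has to decrypt the directory listing to find a file by name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// maxNameBytes is the usual per-component limit on file systems and WebDAV servers.
const maxNameBytes = 255

func nameCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptName turns a plaintext file name into an opaque token that is safe as a
// path component: base64url without padding, so no '/', '+', '=' or '.' at all.
func encryptName(key []byte, name string) (string, error) {
	gcm, err := nameCipher(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on a working system
	token := base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(name), nil))
	if len(token) > maxNameBytes {
		return "", errors.New("encrypted name would exceed the file-system limit")
	}
	return token, nil
}

// decryptName reverses encryptName; a foreign key or an edited token fails the tag check.
func decryptName(key []byte, token string) (string, error) {
	gcm, err := nameCipher(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("not an encrypted name")
	}
	name, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(name), nil
}

// findEntry shows the price of the random nonce: the client cannot compute the
// stored token for a wanted name, so it must decrypt the directory listing.
func findEntry(key []byte, listing []string, wanted string) (string, bool) {
	for _, token := range listing {
		if name, err := decryptName(key, token); err == nil && name == wanted {
			return token, true
		}
	}
	return "", false
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	var listing []string
	for _, n := range []string{"tax return 2013.pdf", "notes.txt", "photo.jpg"} {
		tok, _ := encryptName(key, n)
		listing = append(listing, tok)
	}
	fmt.Println("what the cloud sees:\n  " + strings.Join(listing, "\n  "))
	tok, ok := findEntry(key, listing, "notes.txt")
	fmt.Println("notes.txt ->", tok, ok)
}
```

A deterministic name cipher (AES-SIV, for instance, which the Go standard library does not provide) would let the client compute the token directly and would keep equal names equal across directories; that is the trade-off real tools make between lookup speed and leaking name equality. Either way the length limit applies to the ciphertext, not the plaintext, which is why the check is on the token and a long plaintext name is rejected up front.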