Monday, July 5, 2010

Secure Cloud Storage (Sync your encrypted files with Dropbox)


Don't you trust Google with your credit card, passwords and business-sensitive data?
Well ... I don't. I do, however, trust hackers that are working day and night to break into Google accounts, to eventually succeed. A month ago, my friend's Gmail account was broken into. He was in a panic, since much of his important data was at risk.

Cloud services and web apps have added valuable features, such as accessing your data everywhere, collaborating and sharing documents easily, better search and more. I have used Gmail and Google Docs for years and expect them to replace many of my desktop apps in the future. However, it seems to me that most cloud service vendors expect full trust from their users.

I wanted a solution that would allow me to access a few private files everywhere (including behind a firewall), and store them encrypted on the server, so only I (someone who knows the password) can access them. No free service I checked offered to encrypt my files on the server. I'm sure there is one, free, somewhere. They all claimed a "secure transfer" though.

Update (13/05/2011): Since I wrote the original post, I found a solution for encrypted Dropbox called BoxCryptor, which I have yet to try out. Dropbox also published a privacy and security wiki page explaining some of the considerations and referring to tools.

Revision History and Password Security
One thing to note about storing encrypted files in Dropbox-like storage is that the service remembers previous revisions, which may mean that replacing a password doesn't prevent an attacker from restoring an older version of the file and using the old password (which may have been compromised by now). Even if the old password is not known to the attacker, having multiple versions of the ciphertext (the encrypted document) with small differences in the plaintext may help the attacker.
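The first point, as an added example that is not part of the original post: an audit over a constructed revision history that lists which stored versions still open with a retired password. The cipher is a stand-in built from the standard library and is not NppCrypt's file format; `exposed_revisions`, the passwords and the sample contents are hypothetical.

```python
import hashlib, hmac, os

def _keys(password: str, salt: bytes):
    # PBKDF2 stretches the password into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode), not a real tool's cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)   # fresh per saved revision
    ek, mk = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    body = salt + nonce + ct
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def decrypt(password: str, blob: bytes):
    """Return the plaintext, or None if the password does not match (MAC fails)."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    ek, mk = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def exposed_revisions(history, retired_password: str):
    """Indexes of stored revisions that still open with a retired password."""
    return [i for i, blob in enumerate(history)
            if decrypt(retired_password, blob) is not None]

# Constructed revision history, as a sync service with versioning would keep it.
history = [
    encrypt("old-pass", b"pin=0000 (constructed)"),
    encrypt("old-pass", b"pin=0000 bank=example (constructed)"),
    encrypt("new-pass", b"pin=0000 bank=example (constructed)"),  # after the change
]

if __name__ == "__main__":
    print("revisions still readable with the retired password:",
          exposed_revisions(history, "old-pass"))
```

Changing the password only protects revisions saved afterwards; every revision the audit lists has to be removed from the service's history, where the service allows it, or its contents treated as exposed.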

Being a developer, I started thinking about how to detect changes in files (change notifications on Windows), encrypt them and upload them using one of the cloud storage APIs. I even took a look at MS Sync Framework.
Stop! Shame on me! I have taken the oath - some refer to it as the Lazy Manifesto.

Anyway, here is the solution (not a single line of code fired :-) 

1) Install Dropbox - my new file sync service.

2) Download and unzip Notepad++ - I'm a fan of Scite and Notepad++ is based on the same code.
3) Open the Plugins | Plugin Manager dialog, select NppCrypt and Install.
 
4) Make sure that Plugins | NppCrypt | Monitor open/save is checked.
That's it! Your config days are over.

To store an encrypted file in your Dropbox folder, simply save it with the .nppcrypt extension. It will ask you for a password (you can leave the other values at their defaults). Optionally, you can also associate the .nppcrypt extension with Notepad++ in the shell File types. Do the setup on all your machines (I suggest putting Notepad++ itself in Dropbox, so it syncs to all machines).


Notes:
a) If my Dropbox account is hacked, the files may be deleted - encryption doesn't protect against all attacks.
b) If you don't like Dropbox or Notepad++, select an alternative editor with encryption. See http://alternativeto.net/desktop/notepad-plus-plus/ and http://alternativeto.net/desktop/dropbox/
   * With MS Word 2007: Ribbon menu | Prepare | Encrypt Document
c) If you only want to store passwords and the like - consider KeePass. It encrypts the data.
d) Box.net and other services offer a paid version that includes encrypted storage.

Disclaimer:
All information in this article is provided as-is, without any warranty. I cannot be held responsible for any damage or exposure that may occur to your data as a result of implementing this.

In a future post, I will discuss why Google Docs doesn't encrypt your documents by default and how it can be adapted to support encryption on the server. It is not that simple though, since Google operates on the documents on the server - think of search, for example.
