Ask Slashdot: Which Encrypted Cloud Storage Provider?
An anonymous reader writes "Almost three years ago, I started looking for a cloud storage service. Encryption and the "zero-knowledge" concept were not concerns. Frankly, after two weeks testing services, it boiled down to one service I used for almost 2 years. It was perfect — in the technical sense — because it simply works as advertised and is one of the cheapest for 500GB. But this year, I decided changing that service for another one, that would encrypt my files before leaving my machine. Some of these services call themselves 'zero-knowledge' services, because (as they claim) clear text does not leave your host: they only receive encrypted data — keys or passwords are not sent. I did all testing I could, with the free bit of their services, and then, chose one of them. After a while, when the load got higher (more files, more folders, more GB...), my horror story began. I started experiencing sync problems of all sorts. In fact, I have paid for and tested another service and both had the same issues with sync. Worse, one of them could not even handle restoring files correctly. I had to restore from my local backup more than once and I ended up losing files for real.
In your experience, which service (or services) are really able to handle more than a hundred files, in sync within 5+ hosts, without messing up (deleting, renaming, duplicating) files and folders?"
Build a couple Backblaze boxes and work out a deal with some KC residents. That gets you 180TB offsite stuff with whatever sw leverage you want to lay on top of that.
Help stamp out iliturcy.
I'm not sure if it is "zero-knowledge" or just "little-knowledge" (file meta-data might be transmitted. I honestly don't know), but I've had very good luck with Copy, which was created by Barracuda (the company that's always advertising in airports, for some reason). Check them out: https://www1.copy.com/home/
Bittorrent sync + local encryption. Leave a box, or several boxes, running in some datacentres somewhere without the encryption key and you have failover backups (and increased bandwidth).
Write yourself a simple set of scripts that use rdiff-backup or rsnapshot to perform differential/incremental backups to an internal host, make a secondary mirror encrypted at a file level with GPG/PGP, and use rsync to sync the encrypted mirror to several offsite hosts. Done. If this level of security matters to you, do it yourself.
Write failed: Broken pipe
http://mega.co.nz
For the money you're paying a service, why not just hook up an inexpensive machine for a server, put a TB or two in it, and use BitTorrent Sync?
It's pretty secure, you can share files with others, it's available for all major OSes (including iOS and Android), you don't have to mess with any 3rd parties seeing your data... what more do you want?
I've not tried this, but always meant to. Sparkleshare is an attempt to make an open source Dropbox - and a couple of years after I first bookmarked it it's still going strong.
You can get a cheap dedicated server for under £10 a month and roll your own based on this?
Also has client-side encryption
https://github.com/hbons/SparkleShare/wiki/Client-Side-Encryption
Use EncFS or, if that's too tedious for you (it's not that polished on Windows), BoxCryptor.
Advantages: (i) you can use any cloud storage provider you want and (ii) EncFS is open source, so you have some means of verifying that there's strong encryption on your end without backdoors.
After all of this NSA business, why would you ask which storage provider keeps you safe when clearly none of them do.
If you want your data encrypted, why would you not do it yourself, then you don't need to pay for an encrypted storage provider because you can upload your encrypted data to any storage provider. Paying extra for something you're not guaranteed to get is not very intelligent.
This article brought to you by an anonymous reader / encrypted storage provider.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Considering the sorry state of basic cloud sync services, I would not be surprised if the advanced versions are even worse. The only service I can actually recommend is Dropbox - it is expensive, but it works, and even so it eats a lot of CPU time and hard disk activity at boot up.
The alternatives are worse to terrible. Google Drive claims that files are in sync when they aren't. It also seems to fight with files open in MS Office. It creates conflicts for no reason. It just plain fails to deliver, even if you neglect the absence of a Linux client. Box is much worse in my experience, although it has a nice and clean design. Skydrive is interesting, but I repeatedly ran into installation issues with it - funny given that it is MS software, or maybe to be expected.
Obviously encryption makes things a lot more difficult, especially the handling of temporary files and the merging of conflicts. So it should not be a surprise that it does not quite work yet.
You stated you need it for backup, so use a backup service. They have the benefit of alerting you when backups occur and do not occur, can sync as little as every 15 minutes, provide up to 7 years of snapshots.
With block level synchronisation, it encrypts the data before leaving the server and I believe it is PCI compliant.
Your problem isn't the storage, it's whatever you are doing locally that is the issue. I've got tens of thousands of files backed up with no issues, across several devices.
You didn't mention your OS. I'll assume you are running Linux because if you are running Windows/MacOS you are missing a fundamental weakness already.
On Linux, use EncFS which also has a nice GUI manager via GEncfsM for those that prefer it.
Using EncFS means you don't have to upload entire files when you edit them, only the changes are synced. This is efficient, open-source, and works perfectly.
Once EncFS is working, pick any cloud storage you want and sync the encrypted folder(s). I do it with Dropbox + symlinks and it is flawless, no issues for years now.
The NSA.
tarsnap.com. Not very user-friendly, but it does what it says on the tin.
Linux/encfs/samba and then back up with your old provider.
127.0.0.1 or 10.6.6.6 or 192.168.69.42. Those are my encrypted cloud service providers. Public address varies so I ping my web server for a redirect; you could use dynamic DNS. Since we're using pre-shared-key encryption no MITM can insert themselves -- data is encrypted before the session is even initiated -- no need to worry about SSL PKI shenanigans.
I had to restore from my local backup more than once and I ended up losing files for real.
So sue them! What do you mean you didn't read the terms of service which clearly (if you're a crooked business lawyer) state you cannot sue for anything...
The only solution you can trust is DIY. That way you know what is happening.
As far as encryption is concerned, you cannot trust anyone but yourself. So you can ignore anything your cloud provider says about encryption and focus on speed, reliability and cost.
You should make sure that your cloud provider only ever receives encrypted data from you, and if he decides to encrypt again, good for him, and if he decides to let the NSA listen in, well, it doesn't matter, your data was encrypted anyway.
"I decided changing that service"
Did you. Did you really. Idiot.
"I decided TO CHANGE that service."
Only solution. If you want a job done properly, then you best carry it out yourself. Buy a relatively cheap server, equip it with whatever you need to get a backup to it working, and have that server hosted. You'll pay for the hosting and the bandwidth (in many cases, the latter is included in the former). All cards are in your own hands. It takes some work, but except for man-in-the-middle attacks - which are always possible, BTW, and in any scenario - you are safe.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Thank you for share.! nau an
If you don't control the software itself, you can't be sure that there aren't backdoors. Even if there aren't backdoors when you start, they can always get introduced later.
If you're really concerned about this, put a server somewhere and use encrypted rsync or something similar. Even then, be aware that backdoors can still be pushed onto your machine with a software update.
https://leastauthority.com/
They are built by the guy who manages the Tahoe LAFS project, which is a distributed encrypted datastore. Encryption happens on your side, there's nothing they can do to read your data.
Pick a serious commercial actor if you care about your files. I've used CrashPlan for many years, since it's cheap, fast and encrypts strongly.
I think a cloud backup is a must these days...
Check out Crashplan; they're the company that I've decided to go with. I pay for only one host to be backed up. I then use their utility to back up all other hosts to one server. I even use their utility to back up my parents and several friends to my NAS at home. Then I use their tools to back up that server to their cloud. You get to define your own encryption key if you wish and at that point in time they become a zero knowledge service. A really quick search on the topic provides this list of services that support private encryption keys:
SpiderOak
CrashPlan
Mozy
Backblaze
Carbonite
IDrive
AltDrive
Bitcasa
Hope this helps.
As plenty of others have mentioned, you don't need or even want an "encrypted cloud provider". You cannot trust that.
Instead, use ecryptfs locally, and use rsync to copy the encrypted files to the provider. That's under your control, uses only software you can examine and build from source yourself if you want, and it works with any provider.
Using some proprietary, fragile, single-vendor solution is not a wise decision.
I use BoxCryptor which you can use with existing cloud storage providers such as dropbox.
It gives you a drive letter / mount point, any file you save there is transparently encrypted before being placed onto for example dropbox. You have a 1:1 relation between the plain file and the encrypted file so you can still use things like deleted file recovery.
Try filecloud.io they are an Irish company with servers in Amsterdam
free accounts come with up to 1000GB free storage (reduced redundancy sort of like amazon) and more if you pay 6.99$ / month (29.99/6 months) that comes with raided storage
you can encrypt files yourself before uploading whichever method you want
they have previously gone to courts and got advice from the Irish Data Protection commissioner that if any 3rd party wants your data they have to get an Irish court order.
I use Truecrypt's encrypted drive containers in my local Dropbox folder. The file sync'd to Dropbox is encrypted when the sync occurs, so that is all they ever see. Dropbox does a binary diff of the file and only uploads the differences, which makes syncing large encrypted files feasible.
I've seen some chatter that Truecrypt may have been compromised - Bruce Schneier and Snowden use it so I'll trust in their judgement.
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
syncdocs.com - encrypts Google Drive stuff before uploading. Simple to use and secure, and Google gives away 15GB of free space anyway.
use https://owndrive.com since I'm concerned about privacy and security. They are a relatively new cloud storage provider, but they use strong AES server side encryption. Their web interface is the most user friendly one I've seen. And it's based on open API so I'd recommend OwnDrive.
--
Stian Sand
Unless you do your crypto on your own machine, and your machine is not compromised, any such service is insecure. As soon as your cloud storage provider has your crypto keys, you need to assume your encryption is compromised. There are several ways to implement it:
1. Use GPG and encrypt each file before storing it on-line.
2. Pay for a normal Linux hosting server with ample storage. Export the raw block device using NBD (network block device). Encrypt it on your device using dm-crypt or luks and mount it. This encrypts the entire disk.
3. Use some kind of cloud storage, but do encryption in javascript on the browser, in your machine, without sending encryption keys anywhere. Look at http://openpgpjs.org/ I don't know any cloud services that would allow doing that.
--Coder
Why in the world would anyone want to store his valuable files on someone else's computer? Makes no sense.
Fata viam invenient.
If you have a provider that you're happy with, then continue using it and just encrypt the data locally.
I've found Seafile to be quite good and reliable. It's a multiplatform, free software, self-hosted Dropbox alternative that provides file syncing, sharing, a web interface, and tools for team work. Libraries can be encrypted server-side.
I have been using it for several months now and it is both fast and reliable (much more than the owncloud versions I tested previously). It handles my whole pictures collection (about 90GB) very easily. You can install your own Seafile server (there's even a raspberry pi version), or buy storage space from them. Clients are multiplatform (Windows, Mac, Linux, Android, iPhone/iPad).
Artists do it all the time using this service to back up all their important files.
Tresorit is cross platform and works pretty well. Don't know about pricing though. Maybe look into it?
Had the exact same problem with our accounting dept. who refused to back up locally. Tried 3-4 different companies and finally settled on Altus from Cybrix Group. Funny enough, it IS built on Backblaze Storage pods and uses Duplicati (open source) for backups but you can bring whatever flavor of client you want as long as it backs up over SSH.
...to think about this HARD and give us some solutions. An insecure solution seems to work just as well as a secure one, and I'm a geek generalist... and I know what I don't know. Hopefully the big guns have already been thinking about exactly this problem for a while. We know there's no such thing as perfect security... but it would be nice to have something good, and some best-practice guides so we know how to avoid compromising ourselves too obviously.
Have you tried this?
http://blog.genie9.com/index.php/tag/amazon-s3/
Cheap to check-in, expensive to check out, not super fast, but you get what you pay for.
Mostly you're down to creating a secure cloud on your own (disclaimer: I'm involved with the archistar project). This might be renting a couple of cheap ec2 instances or distributing some raspberry pi's at different locations.
Good thing is that it's actually not that complex. There's for example secret-sharing: you distribute data to i.e. 4 servers, and define that you'll need at least data from 3 servers to recover the original data. This allows you to live with one storage server gone rogue. Sounds complicated but the math behind it is real simple. I hope that I'll be allowed to publish a simple Java library next week (management needs some convincing towards GPL).
Synchronizing access and operations between servers is tough. This is BFT (byzantine fault tolerance) country -- I am working on a BFT implementation that focuses on simplicity but this will take a couple of months. The archistar github project should include a 'real' (tm) working prototype sometime in the next half year, but I really focus on keeping most of the knowledge within small libraries so people can actually create their own secure cloud software.
cheers, A.
(also: end of shameless plug)
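The 3-of-4 secret sharing described in the comment above, as an added Python example (not the archistar project's code). It uses Shamir's scheme over a prime field as one possible construction; the field size, the guard byte, the function names and the owner-held SHA-256 digest used to survive a modified share are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

PRIME = 2**521 - 1  # Mersenne prime; all share arithmetic is done mod PRIME


def split(secret: bytes, k: int = 3, n: int = 4):
    """Return n shares (x, y); any k of them reconstruct `secret`."""
    if len(secret) > 64:
        raise ValueError("secret must be at most 64 bytes for this field")
    # A leading 0x01 guard byte preserves leading zero bytes of the secret.
    value = int.from_bytes(b"\x01" + secret, "big")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # one point per storage server
        y = 0
        for c in reversed(coeffs):     # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares):
    """Lagrange interpolation of the shared polynomial at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover(shares) -> bytes:
    """Rebuild the secret from k shares; raise if the guard byte is absent."""
    raw = interpolate_at_zero(shares).to_bytes(66, "big").lstrip(b"\x00")
    if raw[:1] != b"\x01":
        raise ValueError("reconstructed value is not a valid secret")
    return raw[1:]


def consistent(shares, k: int = 3) -> bool:
    """True if every k-subset of the shares yields the same value."""
    return len({interpolate_at_zero(c) for c in combinations(shares, k)}) == 1


def recover_verified(shares, digest: bytes, k: int = 3) -> bytes:
    """Try each k-subset until one matches the SHA-256 kept by the owner."""
    for subset in combinations(shares, k):
        try:
            candidate = recover(subset)
        except ValueError:
            continue
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), digest):
            return candidate
    raise ValueError("no k-subset reconstructs the expected secret")


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # constructed sample: a file-encryption key
    shares = split(key)                # one share per server
    x, y = shares[1]
    shares[1] = (x, (y + 1) % PRIME)   # server 2 returns a modified share
    print("consistent:", consistent(shares))
    print("recovered:", recover_verified(shares, hashlib.sha256(key).digest()) == key)
```

With four shares and a threshold of three, `consistent` detects that some share was altered; picking out the good subset needs the extra digest or more shares.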
Does exactly what OP is looking for.
NONE, you stupid fuck.
Or really, anything that supports sync + encfs. I've got XX GB and XXXX files, and since it's mostly backup or changes to small files, the sync program doesn't have to be very smart.
Tarsnap is run by the former Security Officer of FreeBSD: http://www.tarsnap.com/design.html
There's also Crashplan, which says it encrypts everything before it leaves your machine. Tarsnap provides source code so you can verify their claim though. It should be noted that with Crashplan you don't have to use their servers: you can do peer-to-peer back up with another one of your machines (or even a friend's).
SpiderOak is quite decent. It's not the fastest at syncing, but their compression and deduplication works very well.
They claim zero-knowledge, have clients for Mac OSX, Linux, Windows, iOS and Android. You get 2 GB for free, give it a shot!
Trolling is a art,
I don't use encrypted cloud storage. Instead, for secure backup, I use USB hard drives that I leave disconnected from the computer except during backup operations. This method places a priority on security (no hacker or virus can get to a drive that's disconnected), but it leaves me open to physical theft or destruction. I don't worry much about the former, but for the latter, I keep a copy at a relative's house.
Of course, this method doesn't solve the sync problem. I don't personally have much need to sync data across devices (except for program code, which is easily synced across computers via Git), but for those of you who do, I recommend you use it only for data that doesn't really need to be secure, such as personal photos. Then, you can use any cloud service that syncs well, without regard to encryption.
I've been using the free service from Wuala for a couple months. I'm not sure exactly how many files I have, but well over 100, but only about 600 MB total. I've had one issue where it reported a problem with not being able to sync a file. It recovered in about one minute without any intervention from me. 500 GB is $55/month. Servers are homed in Switzerland, Germany, and France.
If you want an encrypted cloud storage service, use any of them but encrypt things before you upload. That is the only way to ensure Zero Knowledge and that it's encrypted effectively. Test the hell out of things afterwards to ensure they're not corrupting your files/data.
I use dropbox and my private folder is encrypted using truecrypt. It works and I've never had a problem with the file being corrupted or sync problems but then I'm only using 2GB of storage. Most of my files are now on 32+GB flash drives and they're encrypted from the beginning.
Mod me up/Mod me down: I wont frown as I've no crown
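One way to do the post-sync testing suggested in the comment above, as an added Python example that is not part of the original thread: hash the decrypted tree on the source host and on a replica, then classify the differences into the failure modes the question lists (deleted, renamed, duplicated, plus modified). The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def compare(source, replica):
    """Classify differences between a source manifest and a synced replica."""
    src_by_hash, rep_by_hash = defaultdict(list), defaultdict(list)
    for path in sorted(source):
        src_by_hash[source[path]].append(path)
    for path in sorted(replica):
        rep_by_hash[replica[path]].append(path)
    report = {k: [] for k in
              ("missing", "modified", "renamed", "duplicated", "extra")}
    claimed = set()  # replica paths already explained as a rename target
    for path in sorted(source):
        digest = source[path]
        if path in replica:
            if replica[path] != digest:
                report["modified"].append(path)
            continue
        # Same content under a path the source never had: treat as a rename.
        moved = [q for q in rep_by_hash[digest]
                 if q not in source and q not in claimed]
        if moved:
            claimed.add(moved[0])
            report["renamed"].append((path, moved[0]))
        else:
            report["missing"].append(path)
    for path in sorted(replica):
        if path in source or path in claimed:
            continue
        digest = replica[path]
        if digest in src_by_hash:      # copy of content the source still has
            report["duplicated"].append((path, src_by_hash[digest][0]))
        else:
            report["extra"].append(path)
    return report


def write_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed sample: a source tree and a replica damaged by a bad sync."""
    source = {"a.txt": b"alpha", "docs/b.txt": b"bravo", "c.txt": b"charlie",
              "d.txt": b"delta", "e.txt": b"echo"}
    replica = {"a.txt": b"alpha", "docs/b.txt": b"bravo",
               "docs/b (conflict).txt": b"bravo", "c (1).txt": b"charlie",
               "d.txt": b"del"}
    with tempfile.TemporaryDirectory() as src, \
            tempfile.TemporaryDirectory() as rep:
        write_tree(src, source)
        write_tree(rep, replica)
        return compare(build_manifest(src), build_manifest(rep))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Run `build_manifest` on the plaintext side of the encryption layer on each host, so the comparison covers both the sync and the decrypt step.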
Give a check to Tahoe-lafs, that could be what you are looking for.
From their page
What we mean by "security" is something different. The service provider never has the ability to read or modify your data in the first place: never. If you use Tahoe-LAFS, then all of the threats described above are non-issues to you. Not only is it easy and inexpensive for the service provider to maintain the security of your data, but in fact they couldn't violate its security if they tried. This is what we call provider-independent security.
For all values of ___, never pay for an encrypted ___ service. Whether it's mass storage, email, or whatever. All service providers who offer this kind of stuff, are snake oil sellers. What happened to Lavabit this year wasn't news; we already knew about CALEA and have known for twenty years.
Twenty years in the tech world is a long time and ought to have conditioned your thinking by now. Even well-meaning, loyal professional allies can be subverted. The popular example case is government pointing guns (a.k.a. "court orders") at people's heads, saying to share the secret and keep it a secret that it's being shared. But really, once you even allow for that to be a possibility, all sorts of other things are possible. Replace the gun with a software bug exploit, replace the government with some random script kiddie with pretty much any agenda that you can think of. Anything goes.
Crypto is something that is performed by your machine, always done by software that you can understand (i.e. not proprietary). You never think about additional crypto that somebody else may or may not be doing, or by software not under your control. That's why you use a storage service that doesn't advertise crypto, you use a plain IMAP provider (if for some weird reason you're not handling that yourself), etc. Any service that tries to lure you with "security" is probably lying, unless by "security" they mean certain areas that intersect with reliability, such as DoS resistance.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
it is not a good idea to store on any cloud company's server. the NSA can compel any company in the US to give up the decryption key for pretty much anything. if you want to store your stuff on the internet, either make your own server and store on it, or find a company based in a country that does not listen to the NSA or any other spying conglomerate
another idea would be to encrypt it yourself BEFORE putting it on a cloud storage server. this way even if the NSA compels them to give up data... they can't get access to it without YOUR key.
No one has mentioned it probably because it's in semi public beta, but senderdefender.com does pure html5 client side encryption for transfer, and the guy is building a full clientless alternative for storage.
How about Space Monkey? Zero-knowledge, locally encrypted, backed up to a "cloud" composed of other Space Monkey devices instead of in expensive, NSA-vulnerable datacenters.
I've been using CrashPlan [http://crashplan.com] for some time now. Very reasonable price for unlimited data in their cloud, client side 448bit encryption, backup to friend machines, mobile device clients, ... I have had to restore a few times and it went fine.
https://www.jungledisk.com/
I suppose it all depends on one's level of paranoia and which risks you fear most. Having all the data securely encrypted but in private homes means a couple of natural disasters and the data is gone.
One can layer encryption on top of theirs (as folks propose above with Dropbox) for an extra level of complexity.
Posting anonymously since I have an interest in this company. A company called Intermedia released a product a few months ago called "SecuriSync". A brief review is here. The product uses end to end encryption and allows varying levels of control as that article will mention. I use it regularly, as do most of the people I work with. We share data with our overseas offices using this method because of the Encryption. Box has some of the same functionality, but not all of it.
As commercial products go, this one is very well done. No learning curve for users, low learning curve for administration. *snark* Hell, even our Windows admins have no issues managing and using the product.
There is an obvious (or should be obvious) problem with _any_ commercial product though. It seems that if you get to a certain size Government agencies may step in and make a company do things. See Lavabit dropping their encrypted email for an example of exerted pressure on companies that want to do well. For now, this product is fine and secure. If it grows, I can't say that the company will not have to give in to pressure or face cancelling the product. I hope it does not get to that point, but we see what happened to others that failed to give in (again see Lavabit).
Best to just say NO! to "cloud storage". It's just renting space on someone else's server. Too many technical problems and security issues.
‘Encrypted Storage Provider’. What fantasy land are you from? The NSA has forced every single online provider to hand over encryption keys. A few have refused (look up Lavabit) and have shut down / walked away from their businesses. Meaning there is no more encryption. Everything is copied, tracked, evaluated, and reviewed. Everything. The US government has effectively killed the notion of corporate AND personal ‘cloud’ storage for anyone concerned about security.
I've selected bittorrent sync for myself. Seems to be more reliable than other "no-server" alternatives such as aerofs.
First demand would be that the company lies outside of the US and has no US representation the US can target. Currently I know only of Mega to fulfill those requirements. Added bonus is that Kim Dotcom, the owner, is now seriously pissed at the US government so he won't cooperate with them.
If you want truly secure backups, then you need to control both ends of the backup, as well as everything in between. If there's one thing Edward Snowden has shown us, it's that someone is watching *everything* online...and encrypted data is just begging to be examined, stored & hacked.
-merlyn
been using spideroak. your keys stay with you. they store encrypted data for you. as safe as can get on the internet (which in the end is not so safe no matter what)
Tahoe-LAFS (https://tahoe-lafs.org/trac/tahoe-lafs) may be exactly what you're looking for. Redundancy, privacy, AND it's DIY. Grab a few VPS's (and perhaps an actual box you control or two), and have your own encrypted, private cloud.
With how cheap VPS's are getting, this may very well be your best option.
Failing that, use Truecrypt inside a Dropbox or and go nuts.
Get BitTorrent Sync from http://labs.bittorrent.com/experiments/sync.html and set up your own server, either locally or "in the cloud" (which you control). There are clients for all major platforms, including Android, and it works well. Traffic is encrypted and storage is only on computers you control yourself.
There is one drawback, though: It's not open source so you have to trust BitTorrent Inc.
Mega.co.nz
Don't lose your PW. Make it sufficiently complex, it is part of your key.
Use Copy + TrueCrypt or Copy + GnuPG. If you haven't heard about copy, it is basically a dropbox service that is giving away 15GB free (20 GB if you use a referral link like this one https://copy.com?r=FJ0ixF )
No matter what you think of the Cloud, you have resilient cloud like Amazon that goes away sometimes, or you can have cloud like Everpix, that refused to give me my pix after they went to price model and told me “screw you” and is about to go away forever.
Nothing is permanent. Eventually some natural disaster is going to make a huge chunk of data go away for services that are not geographically redundant.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
Safenet-inc, see ProtectV