Slashdot Mirror
Ask Slashdot: Which Encrypted Cloud Storage Provider?
An anonymous reader writes "Almost three years ago, I started looking for a cloud storage service. Encryption and the "zero-knowledge" concept were not concerns. Frankly, after two weeks testing services, it boiled down to one service I used for almost 2 years. It was perfect — in the technical sense — because it simply works as advertised and is one of the cheapest for 500GB. But this year, I decided changing that service for another one, that would encrypt my files before leaving my machine. Some of these services call themselves 'zero-knowledge' services, because (as they claim) clear text does not leave your host: they only receive encrypted data — keys or passwords are not sent. I did all testing I could, with the free bit of their services, and then, chose one of them. After a while, when the load got higher (more files, more folders, more GB...), my horror story began. I started experiencing sync problems of all sorts. In fact, I have paid for and tested another service and both had the same issues with sync. Worse, one of them could not even handle restoring files correctly. I had to restore from my local backup more than once and I ended up losing files for real.
In your experience, which service (or services) are really able to handle more than a hundred files, in sync within 5+ hosts, without messing up (deleting, renaming, duplicating) files and folders?"
Build a couple Backblaze boxes and work out a deal with some KC residents. That gets you 180TB offsite stuff with whatever sw leverage you want to lay on top of that.
Help stamp out iliturcy.
I'm not sure if it is "zero-knowledge" or just "little-knowledge" (file meta-data might be transmitted. I honestly don't know), but I've had very good luck with Copy, which was created by Barracuda (the company that's always advertising in airports, for some reason). Check them out: https://www1.copy.com/home/
Bittorrent sync + local encryption. Leave a box, or several boxes, running in some datacentres somewhere without the encryption key and you have failover backups (and increased bandwidth).
Write yourself a simple set of scripts that use rdiff-backup or rsnapshot to perform differential/incremental backups to an internal host, make a secondary mirror encrypted at a file level with GPG/PGP, and use rsync to sync the encrypted mirror to several offsite hosts. Done. If this level of security matters to you, do it yourself.
Write failed: Broken pipe
Http://mega.co.nz
For the money you're paying a service, why not just hoop up an inexpensive machine for a server, put a TB or two in it, and use BitTorrent Sync?
It's pretty secure, you can share files with others, it's available for all major OSes (including iOS and Android), you don't have to mess with any 3rd parties seeing your data... what more do you want?
I've not tried this, but always meant to. Sparkleshare is an attempt to make an open source Dropbox - and a couple of years after I first bookmarked it it's still going strong.
You can get a cheap dedicated server for under £10 a month and roll your own based on this?
Also has client-side encryption
https://github.com/hbons/SparkleShare/wiki/Client-Side-Encryption
Use EncFS or, if that's too tedious for you (it's not that polished on Windows), BoxCryptor.
Advantages: (i) you can use any cloud storage provider you want and (ii) EncFS is open source, so you have some means of verifying that there's strong encryption on your end without backdoors.
After all of this NSA business, why would you ask which storage provider keeps you safe when clearly none of them do.
If you want your data encrypted, why would you not do it yourself, then you don't need to pay for an encrypted storage provider because you can upload your encrypted data to any storage provider. Paying extra for something you're not guaranteed to get is not very intelligent.
This article brought to you by an anonymous reader / encrypted storage provider.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Considering the sorry state of basic cloud sync services, I would not be surprised if the advanced versions are even worse. The only service I can actually recommend is Dropbox - it is expensive, but it works, and even so it eats a lot of CPU time and hard disk activity at boot up.
The alternatives are worse to terrible. Google Drive claims that files are in sync when they aren't. It also seems to fight with files open in MS Office. It creates conflicts for no reason. It just plain fails to deliver, even if you neglect the absence of a Linux client. Box is much worse in my experience, although it has a nice and clean design. Skydrive is interesting, but I repeatedly ran into installation issues with it - funny given that it is MS software, or maybe to be expected.
Obviously encryption makes things a lot more difficult, especially the handling of temporary files and the merging of conflicts. So it should not be a surprise that it does not quite work yet.
Your problem isn't the storage, it's whatever you are doing locally that is the issue. I've got tens of thousands of files backed up with no issues, across several devices.
You didn't mention your OS. I'll assume you are running Linux because if you are running WIndows/MacOS you are missing a fundamental weakness already.
On Linux, use EncFS which also has a nice GUI manager via GEncfsM for those that prefer it.
Using EncFS means you don't have to upload entire files when you edit them, only the changes are synced. This is efficient, open-source, and works perfectly.
Once EncFS is working, pick any cloud storage you want and sync the encrypted folder(s). I do it with Dropbox + symlinks and it is flawless, no issues for years now.
tarsnap.com. Not very user-friendly, but it does what it says on the tin.
127.0.0.1 or 10.6.6.6 or 192.168.69.42. Those are my encrypted cloud service providers. Public address varies so I ping my web server for a redirect; You could use dynamic DNS. Since we're using pre-shared-key encryption no MITM can insert themselves -- data is encrypted before the session is even initiated -- No need to worry about SSL PKI shenanigans.
Do it yourself means that you manage risk and cost. Handing it over to an outside contractor means, inevitably, eventually, with all companies, some douche nozzle accountant executive with limited tech knowledge in the pursuit personal bonuses and claiming great savings and extra profit with the typical B$ spreadsheet. Will take a series of cost savings short cuts that allow risk of data loss to become a certainty of data loss. They lose customers, the customers go elsewhere but unfortunately so do those douche nozzle executives and the problem relocates. It the cycle of greed, build trust, sell that trust for extra profit, fail and back too build trust (there ain't no profit, just bonuses for no nothing douche nozzle executives, you know, psychopaths in suits). It is always just a matter of time, to greed driven contractor failure.
Chaos - everything, everywhere, everywhen
As far as encryption is concerned, you cannot trust anyone but yourself. So you can ignore anything your cloud provider says about encryption and focus on speed, reliability and cost.
You should make sure that your cloud provider only ever receives encrypted data from you, and if he decides to encrypt again, good for him, and if he decides to let the NSA listen in, well, it doesn't matter, your data was encrypted anyway.
Only solution. If you want a job done properly, then you best carry it out yourself. Buy a relatively cheap server, equip it with whatever you need to get a backup to it working, and have that server hosted. You'll pay for the hosting and the bandwidth ( in many cases, the latter is included in the former ). All cards are in your own hands. It takes some work, but except for man-in-the-middle attacks - which are always possible, BTW, and in any scenario - you are safe.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
If you don't control the software itself, you can't be sure that there aren't backdoors. Even if there aren't backdoors when you start, they can always get introduced later.
If you're really concerned about this, put a server somewhere and use encrypted rsync or something similar. Even then, be aware that backdoors can still be pushed onto your machine with a software update.
I use BoxCryptor which you can use with existing cloud storage providers such as dropbox.
It gives you a driver letter / mount point, any file you save there is transparently encrypted before being placed onto for example dropbox. You have a 1:1 relation between the plain file and the encrypted file so you can still use things like deleted file recvoery.
Try filecloud.io they are an Irish company with servers in Amsterdam
free accounts come with up to 1000GB free storage (reduced redundancy sort of like amazon) and more if you pay 6.99$ / month (29.99/6 months) that comes with raided storage
you can encrypt files yourself before uploading whichever method you want
they have previously went to courts and got advice from Irish Data Protection commissioner that if any 3rd party wants your data they have to get an Irish court order.
I use Truecrypt's encrypted drive containers in my local Dropbox folder. The file sync'd to Dropbox is encrypted when the sync occurs, so that is all they ever see. Because Dropbox does a binary diff of the file and only uploads the differences which makes syncing large encrypted files feasible.
I've seen some chatter that Truecrypt may have been compromised - Bruce Schneier and Snowden use it so I'll trust in their judgement.
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
Why in the world would anyone want to store his valuable files on someone else's computer? Makes no sense.
Fata viam invenient.
I've found Seafile to be quite good and reliable. It's a multiplatform, free software, self-hosted Dropbox alternative that provides file syncing, sharing, a web interface, and tools for team work. Libraries can be encrypted server-side.
I use it for several months now and it is both fast and reliable (much more than the owncloud versions I tested previously). It handles my whole pictures collection (about 90GB) very easily. You can install your own Seafile server (there's even a raspberry pi version), or buy storage space from them. Clients are multiplatform (Windows, Mac, Linux, Android, iPhone/iPad).
Tresorit is cross platform and work a pretty well. Don't know about pricing though. Maybe look into it?
...to think about this HARD and give us some solutions. An insecure solution seems to work just as well as a secure one, and I'm a geek generalist... and I know what I don't know. Hopefully the big guns have already been thinking about exactly this problem for a while. We know there's no such thing as perfect security... but it would be nice to have something good, and some best-practice guides so we know how to avoid compromising ourselves too obviously.
Have you tried this?
http://blog.genie9.com/index.php/tag/amazon-s3/
Cheap to check-in, expensive to check out, not super fast, but you get what you pay for.
SpiderOak is quite decent. It's not the fastest at syncing, but their compression and deduplication works very well.
They claim zero-knowledge, have clients for Mac OSX, Linux, Windows, iOS and Android. You get 2 GB for free, give it a shot!
Trolling is a art,
I don't use encrypted cloud storage. Instead, for secure backup, I use USB hard drives that I leave disconnected from the computer except during backup operations. This method places a priority on security (no hacker or virus can get to a drive that's disconnected), but it leaves me open to physical theft or destruction. I don't worry much about the former, but for the latter, I keep a copy at a relative's house.
Of course, this method doesn't solve the sync problem. I don't personally have a much need to sync data across devices (except for program code, which is easily synced across computers via Git), but for those of you who do, I recommend you use it only for data that doesn't really need to be secure, such as personal photos. Then, you can use any cloud service that syncs well, without regard to encryption.
Sorry, forgot to add: I also checked similar services some time ago and after much playing around decided on SpiderOak. I pay for 200 GB with them and am quite happy.
Trolling is a art,
I've been using the free service from Wuala for a couple months. I'm not sure exactly how many files I have, but well over 100, but only about 600 MB total. I've had one issue where it reported a problem with not being able to sync a file. It recovered in about one minute without any intervention from me. 500 GB is $55/month. Servers are homed in Switzerland, Germany, and France.
Borrow this tin foil hat for a second:
But only if you trust both your operating system and the binary executable they send you to interface with their system.
Really, there is no truly secure method unless you are a crypto expert and roll your own - from the components in the machine to the bios to to the OS (though you could audit anything which is OS).
Of course the problem there is that you're relying on yourself, or your encryption and end-to-end computer knowledge, to be better than several billion dollars of cracking resources which could be levied against your one man system. And those are not very good odds.
FWIW, I use SO for backup, but their sync capability between computers to be dodgy (admittedly - that was 4 years ago, when I first needed a multi-computer sync provider; it's not practical to change providers for a business at a whim)
Is it just my observation, or are there way too many stupid people in the world?
If you want an encrypted cloud storage service, use any of them but encrypt things before you upload. That is the only way to ensure Zero Knowledge and that it's encrypted effectively. Test the hell out of things afterwards to ensure they're not corrupting your files/data.
I use dropbox and my private folder is encrypted using truecrypt. It works and I've never had a problem with the file being corrupted or sync problems but then I'm only using 2GB of storage. Most of my files are now on 32+GB flash drives and they're encrypted from the beginning.
Mod me up/Mod me down: I wont frown as I've no crown
For all values of ___, never pay for an encrypted ___ service. Whether it's mass storage, email, or whatever. All service providers who offer this kind of stuff, are snake oil sellers. What happened to Lavabit this year wasn't news; we already knew about CALEA and have known for twenty years.
Twenty years in the tech world is a long time and ought to have conditioned your thinking by now. Even well-meaning, loyal professional allies can be subverted. The popular example case is government pointing guns (a.k.a. "court orders") at peoples' heads, saying to share the secret and keep it a secret that it's being shared. But really, once you even allow for that to be a possibility, all sorts of other things are possible. Replace the gun with a software bug exploit, replace the government with some random script kiddie with pretty much any agenda that you can think of. Anything goes.
Crypto is something that is performed by your machine, always done by software that you can understand (i.e. not proprietary). You never think about additional crypto that somebody else may or may not be doing, or by software not under your control. That's why you use a storage service that doesn't advertise crypto, you use a plain IMAP provider (if you some weird reason you're not handling that yourself), etc. Any service that tries to lure you with "security" is probably lying, unless by "security" they mean certain areas that intersect with reliability, such as DoS resistance.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
it is not a good idea to store on any cloud company's server. the NSA can compell any company in the US to give up the decryption key for pretty much anything. if you want to store your stuff on the internet, either make your own server and store on it, or find a company based in a country that does not listen to the NSA or any other spying conglomerate
another idea would be to encrypt it yourself BEFORE putting it on a cloud storage server. this way even if the NSA compells them to give up data... they cant get access to it without YOUR key.
Do it yourself means that you manage risk and cost. Handing it over to an outside contractor means, inevitably, eventually, with all companies, some douche nozzle accountant executive with limited tech knowledge in the pursuit personal bonuses and claiming great savings and extra profit with the typical B$ spreadsheet. Will take a series of cost savings short cuts that allow risk of data loss to become a certainty of data loss.
However you don't know when this is happening. So cannot assess and manage you risk. It' s possible you may not even find out even after a loss/disclosure has occured.
Note also that if the company you choose is bigger than you are then you automatically increase your risk. Since crackers, both criminal and government sponsored, tend to be interested in the biggest targets. Whilst momandpop.com might have to specifically attract the attention of the "bad guys" they are already looking at Dropbox, Amazon, Google, Skydrive, etc.
https://www.jungledisk.com/
I suppose it all depends on ones level of paranoia and which risks you fear most. Having all the data securely encrypted but in private homes means a couple of natural disasters and the data is gone.
One can layer encryption on top of theirs (as folks propose above with Dropbox) for an extra level of complexity.
‘Encrypted Storage Provider’. What fantasy land are you from? The NSA has forced every single on line provider to hand over encryption keys. A few have refused (lookup lavabit) and have shut down / walked away from their businesses). Meaning there is no more encryption. Everything is copied, tracked, evaluated, and reviewed. Everything. The US government has effectively killed the notion of corporate AND personal ‘cloud’ storage for anyone concerned about security.
That's why people should make a backup of their online cloud storage.
now we need to go OSS in diesel cars
First demand would be that the company lies outside of the US and has no US representation the US can target. Currently I know only of Mega to fulfill those requirements. Added bonus is that Kim Dotcom, the owner, is now seriously pissed at the US government so he won't cooperate with them.
If you want truly secure backups, then you need to control both ends of the backup, as well as everything in between. If there's one thing Edward Snowden has showed us, it's that someone is watching *everything* online...and encrypted data is just begging to be examined, stored & hacked.
-merlyn
Tahoe-LAFS (https://tahoe-lafs.org/trac/tahoe-lafs) may be exactly what you're looking for. Redundancy, privacy, AND it's DIY. Grab a few VPS's (and perhaps an actual box your control or two), and have your own encrypted, private cloud.
With how cheap VPS's are getting, this may very well be your best option.
Failing that, use Truecrypt inside a Dropbox or and go nuts.
Get BitTorrent Sync from http://labs.bittorrent.com/experiments/sync.html and set up your own server, either locally or "in the cloud" (which you control). There are clients for all major platforms, including Android, and it works well. Traffic is encrypted and storage is only on computers you control yourself.
There is one drawback, though: It's not open source so you have to trust BitTorrent Inc.
Nice, and just what I would roll on my own.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
No matter what you think of the Cloud, you have resilient cloud like Amazon that goes away sometimes, or you can have cloud like Everpix, that refused to give me my pix after they went to price model and told me “screw you” and is about to go away forever.
Nothing is permanent. Eventually some natural disaster is going to make a huge chunk of data away for services that are not geographically redundant.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."