Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Keeping Cloud Data Encrypted Without Cross-Platform Pain?

Posted by timothy on from the thrice-distilled-optimism dept.

bromoseltzer writes: I use cloud storage to hold many gigs of personal files that I'd just as soon were not targets for casual data mining. (Google: I'm thinking of you.) I want to access them from Linux, Windows, and Android devices. I have been using encfs, which does the job for Linux fairly well (despite some well-known issues), but Windows and Android don't seem to have working clients. I really want to map a file system of encrypted files and encrypted names to a local unencrypted filesystem — the way encfs works. What solutions do Slashdot readers recommend? Ideal would be a competitive cloud storage service like Dropbox or Google Drive that provides trustworthy encryption with suitable clients. Is there anything like that?

56 of 107 comments (clear)

  1. Good luck ... by gstoddart · · Score: 4, Insightful

    I hope you find what you're looking for, but I would suggest that:

    Ideal would be a competitive cloud storage service like Dropbox or Google Drive that provides trustworthy encryption with suitable clients

    This isn't possible.

    Unless you own the crypto bits, and you know for a fact that they don't have any way to access your keys, you should assume any provider can probably comply with court orders and hand over your data.

    Some of them might be peaking even if they claim not to be.

    The only way you can be guaranteed your stuff is secure is to encrypt it yourself, and cut the cloud out of the process entirely.

    There pretty much is no such thing as "trustworthy encryption" you didn't do yourself.

    --
    Lost at C:>. Found at C.
    1. Re:Good luck ... by TWX · · Score: 2

      Yep. I imagine the only sort of thing that would work would be an encrypted archiving format, but there will not be a seamless method to open the contents. One will probably have to manually decrypt all files in order to have access to them.

      This is par for the course with cloud, aka, someone else's computer. If you want secure, you need to buy your own server, set it up with an encrypted file system, pay for colocation in a datacenter, and host everything yourself.

      --
      Do not look into laser with remaining eye.
    2. Re:Good luck ... by epine · · Score: 1

      There pretty much is no such thing as "trustworthy encryption" you didn't do yourself.

      Does retyping the Tarsnap source code count as "doing it yourself"?

    3. Re:Good luck ... by NotInHere · · Score: 1

      And even then your security can be compromised by anybody who can stick an usb stick into your server at the datacenter, or has physical access by other means. Therefore, you can't just chose some datacenter where you put down your server and this is it, you have to chose one thats guarded with video surveillance, and proper protocols. And even then, a data compromise can be maximum detected, but stopping is even harder. Also you have to trust the people guarding your server. What if they get an NSL? but of course, if the NSA really sends an NSL requesting specifically your data, then you are fucked already, and they usually use other methods I guess. So the only data protection advantage you get from setting up your own server in a datacenter, is that NSA will most likely be too lazy to grab your data. I guess they have collective VPS programs already.

    4. Re:Good luck ... by mcrbids · · Score: 2

      You make it sound *onerous* but it doesn't need to be. You can buy many home routers with a USB port. Plug in a thumb drive and enable webDAV shares!

      We've been using webDAV for many, many years to create a distributed, "cloud based" storage accessible anywhere with good security. (Authenticated webDAV over SSL is approximately as secure as the password)

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:Good luck ... by mlts · · Score: 1

      I find there are multiple ways to skin this cat:

      Scenario 1: Archiving. This is where one sticks files into some archiving program (ZIP, RAR, etc.) and then uploads the archive to some place like Amazon Glacier where it pretty much remains indefinitely until needed. This takes some thought, since even though uploading and keeping stuff on Glacier is inexpensive... retrieving it isn't cheap. One should figure out a size of archive that isn't hard to download, but not too small that documents and other items require multiple downloaded files to retrieve. This can be done to mobile devices, but again, it is a balance of useful file size versus time downloading.

      Scenario 2: Random access block-based file. Using TrueCrypt on a DropBox synced partition for example. The changes are propagated. Of course, the download with this is cross-platform compatibility.

      Scenario 3: Subdirectory of files encrypted with something like CFS, EncFS, or another tool. This may work for OS X, Linux, and Android, but won't on iOS and Windows.

    6. Re:Good luck ... by AmiMoJo · · Score: 1

      Wouldn't a simple TrueCrypt container meet all the requirements?

      Create a container and set up cloud sync with a service that only sends diffs. I believe Dropbox does that, for example. Mount the container on each machine, or mount it on a NAS and share it unencrypted locally, or whatever you want to do.

      All the cloud service sees is a TrueCrypt container. Android has a few apps supporting TrueCrypt. All major desktop operating systems support it. It's probably the most trustworthy system out there, being both open source and recently audited.

      The only flaw in this system is that the container file is a live filesystem, so in-progress updates can cause issues as they propagate across devices via the cloud. But that's your only real option for what the OP wants.

      Alternatively, Spikeoak seems to do what the OP needs, and isn't expensive. The only down side is the closed source nature of the service.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Good luck ... by paulatz · · Score: 1

      The only way you can be guaranteed your stuff is secure is to encrypt it yourself, and cut the cloud out of the process entirely.

      This is completely true, the best you can get are some self-hosted services that work almost as seamlessly as commercial Clouds.

      I use Bittorrent Sync, it is fast and has a good mobile app. You need to have a server running if you want availability. I have two: a 150€ NAS in my home network and a Linux worstation at work (I never turn it off anyway in case I need to work from home, and it restarts in case of power failure).

      The only feature you miss is the possibility to one-click share a single file with some random guy, but for that there are the usual Clouds, I do not need to encrypt a file that I am sending around anyway.

      --
      this post contain no useful information, no need to mod it down
  2. Roll your own by BobSwi · · Score: 1

    with ownCloud or SeaFile, a Raspberry Pi 2, and whatever size USB you want.

    1. Re:Roll your own by bobbied · · Score: 1

      with ownCloud or SeaFile, a Raspberry Pi 2, and whatever size USB you want.

      Maybe for home use, but that's going to be pretty darn slow... You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive, the keyboard and the mouse etc.... Ouch...

      Personally, I'd go with an old scrapped desktop PC running OpenMediaVault attached to your network. Just stuff in a cheap SATA interface or two, load up on cheap drives, raid them into a redundant array of some kind and then install "ownCloud" plugin (Open Media Vault). You may spend some cash on drives, but you will be much happier than using that Pi.

      Once you get OMV up, there are plenty of ways to do backups of just about anything you like.....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Roll your own by rHBa · · Score: 1

      If you're hosting from home then your internet connection will more likely be the bottleneck. Having said that I'd recommend using an old laptop, they tend to be quieter than a desktop, draw less power and they also have a built in UPS. You can get a 3 year old laptop with 2GB RAM and a broken screen for next to nothing.

    3. Re:Roll your own by bobbied · · Score: 1

      I like that idea... ;)

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:Roll your own by buchner.johannes · · Score: 1

      Alternative version of roll-your-own: Host at some provider, use their client (or if you do not trust them, put a encrypted file system on top).
      Mount that on a Linux machine.
      Share that filesystem via SMB, so Android and Windows can access the files.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  3. Boxcryptor by MoZ-RedShirt · · Score: 1

    You might want to take a look at
    https://www.boxcryptor.com/en/...

    --
    Microsft spel chekar vor sail, worgs grate !!!
  4. Mega by Dredd13 · · Score: 2, Informative

    If you get rid of the mobile requirement, http://mega.co.nz/ might be the solution for you.

    Specifically designed by Kim Dotcom's folks so that they CANNOT access your data (so they don't tell if you've got financial paperwork or pirated movies). Has a method for sync'ing a local unencrypted filesystem into their cloud architecture.

    1. Re:Mega by Dredd13 · · Score: 1

      How the fuck is this "Offtopic"?

      Screw you, whoever moderated that...

    2. Re:Mega by cerberusss · · Score: 1

      I like Mega as well, but I felt the client for OS X was kinda clunky.

      --
      8 of 13 people found this answer helpful. Did you?
    3. Re:Mega by Dredd13 · · Score: 1

      Really? I haven't had any problems with it. I mean I did when it was like "month 1" of the service going live, but it settled down fairly nicely over time.

  5. Wuala by Anonymous Coward · · Score: 1

    There's Wuala, which is essentially Dropbox with client-side encryption. It used to be free for personal use, but now plans start at 1 EUR per month. Also, the encrypted data is stored in Europe, which is nice. http://www.wuala.com

  6. If you don't have anything useful to say... by Anonymous Coward · · Score: 1

    Shitpost!!!!!

  7. SpiderOak by ahziem · · Score: 2

    SpiderOak is a cloud-based, zero-knowledge storage and backup system. It has clients for Windows, Mac, Linux, Andorid, and iOS. You can also access from the web, but you have to provide a password, which means it is no longer zero-knowledge. I signed up a few years ago when large fires burned through my city, and I needed a secure, automated, off-site backup. The fires are gone, but now I still use it on Windows and Linux. The GUI is a little clunky, but it works. I stay in the first pricing tier by loading my old family photos (>>50GB) instead onto Google Nearline, which is cheaper but less convenient.

    1. Re:SpiderOak by jddj · · Score: 2

      +1 for SpiderOak, but please know that their Android client is not Zero-Knowledge. It means that mobile use is...not quite as clean as one would like.

    2. Re:SpiderOak by vux984 · · Score: 1

      Yeah +1 for spideroak. But you still do need to trust them.

      The source is closed. So you can't inspect and build the client yourself. So you have no way of knowing whether its really zero knowledge or not; or whether the client can or is sending the keys to the server etc.

      They also specifically disclaim zero knowledge for web based access and mobile. The former should be obvious, but the latter is a bit of a surprise/disappointment.

      Still I -do- generally trust them; and recommend them. Their business model isn't advertising and harvesting data.

      But the fact that I've decided to trust them is a far cry from it being a provably trustworthy system.

    3. Re:SpiderOak by antiparadigm · · Score: 1

      +1 SpiderOak SpiderOak has but one issue, but it is the same issue all cloud storage has (with the exception of rolling your own). You have to place your trust fundamentally in the hands of others. You own the keys and if you forget the keys, they can't help you recover them. If one must use a more mainstream option (I use Onedrive more then I probably should, but at least it isn't Google) I will take an object and use 7-zip to compress it, and if desire, use 7-zip to AES-256 encrypt the file. Then if I'm being totally paranoid (and lets face it - we all get this way every once in a while) I use a tool called AESCrypt to encrypt the compressed blob. Followed by using Eraser to fully wipe the plain text from my drive. I believe 7-zip and AES Crypt are available in both Windows & Linux flavors. Android, YMMV. But if you really want security I would suggest SpiderOak or roll your own cloud. (SpiderOak you have to trust, but they do encrypt before it leaves your PC, OwnCloud isn't that hard to setup, but you do have to consider having an always on server in your house... and your upload bandwidth.

    4. Re:SpiderOak by Fweeky · · Score: 1

      Their mobile client is open source: https://github.com/SpiderOak/S...

      The desktop client is mostly unobfuscated Python bytecode and easily inspected, docstrings, symbol names and all, with a bytecode decompiler. Not good enough, but at least a bit more transparent than most.

  8. CryptSync by Metabolife · · Score: 1

    For the windows front there's CryptSync.
    It encrypts files with 7zip so you can still grab them from other platforms.
    http://sourceforge.net/project...

  9. BT Sync by Insightfill · · Score: 1

    BT Sync - Aka "Bittorrent Sync" aka "Sync" is pretty close. In that setup, your own computers act as the cloud. Android and Linux clients, etc. I primarily use it to keep photos backed up from my phone to home, but also keep folders and movies on my home computer which sync with my phone as well.

    It's not a "cloud solution" in the normal sense - you can't keep files on the cloud and dynamically choose which ones to push around later, but it's CLOSE and may suit your needs.

    1. Re:BT Sync by corychristison · · Score: 1

      Syncthing looks interesting. Even has an Android client to boot.
      Thank you for sharing.

      I currently use BTSync, but it seems I have problems every time I upgrade, having to recreate the shares and such. Kind of a PITA.
      I also firewall it, so it doesn't sync outside of my home or office network, so, hopefully keeping any potential back doors out.

    2. Re:BT Sync by cerberusss · · Score: 1

      What I don't like about BT Sync is that it requires a specific port to be open. OwnCloud just uses the standard https port, 443, which is open anywhere.

      --
      8 of 13 people found this answer helpful. Did you?
    3. Re:BT Sync by lhowaf · · Score: 1

      Syncthing works great - especially with SyncTrayzor on Windows.

  10. Tarsnap? by X86BSD · · Score: 3

    I use Tarsnap. Cheap. Fast. Reliable. *Secure*. Client for almost all major platforms. Source included for the client. Check it out.

  11. trustworthy encryption by fustakrakich · · Score: 1

    I'm sorry, what?

    --
    “He’s not deformed, he’s just drunk!”
  12. nCryptedCloud for Dropbox encryption by WreckDiver · · Score: 1

    These guys do transparent encryption/decryption of DropBox and other cloud providers with web access as well as native clients for Windows, Mac, IOS and Android: https://www.encryptedcloud.com/

  13. Half of USB 2 still saturates home Internet by tepples · · Score: 2

    You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive

    Hi-Speed USB is nominally 480 Mbps half duplex and practically reaches half of that. If the storage shares a bus with a NIC, it could still saturate 120 Mbps. Home Internet is typically 3 to 50 Mbps down, and if you don't have a symmetric service like Verizon/Frontier FiOS, you get far less than that up.

    1. Re:Half of USB 2 still saturates home Internet by bobbied · · Score: 1

      You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive

      Hi-Speed USB is nominally 480 Mbps half duplex and practically reaches half of that. If the storage shares a bus with a NIC, it could still saturate 120 Mbps. Home Internet is typically 3 to 50 Mbps down, and if you don't have a symmetric service like Verizon/Frontier FiOS, you get far less than that up.

      Perhaps, but if you have this on your local network you will not be subject to the bandwidth limits of your ISP. I would usually be at home with most of my devices anyway, so I'm limited to the 802.1a/n link speed, which is going to fully push the Pi beyond it's limits. BTW, my FIOS connection is 25/25bps so, in my case I think it would be possible to nearly saturate the USB buss/CPU load of a Pi remotely, and for $10 more I could get 50/50, which would surely tax the Pi.

      There is some serious bandwidth limits for the Pi though. You can loose up to 50% to overhead. The remaining 120Mbps is split between the NIC and the USB drive, so the best you can count on is about 60Mbps. The way USB works it requires a LOT of overhead processor load and the Pi is pretty limited in that area, so even a total of 120Mbps might be a stretch for it. I'm not saying it won't work, only that you might want to consider something with a bit more oomph.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Half of USB 2 still saturates home Internet by bobbied · · Score: 1

      One more data point... There are actual observed Pi to storage bandwidths to report here. The *best* transfer rate noted was about 32Mbps, when running just the storage device on the USB bus. Half of that is about 16Mbps which is something that my internet connection could easily swamp. The data is here: http://www.mikronauts.com/rasp...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  14. Not a chance by Overzeetop · · Score: 1

    There pretty much is no such thing as "trustworthy encryption" you didn't do yourself.

    And, let's face it, for all but maybe a few hundred out of the 7 billion people on the planet, even if you try to do it yourself it's probably going to fail under a true attack that is targeted at getting your information and there's a good chance your home-built system will just screw up your data altogether.

    Saying the only trustworthy encryption scheme is the one you create only works if you're a cryptography and programming expert. Otherwise it's like hiding your life savings in safe you built entirely from scratch.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Not a chance by gstoddart · · Score: 2

      Saying the only trustworthy encryption scheme is the one you create only works if you're a cryptography and programming expert.

      I never said create it yourself.

      I said if you are looking for a "trusted encryption" being implemented by someone else on your behalf, there's a very high likelihood it's not secure from them. And if you want it to be secure form them, encrypt it yourself.

      So, use a solution which exists, and which has a good reputation. But the cloud provider should be left out of the process of encryption and used to only store the encrypted data, because in all likelihood either for ease of use, or compliance with law enforcement ... if they have access to the crypto keys, your trust level is pretty much reduced to pretty much zero, because if they have the keys they can decrypt it.

      The last thing people should be doing is rolling their own damned encryption solutions. The second last thing you shouldn't do is to use a service which is doing the encryption for you unless you know explicitly they have the ability to decrypt your stuff.

      So, back when DropBox first came out and said "it's encrypted, we promise" .. it wasn't encrypted from them, they could and did look into it, and they could and would open it for law enforcement.

      If you want it secure so only you can open it, you have to do it yourself, and understand that you have to take ownership for it if you screw up. Just don't assume that when a service says they'll encrypt your stuff that it means it's secure or private from that service.

      That's not possible.

      --
      Lost at C:>. Found at C.
  15. Boxcryptor Classic by hrath · · Score: 1

    Supports EncFS on Windows and works well with different Cloud FS providers.

  16. Dropbox & Boxcryptor by Anonymous Coward · · Score: 1

    Dropbox combined with Boxcryptor Classic (Android & Windows) and Cryptkeeper (basically encfs) on Linux. Works for me.

  17. Re:If they did that they would lose clients by jddj · · Score: 1

    Hmmm. Don't agree with this.

    1. Spider Oak has built its business on zero-knowledge (Full Disc: not an employee or a fanboy, but a user. Like it, except for non-zero-knowledge on mobile/web)

    2. There _is_ research going on about ways to compute on data without knowing the contents of the data. It's entirely likely that someone will solve search on zero-knowledge encrypted data, even though you and I don't yet know how it might work. (one way that comes to mind: zero-knowledge encrypt the query, then bounce the encrypted query against the encrypted ciphertext. This would probably suck 'cause it'd require ECB mode or something similar, and that's pretty weak, and such a technique would leak information like a sieve, but OTOH, not _impossible_ right out of the gate).

  18. pcloud.com by ManiaX+Killerian · · Score: 1

    https://pcloud.com/ - they have end-user encryption, currently in the desktop versions, working on getting it in the web and mobile versions. The encryption sources are open and available at their github account ( https://github.com/pcloudcom ), and they recently got an audit of the whole software and encryption schema.

    (disclaimer - i worked there and helped design it)

  19. OwnCloud by cerberusss · · Score: 1

    This being a tech site, I suggest you do it yourself and get a virtual private server somewhere, then install OwnCloud. It's extremely easy, just get a VPS at one of the nice providers like DigitalOcean or Linode, install Debian and use dmcrypt or ecryptfs to encrypt the filesystem.

    Then share your files over HTTPS. Done.

    --
    8 of 13 people found this answer helpful. Did you?
  20. KeePass by rwa2 · · Score: 1

    Not a complete filesystem-level solution. But I'm pretty happy with KeePass for sensitive stuff.

    Using the KeePassX client on Linux, with the .kdb file on Google Drive.
    KeePass2Android on our phones. We have a secret key not stored on Google Drive, and a passphrase to unlock that. Haven't had any trouble with the automatic sync of the .kdb back to Google Drive after making any changes.

    If encfs works fairly well on Linux, what's stopping you from getting http://linuxonandroid.org/ working on Android and mounting your encfs file in a full Linux chroot environment? Then on Windows just run a Linux VM that exports a Samba share of the unencrypted files.

    The other thing I've always done since forever is just use my phone / internet kiosk to VNC+SSH back to my home PC.

  21. Down to the User by PenguinJeff · · Score: 1

    EncFS is nice for a single logged in user but I wonder about building enc read/write into applications so that if root logs in even they can not read the users encrypted data. I think programs need to start using libraries to encrypt to the user level. So that only the user that owns the key can read(was going to add write but root can write to a file system) the encrypted file. Multi-user systems are always creating problems.

  22. Keep Using EncFS by ZeroNullVoid · · Score: 3, Interesting

    I recently went through this same issue.

    I tried lots of alternatives, but EncFS is still the best solution out there.

    The best and most reliable windows port of EncFS is Safe.
    http://www.getsafe.org/

    It does have some limitations, but in general it's the best solution out there.

    They strive to be binary compatible with Linux EncFS and have versions for Windows and Mac.

    Plus it's free and open source. (GPLv3)

    1. Re:Keep Using EncFS by operator_error · · Score: 1

      I must agree, EncFS is a great way to go. I use SSHFS with Ubuntu, and can simply mount any encrypted volume (including a remote volume) as a local PC disk. Here's a simple GUI tool for Ubuntu: http://www.libertyzero.com/GEn... I am pleased to have learned of Windows & OSX versions of the same thing today. Thanks!!!

    2. Re:Keep Using EncFS by Wizarth · · Score: 1

      Thank you, I didn't know about Safe. At one point I had to recover a backed up EncFS and ended up using a Linux VM to mount the encfs then copied everything out unencrypted.

  23. Flip the solution by ArhcAngel · · Score: 1

    Keep all your files on a BlackBerry and use Blend on the other devices. I'm only half kidding.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  24. Own Cloud, on a cloud VM with encrypted HD by dowens81625 · · Score: 1

    Own Cloud, on a cloud VM with encrypted HD ?

  25. Re:OwnCloud by Anonymous Coward · · Score: 1

    As of about a year ago, Owncloud didn't handle large files well at all. Maybe it's gotten better since then, but I dumped it for sftp / rsync.

  26. Seafile by PAPPP · · Score: 1

    I use and suggest Seafile. All the parts are open source, folders can be client-side encrypted.
    Its crypto isn't perfect (they use some odd AES settings, and the design leaks some metadata) and every now and then I manage to bug the sync system and have to remove/re-add a file to get it to sync properly, but it has good clients for Linux (gui or cli), Windows, Mac, Android, and iOS, as well as web access (You have to give your passphrase to the server for that, which is security-harming in theory, it is supposed to be flushed after N minutes). They have free AWS-backed instances with a small amount of storage to try, and it isn't bad to set up a server for on a VPS or the like, they also have a specialized RPi installer.

  27. git encrypt? by Tomahawk · · Score: 1

    Mount the drive-storage solution 'normally', and use it as a local git repository.
    If you use something like https://github.com/shadowhand/... you can encrypt all files that you store in git, hence on the cloud. There are likely similar solutions for svn, and cross platform solutions.

  28. Owncloud? by Trogre · · Score: 1

    If you want your data to be secured then the only way really is to run a server yourself.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re:Owncloud? by BlackLotus89 · · Score: 1

      Yeah. If you enable encryption and "External Storage" you can use OwnCloud with Dropbox,Googel Drive or whatever the hell you are using (as long as it is suppported like webdav,samba,ftp,sftp,...) I think it didn't get clear that OwnCloud can be combined with other CloudStorage providers to store your files encrypted on them.

  29. Forget Android by allo · · Score: 1

    Mobile platforms are inherent insecure. Not only the OS is not designed to be secure (against what you're fearing), the manufacturers are not your friend (you already said "hello google"), but the apps are per default spyware as well. if you have installed a security framework, you will know, that 9/10 apps access data they do not need to function as very first action after being installed. Stuff like calendar, contacts, call log, android serial, active/installed apps ...
    So on a mobile device almost everything is your enemy. you do not want to access sensible data there.