Dropbox and Encryption
♬ Listen,
Do you want to know a secret?,
Do you promise not to tell? ♬
Lyrics and music by Lennon/McCartney.
At last week’s Pacific Legal Technology Conference held in Vancouver, BC, Canada, “The Cloud” was one of the hottest topics. Of course the REPORT OF THE CLOUD COMPUTING WORKING GROUP from the Law Society of British Columbia was recognized as a leading document for lawyers looking for a thoughtful analysis of moving to the cloud.
Another hot topic among lawyers using the cloud is the security of cloud-based storage and sync services such as Dropbox or SugarSync. The concern has been heightened by the revelation that Dropbox dropped the security ball and introduced a bug that could have allowed unauthorized access to users’ Dropbox accounts. For lawyers who need to guard their clients’ confidences, this type of data security breach is indeed worrisome.
It would be great if all data stored in Dropbox could be encrypted with a strong encryption algorithm, which (hopefully!) would render it meaningless even if someone could gain access to your Dropbox account (or similar service). Fortunately, others have given this some thought. Dropbox has several pages that talk about how to mount your Dropbox folders within an encrypted volume on your computer (PC or Mac). The idea here is that your files are encrypted – both on the cloud and on your computer – by having your Dropbox folders within the encrypted volume on your computer.
For PCs, Dropbox has this article in their TipsAndTricks wiki on using TrueCrypt with Dropbox.
For Mac users, Dropbox has this forum that discusses mounting your Dropbox folders within an encrypted volume on your Mac using OS X.
As we move to the cloud we need secure ways to keep our clients’ secrets – secret…
(Hat tip to Peter Buxton for providing the idea for this post).
The methods covered here do not protect your files in the cloud. They will protect them if your computer is stolen, but Dropbox will still have access to them. A breach at Dropbox (as happened a few months ago) or someone getting your Dropbox name and password will expose your files.
Instead of putting Dropbox in an encrypted folder, you must store an encrypted container in Dropbox. This will break the Dropbox web interface (because they will no longer be able to access your files, which is the point). You would also not be able to access the files on two computers at once.
A better solution for backup of sensitive data would be Carbonite. A better solution for syncing sensitive data would be Jungle Disk.
I am the co-founder of Dialawg.com and think our product best addresses security concerns like these. Our service isn’t geared for synching files, but rather for keeping digital conversations (messages, files, chats, etc.) secure, yet accessible and sharable.
I’m a fan of Dropbox myself, but one of the reasons we created our product was because we thought attorneys needed a comprehensive service for communication where security is a first-class citizen.
What about SpiderOak for a secure encrypted solution? I have not dug into it enough to comment definitively, but it certainly seems a lot more security-focused than Dropbox or most other options. Perhaps someone more knowledgeable than me can weigh in?