Best Free Encryption Utility for Cloud Storage

Updated 24. February 2014 - 19:39 by philip

In a Hurry?
Go to details...  Go straight to the Quick Selection Guide
 
Introduction

Cloud services, Dropbox for example, take "every precaution" to keep your data secure. They use SSL encryption to make sure that your files are secure in transit. Once your files arrive, they store them encrypted on their servers. They also use internal policies and controls to ensure that employees don't access your files. Of course things can go horribly wrong when you don't have physical control of your documents.

That's where encryption programs like SpiderOak, Tresorit and Viivo come in. They provide client-side encryption to protect your files from access at rest. Or from the more usual threat of a rogue employee gaining access your files. Automatic client-side encryption assures that your files never leave your computer in an unencrypted state.

On-the-fly encryption is the the most convenient way to protect your files the cloud. Your programs have direct access to the unencrypted contents of your files, and the on-the-fly encryption process presents the encrypted files to the cloud. Once on-the-fly encryption is set up, the smooth, client-side conversion requires no direct action by the user. But because encryption adds complexity, it makes local backup even more important.

Notes on "due dilligence"

TrueCrypt is a seasoned product. It fully meets my criteria for selecting encryption software. Unfortunately, it's not a convenient solution in some cases, and it may not work well with the cloud service you choose (see backup trap under True Crypt below).

It's too early to consider Cloudfogger and BoxCryptor seasoned, and they are not open-source software, so while I like all the other indicators I've seen, I'm not ready to declare them fully vetted. On the other hand, your encryption program and your cloud service must both be compromised at the same time to expose your files. Your may feel that the risk of joint compromise may be low enough for you to put your files in the cloud using one of these products.

Viivo and Wuala are not open source either, but they are seasoned products from a source whose business is encryption-centered.

 Cautionary Notes

  1. Recent revelations about NSA crippling, and/or hacking encryption software are sobering when you consider storing or transferring data via the Internet. I do not think that it is prudent to trust any of the products listed here to protect information that you would not want agents of any government to have access to. Not unless you have means to independently valididate them. It seems reasonable at this point to trust them for protection from civilian attacks. Example: TrueCrypt might be the most secure alternative for cloud storage security, but "nobody knows" yet (or about any other encryption software/service for that matter).
  2. Operating systems are messy: Echos of your personal data -- swap files, temp files, hibernation files, erased files, browser artifacts, etc -- are likely to remain on any computer that you use to access the data. It is a trivial task to extract those echos.
    For example, when you encrypt and compress files, clear-text versions that existed before you compress/encrypt the file or clear-text copies that are created after you decrypt/decompress it remain on your hard drive. Unless you purge -- not just delete -- those clear-text files. :-(
  3. The fact that an encryption program "works" does not mean that it is secure. New encryption utilities often appear after someone reads up on applied cryptography, selects or devises an algorithm - maybe even a reliable open source one - implements a user interface, tests the program to make sure it works, and thinks he's done. He's not. Such a program is almost certain to harbor fatal flaws.
    1. "Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure." --Bruce Schneier, in Security Pitfalls in Cryptography
  4. It is possible to inadvertently upload unencrypted files to cloud services using some of the solutions described here. See the notes under BoxCryptor and Viivo in the discussion below.
  5. Further advice about how to use encryption are discussed in Encryption is Not Enough, including what you need to do beyond encryption to be sure your private data is not lost or exposed.
 
Discussion

SpiderOak is not just an encryption program. It combines client-side encryption with 2 GB of free cloud storage (more storage is availale for a fee). In other words, you don't need a separate cloud-storage service. SpiderOak also provides sync between PCs and portable devices in addition to backup. In sum, SpiderOak provides encryption backup, sync and storage space. Backup and sync can be automatic.

Your files are unencrypted on all your synced devices, but are always encrypted for transmission and storage in the cloud.You can use SpiderOak for as many folders as you like. Of course you can use up the free 2 GB pretty quickly, but it is inexpensive to get more. It is challenging to discover all the functions of SpiderOak intuitively, but they have excellent "getting started" guides and a users manual.

The SpiderOak statement on privacy and passwords is a good example of what you should look for to evaluate the security of any encryption service for cloud storage. In particular, be very leary of any service that offers password recovery. If there is a mechanism for password recovery, it is likely your data on the server is also accessible to a determined hacker or agency.

I have have been using SpiderOak for the small set of sensitive files that I want to backup and sync. One thing to understand is that SpiderOak breaks files into blocks so that only the changed or added sections of files need to be stored. That way many versions of the file by just storing the incremental blocks. It offers fine-grain control of the backup/sync process, which helps you stay within the 2 GB of free storage. It's a bit tricky to use SpiderOak until you get used to how it processes backups and syncing.

Wuala is similar to SpiderOak, and also provides selective sharing by file or folder. They offer a more-generous 5 GB free storage. I had intended to use Wuala, but it requires Java, which exposes your PC to a seemingly perpetual string of serious vulnerabilities. I truncated my evaluation after learning that it worked well.

I liked the general capabilities of Wuala, and judging from some papers they have written it is likely that their encryption is sound. If you're willing to live with the hazards of Java, it is nice to work with.

Wuala uses AES- 256 for encryption, RSA 2048 for signatures and for key exchange when sharing folders, and SHA-256 for integrity checks, which is good in principle, but keep in mind that AES is an NSA "approved" algorithm. Their servers are in Switzerland, Germany, and France, which may offer you more privacy.

Tresorit is the latest significant entry in this "client plus cloud" active encryption arena, with a free 5 GB plan. The Tresorit interface is gloriously simple, and they describe their approach to encryption quite well. It could be the most secure one on this list. They have an impressive analysis of why they doubt that Tresorit has been hacked. Being based in Switzerland doesn't hurt either. ;)

Tresorit may be little puzzling when you first set it up. You might think nothing is happening. Their support is comprehensive and well written though, so you should be able to figure out how to get Tresorit going. I've been using Tresorit for my most important data since September, 2013, and it has performed flawlessly. There is a sizable development team at Tresorit, and they are actively introducing new apps and features. They plan to implement file versioning soon, for example. [whitepaper]

SafeMonk is similar in operation to Cloudfogger, but quite a bit simpler to use. It is a bit unsual in that it uses public/private encryption instead of shared key. That enables a very flexible sharing capability that works on a folder-by-folder basis. SafeMonk presents the same hazard that many cloud encryption products do. If you copy a file to the SafeMonk folder without SafeMonk running it will be unencrypted on your computer and in the cloud.

BoxCryptor and Viivo provide most of the same functions that Cloudfogger does. They are integrated with the file-system in a different way though. Both use an encrypted virtual-drive interface that is linked to an ordinary folder. They encrypt a single folder, and augment it with the virtual-folder overlay to give cleartext access. With this approach, you work directly with an unencrypted local files, which is faster, but not as secure against local attack.

Their two folder approach also leaves users open to fatal mistakes. All files to be encrypted must be placed in the unencrypted local folder. or they will not be encrypted in the cloud-facing folder. Any files placed directly in the encrypted folder will not be encrypted. That could be hard to remember, and there is no warning or other indication of mistakes.

TrueCrypt is a top-rated product for most uses, but there is a potential backup trap when it is used for files that will be synced or stored in the cloud.

Encryption programs that create encrypted "volumes" (files that contain encrypted files) do not change the size of the volume (container file), and often - intentionally - do not change the modified date of the volume, even though files in the volume have been changed or added. The result can be that your cloud service does not recognize that the volume file has changed, and will fail to update the online copy.

TrueCrypt is an example of an encryption program that does not change the modified date of volume files (encrypted file container). However, some cloud backup services - Dropbox for example - check the hash value of volume files, not the date, and if that changes Dropbox stores the latest copy of the volume file. If you're using Dropbox, that makes TrueCrypt an excellent way to implement client-side encryption for your most sensitive files. SkyDrive, monitors the modified date - not a hash value - so TrueCrypt volumes are not updated in the cloud by SkyDrive after their content changes client-side.
 
Related Products and Information
 
Quick Selection Guide

SpiderOak
4
 
Combines a web service with a stand-alone program
SpiderOak provides 2 GB of free cloud storage, along with client-side encryption. More storage is available for a fee. You can select as many local files or folders as you'd like - within the storage limit- for backup and sync. Your files are remain unencrypted on your synced devices, but are always encrypted before transmission and in the cloud.
SpiderOak keeps previous versions of files you back up - which is good - but those versions count against your 2 GB allocation. Although you can delete old file versions, 2 GB could get to be a little tight eventually. The user interface is logical, but it's a bit complex to discover it all if you want to use more than basic options.
https://spideroak.com/
https://spideroak.com/opendownload/
4.8.4
20 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.
Windows XP, 7 & 8; Linux; Mac; iPad and iPhone: Android; and other smartphones in the works
Tresorit
4
 
Combines a web service with a stand-alone program
Possibly the most secure choice of products listed here. Clean, simple interface. Sync works quickly and well. Well written support documentation. Based in Switzerland.
While the interface is simple, the functional elements of the product are a bit obscure. That should be no problem if you use the documentation.
https://tresorit.com/
https://tresorit.com/download
0.8.119.149
9.3 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.
Windows XP, 7, 8; Mac; Android; or iOS
BoxCryptor
2.5
 
Runs as a stand-alone program on a user's computer
On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security. Simple operation. For Windows, Mac, iPhone, iPad, and Android. Some users will find the virtual drive with an assigned letter convenient (but see Cons).
The file system interface could lead to confusion, with files left unencrypted in the cloud (see discussion above). Requires Microsoft .NET. Only one encrypted folder is allowed in the free version, and it is limited to 2 GB.
https://www.boxcryptor.com/
https://www.boxcryptor.com/download/
1.3.2
7.1 MB
32 bit but 64 bit compatible
Free for private use only
A portable version of this product is available from the developer.
Windows, Mac, iPhone, iPad, and Android

Requires Microsoft .NET

Viivo
2.5
 
Runs as a stand-alone program on a user's computer
On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security. Simple operation. For Windows, Mac, iPhone, iPad, and Android. Some users will find the virtual drive with an assigned letter convenient (but see Cons in the discussion).
The file system interface could lead to confusion, with files left unencrypted in the cloud (see discussion above). Supports Dropbox only at this time.
http://viivo.com/
http://viivo.com/
1.01.0042
20.4 MB
32 bit but 64 bit compatible
Unrestricted freeware
There is no portable version of this product available.
Windows 7 & 8, Mac OS X 10.7 and 10.8, iOS 6.0 and later, and Android 4.0 and later.
SafeMonk
2.5
 
Runs as a stand-alone program on a user's computer
Best Free Encryption Utility for Cloud Storage. Simple operation. Supports account recovery in case you lose your password or have other trouble. Files are encrypted when SafeMonk is not running. Secure sharing on a folder by folder basis is easy to set up.
Preview release. Works with Dropbox only. If you copy or save a file to the SafeMonk folder when SafeMonk is not running it will be unencrypted on your computer and in the cloud.
https://beta.safemonk.com/
https://beta.safemonk.com/
0.3.1
12.7 MB
32 bit but 64 bit compatible
Free for private or educational use only
There is no portable version of this product available.
Windows 7 & 8, OSX 10.8, iOS 6.1 or later (iPhone app is available)
TrueCrypt
2
 
Runs as a stand-alone program on a user's computer
TrueCrypt is a proven product with strong security. It offers familiar use for many users. Works well with Dropbox, but see the note under Cons below.
TrueCrypt is a top rated product for conventional use, but it is not as convenient for client-side cloud encryption as solutions like Spider Oak, Cloudfogger and BoxCryptor.
http://www.truecrypt.org/
http://www.truecrypt.org/downloads.php
7.1a
3.0 MB
32 and 64 bit versions available
Open source freeware
A portable version of this product is available from the developer.
Windows XP/Vista/2000/7/8; Mac OS X; Linux

 
Editor

This category is maintained by volunteer editor philip. Registered members can contact the editor with any comments or suggestions they might have by clicking here.
 
Tags

encrypt cloud storage file folder

Back to the top of the article.

 

Share this
4.47059
Average: 4.5 (17 votes)
Your rating: None

Comments

by theelostone on 24. February 2014 - 2:05  (114618)

I think Cloudfogger is dead. Their blog and twitter haven't seen a new post since 2012. Would love to see an updated version of this article re-reviewing the programs that are still active and listing any new contenders. I'm guessing much has changed. Boxcryptor now wants a yearly subscription from you to get the same functionality that used to be free, etc.
by philip on 24. February 2014 - 19:25  (114626)

Hi theelostone,

Yes, I appears that they are not in an active mode at Cloudfogger. Their blog, Twitter and Facebook entries all stopped, and their webpage still states "free for non-commercial use." I will be moving Cloudfogger off the main list.

I keep an eye on this encryption category, and recently moved Tresorit to the main list. I've been using it for nearly a year with great results.

I haven't looked closely at Mega yet (comment below), but I like the fact that they are located in New Zealand.
by George.J on 12. February 2014 - 4:43  (114418)

Take a look at Mega, a file hosting and cloud storage site with top notch security. The site uses an advanced AES encryption algorithm at client side. Even the site owners doesn't have access to the encryption keys, so they can't decrypt the content.

Also you get 50GB free storage space with 10GB bandwidth.

by philip on 25. February 2014 - 14:40  (114646)

Well, the joke's on me. I should have recognized Mega at the start. It is the colorful Kim Dotcom's old Megaupload rising from the ashes. This search at DuckDuckGo will give you a feel for my surprise when I began to vet Mega. I wanted to go beyond their rather (pun intended, but apropos) cryptic website. It will be interesting to keep an eye on it. Could turn out to be the world's best or something else.

by philip on 12. February 2014 - 14:52  (114425)

Thanks for the tip George. I'll take a look.
by PK_justin on 10. February 2014 - 16:37  (114386)

With more attention on "taking the keys back" with regard to security in the cloud, this article has a nice roundup of offerings. With Viivo specifically, there have been a few updates since it was first publishing, including new features, UX and support for Box, Drive & SkyDrive (or whatever it'll be called next). Others updated, too, I'm sure, as attention in this area of security is understandably booming.
by DutchPete on 19. September 2013 - 10:43  (110862)

Philip I don't see Bitcasa mentioned here. They offer 10 Gb free. I have been using their free service for a few months with mixed feelings. You can access you files in the cloud and download them if need be, but you cannot delete them when in their website. The deletion needs to be done locally by unmirroring the file or folder you want deleted. They used to offer email support to free accounts as well, but have recently stopped doing that and reserve it for paid accounts only. In any case Bitcasa should be considered I think.
With the recent upheaval from the Snowden revelations I am not sure anymore about the security of all these client-side encryption programs, and am considering doing my own encryption (TrueCrypt?)in combination with a cloud service.
by philip on 25. September 2013 - 16:49  (111000)

To wrap up what I've learned about Bitcasa: 1) They use what is known as Convergent Encryption, which may not be secure against determined snooping (see the Wikipedia article on the technology). 2) Their focus is on storing all your data in the cloud (so you never run out of space, and can access your files from anywhere), not highly secure storage. 3) In a video pitch that I watched, the key founder was brilliant, but he is young, and seemed overconfident. So it's not for me. ;)
by philip on 19. September 2013 - 12:23  (110866)

Thanks for your comment DutchPete. I'll take a look at Bitcasa. I don't know how to respond to the Snowden revelations yet. For me, it's not the surveillance that I'm concerned about so much as it is the corruption that they have imposed on encryption. It's not going to be long before cyber criminals learn how to break the compromised utilities, and there is no way to know which ones those are. Oh bother.
by DonsEars on 29. July 2013 - 20:59  (109738)

Love CryptSync. It is basically a watch folder front end for 7-Zip.
by autohost on 29. April 2013 - 20:54  (107384)

Try http://tools.tortoisesvn.net/CryptSync.html

From it's website:
" CryptSync is a small utility that synchronizes two folders while encrypting the contents in one folder. That means one of the two folders has all files unencrypted (the files you work with) and the other folder has all the files encrypted.

The synchronization works both ways: a change in one folder gets synchronized to the other folder. If a file is added or modified in the unencrypted folder, it gets encrypted. If a file is added or modified in the encrypted folder, it gets decrypted to the other folder. "
by philip on 30. April 2013 - 15:26  (107400)

Thanks for the tip autohost,

CryptSync is a clever little wrapper for 7-Zip. I presume that it uses DES-256 encryption which is native to 7-Zip. A little experimentation with CryptSync is a good way to see how tools like BoxCryptor and Viivo work. You can also open individual files in the encrypted folder directly with 7-Zip.
by DonsEars on 29. July 2013 - 21:04  (109739)

When I open a CryptSync file with 7-Zip it reports "Method: LZMA 7zAES".
by newbino on 14. March 2013 - 9:34  (106237)

Just found Viivo http://viivo.com/ new from PKWARE (of .zip fame). Looks interesting!
by philip on 14. March 2013 - 17:56  (106246)

Yes indeed, newbino. Thanks for the lead. The parent firm is in the secure cloud business for enterprises, so this could be a good one. Found nothing beyond that at their site to answer the questions that I use to vet encryption software. I'll be doing more research online soon.
by Panzer on 12. December 2012 - 8:56  (103536)

Secured Cloud Drive provides you with the highest military-grade encryption for the files you store using any online storage:
http://www.secured-cloud-drive.com/
by Barrett Linton on 19. October 2012 - 13:11  (101056)

One functionality that I am missing from Cloudfogger (or I must have missed it) is a way to access my *.cfog files via a browser from any device if need be. Perhaps a browser plugin or API could do the trick. Any thoughts on that?
by philip on 19. October 2012 - 14:14  (101059)

Hi Barrett,

There are no browser add-ons for Cloudfogger. There are now apps for iPad, iPhone and Android. There is also a Mac program. You'll find details for these apps/programs on their Download page (see the link in the Quick Selection Guide section for Cloudfogger on this page).
by Am (not verified) on 2. October 2012 - 12:56  (100108)

Regarding the TrueCrypt "backup Trap" comment in the review, it is possible for TrueCrypt to change the modified date of volume files by unchecking the "Preserve modification timestamp of file containers" option within Settings / Preferences.
by philip on 2. October 2012 - 13:17  (100109)

Hi Am

You know, I've tried that more than once over the years and the modification timestamp did not change for me. Maybe you need to do that before creating the volume, i.e., maybe it doesn't work for previously created volumes. I guess I need to experiment some more.
by Am (not verified) on 2. October 2012 - 14:59  (100115)

Hi Philip,

FYI, I have also used this on previously created volumes and it works fine (after making a change to a file within the volume and then dismounting the volume).
by philip on 2. October 2012 - 18:49  (100125)

Thanks Am,

Yes, that might make the difference. I've noticed that the hash values of TrueCrypt volumes don't change until you dismount them. That's a clue that changed virtual-drive contents are in memory and/or the swap file until the volume is dismounted.
by PQ on 22. June 2013 - 9:03  (108658)

Yes the unticking "Preserve modification timestamp of file containers" in truecrypt works perfectly for me. I also only found this out and applied it after I'd created the containers. I was ready to drop truecrypt becasue the containers weren't being updated to the cloud. Once i dismount the containers the modified date gets updated (If I've made any changes) and the cloud app reocgnises this. I have been using this method with Wuala and it's been working well so far. Also Wuala does not seem to upload the whole container each time, so i think it's similar to dropbox and only updating the parts that have changed.

Tried cloudfogger and had a bit of a nightmare with it. so won't be using it again. I also use 7zip encrpytion for cloud storage, it isn't really a hassle for me but i don't add new files that frequently.
by DutchPete on 19. September 2013 - 11:36  (110865)

PQ, looking at the Wuala site it seems that they offer good client-side encryption with real security. The storage provider cannot be forced to hand over your data to government agencies as they do not have access to it. So why do you use TrueCrypt in addition to Wuala? Is it because you want an extra layer of security because you do not fully trust Wuala?
by philip on 22. June 2013 - 13:17  (108663)

Thanks for the feedback PQ. I've also noticed that some services only update a small fraction of my TrueCrypt volumes when I change the content. Evidently they hash each block of the file and only upload the ones that change. I didn't know about Wuala. I'll be evaluating it soon.
by Paranoid (not verified) on 28. September 2012 - 8:39  (99895)

I have used multiple Truecrypt virtual drives for many years, with no problems. I have recently started using Sugarsync in conjunction with those drives, again with no problem.

However, this combination does not provide complete security for two-way communication, because incoming files are stored in the My Documents folder. It would be easy to move this to a Truecrypt drive. The problem here, however, is that on start-up, Windows would not find the folder, so would create another. At the least, this would necessitate 'moving' the location of the folder at each start-up.

The solution would seem to be to use a system such as Cloudfogger to encrypt the files in the Truyecrypt drives. For synchronisation between, say, a desktop and a laptop, the same user-identity would be used on both machines. Thus, at all stages the files would be encrypted.
by philip on 28. September 2012 - 13:28  (99907)

I'm puzzled: Let's see if I understand how your setup works. You set up TrueCrypt volumes, say one on a desktop and a matching one on a laptop. You then open the volume on one machine and start Sugarsync, which uploads the files from the virtual drive to the cloud. Later, you open the virtual drive on the other machine, start Sugarsync, and it downloads any new and changed files from the cloud.

I see a problem if your objective is to have individual files encrypted while in transit and also in the cloud. The client-side encryption is undone when you open virtual drives, and Sugarsync is working with cleartext files. They are not encrypted in transit or in the cloud.

I also use TrueCrypt virtual drives, but I sync the TrueCrypt volumes themselves, not the contents of the virtual drives when they are mounted. Perhaps your objective is simply to have the files encrypted on the desktop and laptop when the volumes are not open?
by Paranoid (not verified) on 28. September 2012 - 17:32  (99918)

Philip

My main aim is to secure the files on the two computers. Encryption in the cloud is a bonus.

I've tested the concept with SecretSync and Dropbox. (SecretSync say that the system works with other cloud storage products, or I would not have bothered.) I located the SecretSync folder in a Truecrypt virtual drive. A file placed in that folder appeared (encrypted) in the SecretSync "Tunnel" folder in the Dropbox folder. Therefore, on the other machine it would arrive encrypted, and would be automatically decrypted in the corresponding SecretSync folder, which would also be in a Truecrypt virtual drive. That's how it seems to me, anyway, but I have not yet tested the second part (which is actually on a machine in another location; I access this, if needs be, with Logmein).

I note that you have reservations about SecretSync because it is Java-based. Given that CloudFogger permits five top-level folders, and does not use Java, this might be a better bet.
by philip on 28. September 2012 - 20:37  (99929)

That's great, Paranoid.

Just the kind of clever idea that a fellow paranoid would like to have invented. You're actually cloning one cleartext file into two independent ciphertext streams - one local, and one for the cloud. Splendid.

As for Java, I wonder if Oracle has the know-how to root out vulnerabilities before the hackers find them. They don't seem to come up with well conceived fixes when someone else finds one. I've cut out Java permanently. Not the liquid kind though.

Cloudfogger should work too. Cloudfogger has no tunnel. The files are always encrypted. You only see what looks like cleartext files through an on-the-fly file-system overlay. There are no static cleartext files. Cloudfogger streams virtual cleartext on demand (in both directions). I don't see any reason that nesting Cloudfogger in TrueCrypt virtual drives would not work though.
by Paranoid (not verified) on 28. September 2012 - 8:52  (99896)

I should perhaps have said that when I first starting using Sugarsync, there was indeed a problem. If Sugarsync was started before the Truecrypt drives were opened (the default, of course) SS assumed that the files had been deleted. When the Truecrypt drives were opened, all the previously synchronised files were deleted on the user-machine!

The worst aspect of that particular problem has been resolved; files are no longer deleted on the user-machine. If the drive is not found, the link is temporarily broken, but can be restored. The way to avoid the problem is to ensure that SS is never started before Truecrypt, and always closed before Truecrypt. One safeguard would be for the shortcut to SS to be on the virtual drive.

Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here