Introduction

Most cloud storage services claim they "take every precaution" to keep your data secure. For example, most use encryption to make sure your files are secure in transit. They "have internal policies and controls" to ensure that employees don't access your files. But things do go horribly wrong.

On-the-fly encryption is the most convenient way to protect your files in transit and in the cloud. That's where client-side products like SpiderOak, Tresorit and Cryptomator come in. Client-side on-the-fly encryption ensures that your files never leave your computer in an unencrypted state, so the transport and the cloud provider only ever handle ciphertext.

Once properly set up, a good client-side, on-the-fly encryption application requires no direct action by users: they and their client-side processes have fast, direct access to unencrypted files. But encryption adds complexity (things do go horribly wrong), and local backups are still important. With client-side encryption the provider cannot recover your data for you; a forgotten password or a corrupted vault means lost files unless you hold a separate backup.

There are pitfalls and limitations in most systems for cloud-storage encryption. They are briefly described below in the "Minuses" for each system type.

The analysis of common ways to implement on-the-fly (sometimes called transparent) encryption is here in the introduction because deciding which type of encryption you need is often the quickest way to narrow your choices to what will work for you.

Type 1 = [User Folder - clear-text files] << >> [Encryption & Cloud sync] << >> [Cloud storage]

  • Examples: Tresorit | SpiderOak
  • Description: Implements on-the-fly encryption straight to the cloud. Encryption and syncing are combined.
  • Pluses:
    • There is no way that clear-text files will be sent to the cloud through user error.
    • Combined encryption and sync facilitates finer-grain processes. Functions like economical storage of previous versions in the cloud, file-by-file shareable encrypted links, and collaboration are examples.
    • Local files are always available in plain text, even when the encryption process is not running.
  • Minuses:
    • Local files are not encrypted by the process, as they are in Type 3. You need to add independent local encryption if you want those files to be encrypted at rest.
    • There are not many free versions of Type 1 encryption.

Type 2 = [User Folder - clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: Cloudfogger
  • Description:  User files are contained in a local clear-text folder. The encryption software places encrypted files in a location associated with the cloud sync/storage service being used. Choice of those services is independent from the encryption software.
  • Pluses:
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • The flexibility of cloud provider choice enables choice of features, functions and price.
  • Minuses:
    • Pitfall: The folder for encrypted files is an ordinary folder. If the user places any clear-text files directly in that folder they will not be encrypted in the cloud.
    • Local files are not encrypted by the process, as they are in Type 3.

Type 3 = [Virtual Drive - virtual clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: BoxCryptor | Cryptomator | Cloudifile | Viivo
  • Description: The key words here are Virtual Drive, as opposed to the User Folder of Type 2. User files are always encrypted on disk and are accessed as virtual clear-text files. The encryption software stores encrypted files in a location associated with the cloud sync/storage service being used. Choice of those services is independent from the encryption software.
    • The target folder -- [Folder - encrypted files] -- is located in the local "Cloud storage" service file structure, for example in the Dropbox folder of your choice. The cloud storage process uploads/downloads files to keep the local and cloud copies in sync. The "Virtual drive - clear-text files" element only appears when the encryption process is started.
    • The virtual drive is integrated with the local file system and has a drive letter assigned, for example R:\. It shows up in the top level of the storage structure; that's in "This PC" for Windows 10, for example. Both users and client-side processes interact with the contents of that virtual drive just as they would with any physical drive. The virtual drive is a view presented by the encryption process: decrypted data exists only in memory, and both the drive and its contents evaporate when the encryption process is not running.
  • Pluses
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • The flexibility of cloud provider choice enables choice of features, functions and price.
    • Physical (local) files are always encrypted at rest.
  • Minuses
    • Pitfall: The folder for encrypted files is an ordinary folder. If the user places any clear-text files directly in that folder (instead of in the virtual drive) they will be synced as-is and will not be encrypted in the cloud.
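The Type 2 and Type 3 pitfall above (a clear-text file dropped into the ordinary folder that holds the encrypted files) is easy to check for. The script below is an added example written for this article; it is not code from Cryptomator, BoxCryptor or any other product reviewed here, and it assumes nothing about a vault's real file format. Its assumptions are heuristics: a properly encrypted file carries no recognisable file signature, does not decode as printable text, and has close to 8 bits of entropy per byte; a file that fails any of those tests was probably put there by mistake. The signature list, the 64 KiB sample size and the 7.5 bits/byte threshold are all choices made for the example.

```python
"""Audit a cloud-synced "encrypted files" folder for clear-text files.

Added example for this article, not code from Cryptomator, BoxCryptor or any
other product it reviews.  Assumptions (hypothetical, not a vault format):
  * properly encrypted files look like uniformly random bytes: no file
    signature, not decodable as text, close to 8 bits of entropy per byte;
  * a file that carries a well-known signature, decodes as printable text,
    or has low entropy was probably dropped into the folder by mistake.
It is a heuristic.  A vault's own small metadata files may be flagged, so
review the report instead of deleting on sight.
"""
import math
import os
from collections import Counter
from typing import List, Tuple

SAMPLE_BYTES = 64 * 1024      # bytes inspected per file
MIN_ENTROPY_SAMPLE = 1024     # below this, entropy cannot approach 8 bits/byte
ENTROPY_THRESHOLD = 7.5       # 64 KiB of random data scores about 7.99

# Signatures of common clear-text formats (constructed list for the example).
SIGNATURES = {
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP / Office document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(sample: bytes) -> bool:
    """True if the sample decodes as UTF-8 and is almost all printable.

    Decoding with errors="replace" tolerates a multi-byte character cut off
    by the sample limit; the replacement char U+FFFD is counted as junk.
    """
    text = sample.decode("utf-8", errors="replace")
    if not text:
        return False
    good = sum(1 for ch in text
               if ch != "\ufffd" and (ch.isprintable() or ch in "\r\n\t"))
    return good / len(text) > 0.95


def classify(sample: bytes) -> str:
    """Return "ok" if nothing suggests clear text, else the reason it does."""
    for magic, name in SIGNATURES.items():
        if sample.startswith(magic):
            return f"signature: {name}"
    if not sample:
        return "empty file"
    if looks_like_text(sample):
        return "decodes as plain text"
    if len(sample) >= MIN_ENTROPY_SAMPLE:
        ent = shannon_entropy(sample)
        if ent < ENTROPY_THRESHOLD:
            return f"low entropy ({ent:.2f} bits/byte)"
    return "ok"


def audit_folder(root: str) -> List[Tuple[str, str]]:
    """Walk `root`; return (path relative to root, reason) for each suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            verdict = classify(sample)
            if verdict != "ok":
                findings.append((os.path.relpath(path, root), verdict))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, why in audit_folder(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"CLEAR TEXT? {rel}: {why}")
```

Run it against the folder the encryption software writes to (the Dropbox or OneDrive subfolder, not the virtual drive). Anything it reports is worth a look before the sync client uploads it; small files that are neither text nor carry a signature are left alone, because a short file cannot reach high entropy even when it is encrypted.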

Type 4 = [Virtual drive - clear-text files are virtual only] << >> [Encryption] << >> [Encrypted volume - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: VeraCrypt | TrueCrypt (not recommended)
  • Description: User files exist only inside the encryption container and are always encrypted. The container/vault/volume is a single encrypted file; when mounted, its contents are accessed as virtual clear-text files on a virtual drive. Cloud sync and storage are provided by independent cloud services.
  • Pluses:
    • Very robust encryption is available. I use VeraCrypt in this Type 4 configuration, but watch out for the pitfall (below in minuses) if you do.
  • Minuses:
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block updates (syncing just the changed part of that big encrypted container file). Every edit inside the volume changes the one big file, so without block updates the whole container is re-uploaded.
    • Pitfall: Unless the encryption process is set up exactly right, the cloud sync process will not detect that the encrypted volume contents have changed, and the changed volume will not be synced with the cloud. VeraCrypt, like TrueCrypt, has a preference to preserve the modification timestamp of file containers; with it enabled, a sync client that watches timestamps sees a container that never changes.

Type 5 = [User Folder - clear-text files] << >> [Encryption] << >> [Encrypted archive - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Example: CryptSync (which drives 7-Zip, so it also provides 7-Zip compression) | Others?
  • Description: The encryption process mirrors the clear-text files into an encryption container (an archive, in the case of CryptSync/7-Zip). The files can also be accessed independently, directly from the archive.
  • Pluses:
    • 7-Zip encryption (AES-256 in the .7z format) is time-tested.
    • 7-zip compression is fast and effective.
  • Minuses:
    • This is an unconventional encryption system.
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block updates (syncing just the changed part of that big encrypted archive file).
    • Local files are not encrypted.
    • Pitfall: The encryption container is an editable multi-file archive. If the user adds clear-text files directly to that archive without the archive password, they will not be encrypted in the cloud.

Cautionary Notes on Encryption
  1. Recent revelations about the NSA crippling or hacking encryption software are sobering if you store or transfer sensitive data via the internet. I would not suggest that it is prudent to trust any of the products listed here to protect your information from government agents, nation states, or determined cyber criminals.
  2. It still seems reasonable at this point to trust these products for protection from most hacker attacks.
  3. It is possible to inadvertently upload unencrypted files to cloud services using some of the solutions described here. See the notes under BoxCryptor and Viivo in the discussion below.
  4. Operating systems are messy: echoes of your personal data -- swap files, temp files, hibernation files, erased files, browser artifacts, etc. -- are likely to remain on any computer that you use. For example, when you encrypt and compress files, clear-text versions that existed before you compressed/encrypted them, or clear-text copies created after you decrypt/decompress them, may remain on your hard drive. It is not difficult to extract those echoes.
  5. Further advice about how to use encryption is given in Encryption is Not Enough, including what you need beyond encryption to be sure your private data is not lost or exposed.
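Cautionary note 4 is easy to verify for yourself. The script below is an added example written for this article, not a forensic tool from the page; it assumes nothing about the dump format and simply searches a raw file (a copy of a page file, hibernation file or disk image) for a chosen secret, both as ASCII and as UTF-16LE, the encoding Windows programs commonly use for strings in memory. It streams the file in chunks with an overlap so a hit straddling two chunks is not missed. The sample dump is constructed inside the script; the secret string and the chunk sizes are assumptions for the example.

```python
"""Search a raw dump (page file, hibernation file, disk image) for "echoes" of a
secret that should only exist inside the encrypted vault.

Added example for this article, not a tool from the page.  It assumes nothing
about the dump format: it looks for the secret as ASCII and as UTF-16LE (the
encoding Windows programs commonly use for strings in memory), reading the file
in chunks with an overlap so a hit straddling two chunks is not missed.
The sample dump is constructed here; point `scan_file` at a copy of a real
pagefile.sys to check your own machine.
"""
from typing import Dict, List


def encodings_of(secret: str) -> Dict[str, bytes]:
    """Byte patterns to hunt for."""
    return {"ascii": secret.encode("ascii"), "utf-16le": secret.encode("utf-16-le")}


def find_all(hay: bytes, needle: bytes) -> List[int]:
    """Every offset of `needle` in `hay`, overlapping matches included."""
    offs, start = [], 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return offs
        offs.append(i)
        start = i + 1


def find_echoes(dump: bytes, secret: str) -> Dict[str, List[int]]:
    """Offsets of each encoding of `secret` in an in-memory dump."""
    return {enc: find_all(dump, raw) for enc, raw in encodings_of(secret).items()}


def scan_file(path: str, secret: str, chunk_size: int = 16 * 1024 * 1024) -> Dict[str, List[int]]:
    """Like find_echoes, but streams a file of any size through a fixed buffer."""
    needles = encodings_of(secret)
    overlap = max(len(raw) for raw in needles.values()) - 1
    found: Dict[str, List[int]] = {enc: [] for enc in needles}
    tail, base = b"", 0   # bytes carried over from the previous chunk; file offset of the next chunk
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return found
            buf = tail + block
            buf_start = base - len(tail)
            for enc, raw in needles.items():
                for off in find_all(buf, raw):
                    # A match that ends inside the carried-over tail was reported last round.
                    if off + len(raw) > len(tail):
                        found[enc].append(buf_start + off)
            base += len(block)
            tail = buf[-overlap:] if overlap > 0 else b""


def build_sample_dump(secret: str = "correct horse battery") -> bytes:
    """Constructed dump: 4 KiB of filler, the secret as ASCII, more filler, the
    secret as UTF-16LE, more filler.  Nothing here came from a real machine."""
    filler = bytes(range(256)) * 16
    return filler + secret.encode("ascii") + filler + secret.encode("utf-16-le") + filler


if __name__ == "__main__":
    print(find_echoes(build_sample_dump(), "correct horse battery"))
```

Use a passphrase or a distinctive sentence from a document that lives only in the vault as the secret. A hit in the page file or hibernation file means the operating system has already written the clear text outside the encrypted volume, which is exactly the point of the note: a vault protects the files, not the copies the OS makes while you work on them.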

New encryption applications often appear when an individual reads up on applied cryptography, selects or devises an algorithm (maybe even a reliable open-source one), implements a user interface, tests the program to make sure it works, and thinks the job is done. It is not. Such a program is almost certain to harbor fatal flaws.

"Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure." --Bruce Schneier, in Security Pitfalls in Cryptography

 
Quick Selection Guide

SpiderOak
Rating: 4
Gizmo's Freeware award as the best product in its class!
Type: Combines a web service with a stand-alone program
Pros: SpiderOak provides 2 GB of free cloud storage, along with client-side encryption. More storage is available for a fee. You can select as many local files or folders as you'd like, within the storage limit, for backup and sync. Your files remain unencrypted on your synced devices, but are always encrypted before transmission and in the cloud.
Cons: SpiderOak keeps previous versions of files you back up, which is good, but those versions count against your 2 GB allocation. Although you can delete old file versions, 2 GB could get to be a little tight eventually. The user interface is logical, but it's a bit complex to discover it all if you want to use more than basic options.
Version: 4.8.4
Download size: 20 MB
Architecture: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: There is no portable version of this product available.

Cryptomator
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Open source, which makes independent cryptographic review possible. Simple user interface; discovering features and settings is fairly intuitive. Compatible with a wide range of cloud storage services. Fast sync with the cloud. The wide range of cloud provider choices enables choice of features, functions and price. Client-side files are always encrypted at rest.
Cons: The local folder that contains the encrypted files is an ordinary folder. If users place clear-text files directly in that folder instead of the virtual drive they will still be uploaded but will not be encrypted in the cloud.
Version: 1.0.3
Download size: 55 MB
Architecture: 32 and 64 bit versions available
License: Open source freeware
Portable: There is no portable version of this product available.
Platforms: OS X, Windows, Debian-based Linux (Ubuntu, Linux Mint, etc.), plus iPhone/iPad app (Android app in the works)

Sync
Rating: 4
Type: Combines a web service with a stand-alone program
Pros: Simple to install and simple to use. Clean and powerful with proven encryption. File versioning. Easily tailor what you want to sync and store on each of your devices. Sync and its servers are located in Canada (no Patriot Act). Also has the "pluses" of Type 1 encryption as referenced in the Introduction section of this article.
Cons: The (minor) "minuses" of Type 1 encryption as referenced in the Introduction section of this article.
Version: 1.1.7 as of 2016-04-28
Download size: 3.7 MB
Architecture: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: There is no portable version of this product available.
Notes: Sync features. Concise but complete user's manual. Quick video.
Platforms: Windows, Mac OS X, plus Android and iOS apps

BoxCryptor
Rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: On-the-fly encryption gives you transparent access and quick sync for encrypted files when signed in. Strong security. Simple operation. For Windows, Mac, iPhone, iPad, and Android. Some users will find the virtual drive with an assigned letter convenient (but see Cons).
Cons: The file system interface could lead to confusion, with files left unencrypted in the cloud (see discussion above). Requires Microsoft .NET. Only one encrypted folder is allowed in the free version, and it is limited to 2 GB.
Version: 2.15
Download size: 62 MB
Architecture: 32 bit but 64 bit compatible
License: Free for private use only
Portable: A portable version of this product is available from the developer.
Notes: Requires Microsoft .NET

Tresorit
Rating: 2
Type: Combines a web service with a stand-alone program
Pros: Possibly the most secure choice of the products listed here. A cloud storage account is included as part of the service. Tresorit has a clean, simple interface. Sync works quickly and well. Well-written support documentation. You can recover previous versions of files. Has worked very reliably for me. Tresorit operates under Swiss law and uses Irish and Dutch servers (no Patriot Act).
Cons: The current free version is severely hobbled. See note in the discussion. Local files are not encrypted (but it's highly unlikely that they will be lost in processing).
Version: 3.0
Download size: 15 MB
Architecture: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portable: There is no portable version of this product available.
 
 
Editor

This category is maintained by volunteer editor philip. Registered members can contact the editor with any comments or suggestions they might have by clicking here.

 