Selecting an Encryption Method for Cloud Storage

Encryption methods for cloud storage

It's likely that there is no one "perfect" method to encrypt data for transit and storage in the cloud, not unless you fully trust SSL/TLS and the cloud storage service you are going to use. But you probably wouldn't be here if you trusted both of them. And all but one of the methods I know of has a salient flaw. So the first step is to pick your poison.

  • Type 1: The salient flaw in this method is that the client-side files reside in an unencrypted folder on your computer. If you're confident nobody will be able to gain access to your computer, that may not concern you.
  • Type 2 is vulnerable to user error. There are two folders in this method, and if the user stores any clear-text files in the folder that holds the encrypted files, they will be uploaded as clear-text files.
  • Type 3 is vulnerable to the same flaw as Type 1, namely the unencrypted client-side folder.
  • Type 4 might not appear to have any fatal flaws. But there is no such thing as fool-proof, so it's just fool-resistant. The problem with Type 4 software is that it is a cumbersome manual process. Unless you understand thoroughly what's going on, you're bound to make a big mistake. Your data will probably always be secure, but you may lose access to it.

What do I use? I cascade VeraCrypt with Tresorit for my most sensitive documents. Why? First, cascading two independent encryption layers greatly reduces the odds that an attacker who defeats one of them gets at my data. Second, although Tresorit is a Type 1 product, VeraCrypt removes the unencrypted-folder hazard: the Tresorit folder then holds a VeraCrypt container rather than clear-text files.

The comparison table below is a kind of textual flow chart that describes how each method works. After you've partially digested that, proceed to Overview of the main cloud storage methods to learn more about the pluses and minuses of the Types that appeal to you.

Comparison Table

Columns: Type & examples | Client-side file access/storage | Encrypt >> << Decrypt | Encrypted files | Sync with the cloud

Type 1 (Tresorit, SpiderOak)
  • Client-side file access/storage: Unencrypted folder.
  • Encrypt >> << Decrypt: Integral with the cloud-side processes. Triggered by user or cloud changes.
  • Encrypted files: Local encrypted files are stored in RAM only.
  • Sync with the cloud: Sync is integral with the encryption process. Sync is triggered by user changes or cloud changes.

Type 2 (BoxCryptor, Cryptomator, Cloudifile, Viivo)
  • Client-side file access/storage: Virtual drive.
  • Encrypt >> << Decrypt: Triggered by user changes or cloud folder changes.
  • Encrypted files: Local encrypted files are stored directly in the special folder assigned by/to the cloud sync service.
  • Sync with the cloud: Sync is controlled by the cloud service. Sync is triggered by cloud folder changes or cloud changes.

Type 3 (Cloudfogger)
  • Client-side file access/storage: Unencrypted folder.
  • Encrypt >> << Decrypt: Triggered by user changes or cloud folder changes. The encryption process must be running, or new files and changes will not be encrypted.
  • Encrypted files: Local encrypted files reside in RAM only. Cloud-side transfer is driven by the encryption process. These files exist client-side only while the encryption process is running.
  • Sync with the cloud: The sync process itself is controlled by the cloud service. Sync is triggered by the encryption process or cloud changes.

Type 4 (VeraCrypt, CryptSync; the overview below treats CryptSync's archive variant separately as Type 5)
  • Client-side file access/storage: Virtual drive or virtual file system (works much like a virtual drive). Unencrypted content is only available while the encryption process is running. The content is only virtual, but it can be copied or written out in clear text.
  • Encrypt >> << Decrypt: Encryption is integral with local storage in one single encrypted container file. Changes are written directly to the container.
  • Encrypted files: Local encrypted files are stored in one single file (volume | vault | container | archive).
  • Sync with the cloud: Sync is controlled by the cloud service. Sync is triggered by changes in the container file. Cloud-side changes require reopening the client-side container file. There will be conflicts if changes from multiple clients collide.

Overview of the main cloud storage methods

Type 1 = [Unencrypted folder] << >> [Integrated encryption & cloud sync] << >> [Cloud storage]

  • Examples: Tresorit | SpiderOak
  • Description: This method includes an integral cloud-storage account. On-the-fly encryption goes straight to the cloud, and decryption comes straight back from it. Encryption and sync software are combined. Encrypted content exists only in memory and in transit during sync with the cloud. The plain-text (unencrypted) files reside in an ordinary system folder.
  • Pluses:
    • It is unlikely that clear-text files will inadvertently go to the cloud through user error.
    • It's unlikely that clear-text files will be lost.
    • Combined encryption and sync enables finer-grain processes. Functions like economical storage of previous versions in the cloud, file-by-file shareable encrypted links, and collaboration are examples.
    • Local files are always available in plain-text, even when the encryption process is not running.
  • Minuses:
    • Local files are not encrypted at rest by the process, as they are in Type 2. You need to add independent local encryption (full-disk encryption, or a Type 4 container placed inside the synced folder) if you want those files to be encrypted at rest.
    • There are not many free products using Type 1 encryption.

Type 2 = [Virtual Drive - virtual clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: BoxCryptor | Cryptomator | Cloudifile | Viivo |
  • Description: The key words here are "Virtual Drive". That's in contrast to the "Unencrypted Folder" of Type 1. User files are always encrypted. They are accessed as virtual clear-text files. The encryption software stores encrypted files in a location associated with the cloud sync/storage service being used. Choice of those services is independent from the encryption software.
  • Pluses:
    • Client-side (physical, local) files are always encrypted at rest; only the virtual drive shows clear text.
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • Flexibility in the choice of cloud provider lets you pick features, functions and price.
  • Minuses:
    • Pitfall: The folder for encrypted files is an ordinary folder. If the user places any clear-text files directly in that folder, the sync client uploads them as-is and they will sit in the cloud in clear text.
    • Client-side files are not available in clear text when the encryption process is not running. (You need the password to unlock the vault and mount the virtual drive.)

Type 3 = [User Folder - clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: Cloudfogger
  • Description: User files are contained in a local clear-text folder. The encryption software places encrypted files in a location associated with the cloud sync/storage service being used. Choice of those services is independent from the encryption software.
  • Pluses:
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • The flexibility cloud provider choice enables choice of features, functions and price.
  • Minuses:
    • Pitfall: The folder for encrypted files is an ordinary folder. If the user places any clear-text files directly in that folder, the sync client uploads them as-is and they will sit in the cloud in clear text.
    • Local files are not encrypted at rest by the process, as they are in Type 2: the clear-text folder is an ordinary folder, so this method carries the same hazard as Type 1.
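The Type 2 and Type 3 pitfall above is a user error, so it is worth a mechanical check before the sync client runs. The following is an added example written for this page, not code from any of the products named; it assumes only that encrypted files look like random bytes (byte entropy near 8 bits/byte) and that vault metadata a tool legitimately keeps in clear is put on an allow-list by the caller. The file names are modelled on Cryptomator's vault layout and the file contents are constructed for the demo.

```python
"""Leak check for the folder that a cloud client syncs on behalf of a Type 2 or Type 3 setup.

Added illustration, not code from BoxCryptor, Cryptomator, Cloudfogger or any cloud
client. It assumes nothing about the tool's file format: a file whose first bytes have
byte-entropy near 8 bits/byte is treated as encrypted, anything else as a possible
clear-text leak. Metadata a tool keeps in clear goes on a caller-supplied allow-list.
"""
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 4096      # enough bytes for a stable entropy estimate
MIN_JUDGEABLE = 512      # below this, the maximum possible entropy is too low to decide
ENTROPY_THRESHOLD = 6.5  # bits/byte; ciphertext sits near 7.9, English text near 4-5


def shannon_entropy(data):
    """Bits of entropy per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """'encrypted-looking', 'plaintext-suspect', or 'too-small' for one file."""
    if os.path.getsize(path) < MIN_JUDGEABLE:
        return "too-small"
    with open(path, "rb") as f:
        sample = f.read(SAMPLE_BYTES)
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "encrypted-looking"
    return "plaintext-suspect"


def scan(root, allow=frozenset()):
    """Map every file under root (relative, '/'-separated) to its classification,
    skipping file names on the allow-list."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in allow:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify(full)
    return results


def suspects(results):
    """Just the files that would go to the cloud in clear."""
    return sorted(p for p, label in results.items() if label == "plaintext-suspect")


def demo():
    """Constructed vault folder: one ciphertext-like blob, one stray text file
    (the user error from the page), and one allow-listed metadata file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "d", "AB"))
    with open(os.path.join(root, "d", "AB", "file1.c9r"), "wb") as f:
        f.write(os.urandom(8192))  # constructed stand-in for an encrypted file
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("The quick brown fox jumps over the lazy dog. " * 50)  # stray clear text
    with open(os.path.join(root, "masterkey.cryptomator"), "w") as f:
        f.write('{"version": 8, "note": "constructed placeholder"}')  # kept in clear by design
    return scan(root, allow={"masterkey.cryptomator"})


if __name__ == "__main__":
    for path, label in demo().items():
        print(f"{label:18} {path}")
```

Compressed files (zip, PNG, JPEG) also have high entropy, so this catches the obvious leak (documents, spreadsheets, text) rather than every possible one; the allow-list is the place for files such as masterkey.cryptomator that the tool itself keeps unencrypted.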

Type 4 = [Virtual drive - clear-text files are virtual only] << >> [Encryption] << >> [Encrypted volume - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: VeraCrypt | TrueCrypt (not recommended)
  • Description: User files exist only inside the encryption container. The container/vault/volume is a monolithic (single) encrypted file. Its files are accessed as virtual clear-text files on a mounted virtual drive. Cloud sync and storage are provided by independent cloud services.
  • Pluses:
    • Very robust encryption is available. I use VeraCrypt in this Type 4 configuration, but watch out for the pitfall (below in minuses) if you do.
  • Minuses:
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block-level updates (syncing just the changed parts of that big encrypted container file).
    • Pitfall: Unless the encryption software is set up exactly right, the cloud sync process will not detect that the encrypted volume's contents have changed, and the changed volume will not be synced to the cloud. With VeraCrypt the usual cause is the "Preserve modification timestamp of file containers" option (Settings > Preferences), which is on by default: the container's bytes change but its timestamp does not, so a sync client that watches timestamps sees nothing. Turn that option off, and dismount the volume before the sync runs; confirm the fix by checking that the container's modification time advances after you dismount.
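A way to catch the Type 4 pitfall and to see the block-update cost at the same time, as an added example for this page (not VeraCrypt's or any cloud client's own code): it records a snapshot of the container (modification time plus a hash per fixed-size chunk) and on the next run reports whether the bytes changed while the timestamp did not, which is exactly the change a timestamp-driven sync client misses, then bumps the timestamp so the client picks it up. The 64 KiB chunk size is an assumption standing in for the client's block size, and the demo builds a random-byte stand-in for a container rather than a real VeraCrypt volume. Run it after dismounting the volume.

```python
"""Pre-sync check for a Type 4 encrypted container (VeraCrypt-style).

Added illustration, not VeraCrypt's or any cloud client's own code. It assumes a
cloud sync client that notices changes by modification time, and a container whose
contents can change without the timestamp changing (the preserved-timestamp case).
"""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024  # assumed block size, standing in for a block-level sync client's


def chunk_hashes(path):
    """SHA-256 of each fixed-size chunk, so we can count how many blocks changed."""
    hashes = []
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            hashes.append(hashlib.sha256(block).hexdigest())
    return hashes


def snapshot(path):
    """What we remember about the container between runs."""
    st = os.stat(path)
    return {"mtime_ns": st.st_mtime_ns, "size": st.st_size, "chunks": chunk_hashes(path)}


def compare(old, new):
    """Did the content change, did the mtime change, and how many chunks differ."""
    changed = sum(1 for a, b in zip(old["chunks"], new["chunks"]) if a != b)
    changed += abs(len(old["chunks"]) - len(new["chunks"]))
    content_changed = changed > 0
    mtime_changed = old["mtime_ns"] != new["mtime_ns"]
    return {
        "content_changed": content_changed,
        "mtime_changed": mtime_changed,
        "changed_chunks": changed,          # what a block-level client would upload
        "total_chunks": len(new["chunks"]),  # what a whole-file client would upload
        # The page's hazard: container edited, timestamp untouched, sync client skips it.
        "sync_would_miss": content_changed and not mtime_changed,
    }


def check_and_fix(path, state_file, touch=True):
    """Compare the container with the last recorded snapshot; bump mtime if needed.
    Returns None on the first run (nothing to compare against yet)."""
    new = snapshot(path)
    verdict = None
    if os.path.exists(state_file):
        with open(state_file) as f:
            old = json.load(f)
        verdict = compare(old, new)
        verdict["touched"] = False
        if verdict["sync_would_miss"] and touch:
            os.utime(path, None)  # set mtime to now so a timestamp-based client notices
            new = snapshot(path)
            verdict["touched"] = True
    with open(state_file, "w") as f:
        json.dump(new, f)
    return verdict


def demo():
    """Constructed scenario: a 1 MiB random-byte 'container', one 32-byte write inside
    chunk 5, and the timestamp restored afterwards (as VeraCrypt's default does)."""
    tmp = tempfile.mkdtemp()
    container = os.path.join(tmp, "vault.hc")  # hypothetical container name
    state = container + ".sync-state.json"
    with open(container, "wb") as f:
        f.write(os.urandom(16 * CHUNK))
    past = 1_600_000_000 * 10**9  # fixed old timestamp (ns) so "unchanged" is unambiguous
    os.utime(container, ns=(past, past))
    check_and_fix(container, state)  # baseline snapshot
    with open(container, "r+b") as f:
        f.seek(5 * CHUNK + 100)
        f.write(os.urandom(32))
    os.utime(container, ns=(past, past))  # timestamp preserved: the pitfall
    verdict = check_and_fix(container, state)
    verdict["mtime_bumped"] = os.stat(container).st_mtime_ns != past
    return verdict


if __name__ == "__main__":
    print(demo())
```

The chunk count in the verdict is the bandwidth argument from the minus above: a 32-byte edit dirtied 1 of 16 chunks, so a block-level client uploads one block while a whole-file client re-uploads the entire container.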

Type 5 = [User Folder - clear-text files] << >> [Encryption] << >> [Encrypted archive - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Example: CryptSync (Augmented 7-zip process, which also provides 7-zip compression) | Others?
  • Description: The encryption process mirrors the clear-text files directly into an encrypted container (an "archive" in the case of CryptSync/7-Zip). The files can be accessed independently, directly from the archive.
  • Pluses:
    • 7-Zip's encryption (AES-256) is time-tested.
    • 7-zip compression is fast and effective.
  • Minuses:
    • This is an unconventional encryption system.
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block-level updates (syncing just the changed parts of that big encrypted archive file).
    • Local files are not encrypted.
    • Pitfall: The encryption container is an editable multi-file archive. If the user adds clear-text files directly to that archive, they will not be encrypted in the cloud. A 7-Zip archive can hold encrypted and unencrypted entries side by side; listing it with 7z l -slt shows an "Encrypted = +" line for each encrypted entry, so any entry showing "Encrypted = -" is going to the cloud in clear.

Related article

Best Free Encryption Utility for Cloud Storage