During the last months, Dropbox, the well-known synchronization tool, was hit by bad stories. First, they changed their EULA (“End User License Agreement“) which clearly stated that Dropbox employees could access your files in case of very specific cases like law enforcement procedures. I always blogged about this. Then, researchers discovered that some files can be shared between multiple accounts: Dropbox “deduplicates” them. If the hash of your new file matches the one of an already uploaded file, Dropbox will simply link it to your account. For Dropbox, this is for cost saving reasons (bandwidth & storage). And finally, this weekend, the worst story: During a software upgrade, all Dropbox accounts were available to anybody without authentication during a few hours! In my previous article, I was already dreaming of a Dropbox replacement but I did not find my “dream tool”. Honestly and apart the security issues, Dropbox does a wonderful job. I’m using it between several systems: Linux, Windows, MacOS & iPhone. So, yesterday I tweeted about any valid alternative and got several feedbacks. My conclusion remains the same: Dropbox is a must. At least in my case, if you need to sync files in a scenario different of mine, they are very nice alternatives!
It’s now time to take actions! Some people simply decided to cancel their Dropbox account, I can’t! To keep the integrity and confidentiality of your files, the only way is to manage the encryption by… yoursefl! Note that this is valid for ANY solution, not only Dropbox! From my investigations, the only alternative which encrypts the data on client side is Wuala.
The first step is to find a convenient way to perform the (en|de)cryption process. They are plenty ways to encrypt files and directories but with Dropbox, we have to keep in mind the multiple platforms involved. Google found an interesting tool for me. It’s called gpgdir:
“gpgdir is a perl script that uses the CPAN GnuPG::Interface module to encrypt and decrypt directories using a gpg key specified in ~/.gpgdirrc.“
What did I like?
- Free and easy to use
- Based on GnuPG – It is a free alternative to PGP and I already use it for years.
- Written in Perl using CPAN modules – This ensures the portability on multiple OS (Linux, Windows and MacOS).
Under Linux, the installation is pretty straight forward, they are packages ready for most of the distributions (For Ubuntu, you need to install “signing-party“). On Windows, you will need Cygwin. Once installed, just specify the key to use during the encryption process (via your $HOME/.gpgdirrc) and you are ready to go. Let’s test:
$ cd /tmp
$ mkdir mysafedir
$ echo "This is secret" >mysafedir/safefile.tmp
$ gpgdir -e mysafedir
[+] Executing: gpgdir -e mysafedir
Using GnuPG key: xxxxxxxx
Enter password (for initial encrypt/decrypt test)
Password:
[+] Encrypting files in directory: /tmp/mysafedir
[+] Building file list...
[+] Encrypting: /tmp/mysafedir/safefile.tmp
[+] Total number of files encrypted: 1
$
Just create a directory in your Dropbox repository which will contain the critical files to be encrypted using gpgdir. Now, how to automate this? The easy/dumb way is to create a crontab:
*/3 * * * * gpgdir -e -q -p $HOME/.gpgdirpw /tmp/mysafedir >/dev/null
This cron will run every 3 minutes and encrypt all files in /tmp/mysafedir. Did you notice the “-p” flag? It’s possible to put your password into a file and prevent any interaction with the user. Of course, it’s up to you to take the risk or not to write this information in a flat file!
An sexy alternative is to use the inotify tools! The following script will automatically encrypt new files created in our safe directory:
$ while inotifywait -q -r -e create /tmp/mysafedir
do
gpgdir -e /tmp/mysafedir -p $HOME/.gpgdirpw;
done
Let’s create a new file and… magic!
$ cd /tmp/mysafedir
$ echo "More and more secret" >newfile
$ ls
newfile.gpg safefile.tmp.gpg
The loop based on inotifywait could easily be started at boot time. Compared to the crontab solution, it does not consume resources until a new file is created in the directory.
As you can see, it’s quite easy to get rid of the Dropbox – or any other synchronization tool – security considerations by managing your own encryption!
Dropbox is a well-known online service which allows you to share files between computers. If, in the past few months, new outsiders came on the same market, Dropbox remains the number one. If files are synchronized between Dropbox software clients, they also provide features to share files with third-party who don’t have a Dropbox account. How? By creating “links” to those files. It’s easy: In your Dropbox folder, select a file, right click and select “Dropbox -> Get Link“. Your direct URL will look like this: “http://www.dropbox.com/s/wg0ih0qywujn77y/myfile.zip“. Then, share the URL with your peers who just have to point their browser to it to access your file. Easy!
). As you encrypt data by yourself, more CPU usage is required and a risk of data loss exists if you loose your password! (You are the only one to know it). About the security of your data, Wuala allows their users to share some free disk space to store blocks of data from user users. By doing this, you can get extra storage capacity (they call this “trading“). Nice but I’m not feeling comfortable with some piece of my data stored on other computers not controlled by the “service provider“. What will happen if their encryption algorithm is broken? From a pure networking point of view, Wuala can be detected as a Peer-2-Peer application. I still prefer Dropbox which works below the radar (it uses HTTPS). Here is a small overview of pro & con:
