Dropbox? gpgdir to the Rescue!

Locked FolderDuring the last months, Dropbox, the well-known synchronization tool, was hit by bad stories. First, they changed their EULA (“End User License Agreement“) which clearly stated that Dropbox employees could access your files in case of very specific cases like law enforcement procedures. I always blogged about this. Then, researchers discovered that some files can be shared between multiple accounts: Dropbox “deduplicates” them. If the hash of your new file matches the one of an already uploaded file, Dropbox will simply link it to your account. For Dropbox, this is for cost saving reasons (bandwidth & storage). And finally, this weekend, the worst story: During a software upgrade, all Dropbox accounts were available to anybody without authentication during a few hours! In my previous article, I was already dreaming of a Dropbox replacement but I did not find my “dream tool”. Honestly and apart the security issues, Dropbox does a wonderful job. I’m using it between several systems: Linux, Windows, MacOS & iPhone. So, yesterday I tweeted about any valid alternative and got several feedbacks. My conclusion remains the same: Dropbox is a must. At least in my case, if you need to sync files in a scenario different of mine, they are very nice alternatives!

It’s now time to take actions! Some people simply decided to cancel their Dropbox account, I can’t! To keep the integrity and confidentiality of your files, the only way is to manage the encryption by… yoursefl! Note that this is valid for ANY solution, not only Dropbox! From my investigations, the only alternative which encrypts the data on client side is Wuala.

The first step is to find a convenient way to perform the (en|de)cryption process. They are plenty ways to encrypt files and directories but with Dropbox, we have to keep in mind the multiple platforms involved. Google found an interesting tool for me. It’s called gpgdir:

gpgdir is a perl script that uses the CPAN GnuPG::Interface module to encrypt and decrypt directories using a gpg key specified in ~/.gpgdirrc.

What did I like?

  • Free and easy to use
  • Based on GnuPG – It is a free alternative to PGP and I already use it for years.
  • Written in Perl using CPAN modules – This ensures the portability on multiple OS (Linux, Windows and MacOS).

Under Linux, the installation is pretty straight forward, they are packages ready for most of the distributions (For Ubuntu, you need to install “signing-party“). On Windows, you will need Cygwin. Once installed, just specify the key to use during the encryption process (via your $HOME/.gpgdirrc) and you are ready to go. Let’s test:

  $ cd /tmp
  $ mkdir mysafedir
  $ echo "This is secret" >mysafedir/safefile.tmp
  $ gpgdir -e mysafedir
  [+] Executing: gpgdir -e mysafedir
      Using GnuPG key: xxxxxxxx
      Enter password (for initial encrypt/decrypt test)
  Password:
  [+] Encrypting files in directory: /tmp/mysafedir
  [+] Building file list...
  [+] Encrypting:  /tmp/mysafedir/safefile.tmp

  [+] Total number of files encrypted: 1
  $

Just create a directory in your Dropbox repository which will contain the critical files to be encrypted using gpgdir. Now, how to automate this? The easy/dumb way is to create a crontab:

  */3 * * * * gpgdir -e -q -p $HOME/.gpgdirpw /tmp/mysafedir >/dev/null

This cron will run every 3 minutes and encrypt all files in /tmp/mysafedir. Did you notice the “-p” flag? It’s possible to put your password into a file and prevent any interaction with the user. Of course, it’s up to you to take the risk or not to write this information in a flat file!

An sexy alternative is to use the inotify tools! The following script will automatically encrypt new files created in our safe directory:

  $ while inotifywait -q -r -e create /tmp/mysafedir
  do
    gpgdir -e /tmp/mysafedir -p $HOME/.gpgdirpw;
  done

Let’s create a new file and… magic!

  $ cd /tmp/mysafedir
  $ echo "More and more secret" >newfile
  $ ls
  newfile.gpg safefile.tmp.gpg

The loop based on inotifywait could easily be started at boot time. Compared to the crontab solution, it does not consume resources until a new file is created in the directory.

As you can see, it’s quite easy to get rid of the Dropbox – or any other synchronization tool – security considerations by managing your own encryption!

 

6 comments

  1. Warning, two big flaws with this! First, before the file is encrypted, dropbox will sync the file. That means the unencrypted file is in your dropbox history as an old version or deleted file and can be downloaded using the web UI. Second, you’re storing a GPG passphrase in a file! Bad idea.

  2. I use Truecrypt. It allows me to encrypt/decrypt on the fly everything that is stored in my Dropbox storage. Unfortunately this application is not available for iPhone. However Truecrypt is available for Windows, Linux & Mac. It’s free.

  3. Why not use EncFS (with FUSE) instead? It nicely integrates with system (no inotify/cron hacks needed), provides per file encryption…

  4. Kurt,

    Like I said in my post… The solution you will implement will directly depend on your own usage of the Dropbox application! Sharing across multiple people, multiple OS etc…

    There is no UNIQUE solution!

    /x

  5. Managing your own encryption is fine, but there is a problem whe you want to share a couple of files with person A and another couple of files with person B.

    If dropbox does not want to include encryption in their client, perhaps somebody wants to take your ideas and put them into perfection like automatically creating a key for every different folder and having the option to automatically share this key with other users you want to share this folder with?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.