This week on my regular trawl through Kickstarter, a security key for cloud storage called the Qi4BOX, aimed in particular at Dropbox, happened to catch my eye. The Qi4BOX (pronounced “key for box”) is a USB dongle that looks like a standard thumb drive and allows you to individually encrypt files in Dropbox. The files will only be accessible if you have the USB dongle plugged in.
After reading the marketing material it seemed rather a poor solution: it still allows the cloud provider to see the individual file names and metadata, it completely breaks mobile access, and they did not go into detail about how the cryptography works, which is always a worry. Most importantly, the cheapest version would be $170 (around £106), and if you were looking to use it as a collaboration tool you would need at least 2.
After a little research I’ve come up with two possible ways to get an encrypted cloud solution. There are a number more but these should fit most people’s needs. The first is to do the encryption yourself on your own machine and the second is to change cloud providers to one that has security built in.
Performing the encryption yourself on your own machine sounds intimidating and is somewhat complicated to set up, but once you have done so it is an almost seamless experience. Following similar instructions to those here I have set my system up to have a virtual TrueCrypt volume stored in my Dropbox. This means that there is a blob of data which to Dropbox looks like a huge randomly filled file, but which, with the proper (automatically running) programs on my PC, appears as an extra totally secure and synced drive. This method keeps all files, file names, sizes and metadata totally covered and uses trusted open source encryption techniques. While it does break mobile access to those files, it has the huge advantage of allowing you to subdivide your Dropbox space into insecure (where you might keep your family photos) and secure (where you would keep your financial info). Most happily this solution has one other big advantage – it’s totally free.
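The difference between the two layouts can be checked from the provider's side. The sketch below is an added example, not part of the original post: it lists what a storage provider can read without any key (names, sizes, and whether the content looks random) for a plain file, a per-file encrypted file and a single container. The file names, block size and threshold are assumptions, and `os.urandom` stands in for real ciphertext.

```python
import math
import os
from collections import Counter

BLOCK = 4096       # bytes per examined block (assumed for this sketch)
THRESHOLD = 7.8    # bits/byte; random 4 KiB blocks measure about 7.95

def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def low_entropy_blocks(blob: bytes) -> list:
    """Offsets of full blocks that do not look random (a short tail is skipped,
    because a short block cannot reach 8 bits/byte even when random)."""
    return [off for off in range(0, len(blob) - BLOCK + 1, BLOCK)
            if shannon_entropy(blob[off:off + BLOCK]) < THRESHOLD]

def provider_view(layout: dict) -> list:
    """What the storage provider can read without a key:
    (file name, size in bytes, number of readable-looking blocks)."""
    return [(name, len(data), len(low_entropy_blocks(data)))
            for name, data in sorted(layout.items())]

def sample_layouts() -> dict:
    """Constructed data; os.urandom stands in for real ciphertext."""
    row = b"date,payee,amount\n2013-08-01,Mortgage,950.00\n"
    statement = (row * 1000)[:8 * BLOCK]
    return {
        # Unencrypted: name, size and content are all exposed.
        "plain": {"bank_statement.csv": statement},
        # Per-file encryption: content is opaque, name and size still leak.
        "per_file": {"bank_statement.csv": os.urandom(len(statement))},
        # Container: one fixed-size blob, nothing about its contents leaks.
        "container": {"volume.tc": os.urandom(64 * BLOCK)},
    }

if __name__ == "__main__":
    for label, layout in sample_layouts().items():
        print(label, provider_view(layout))
```

Running `low_entropy_blocks` over the first few megabytes of a real container file is a quick way to confirm that what is being synced carries no readable header or plaintext.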
The second solution that occurred to me was to use a cloud provider that gives you encryption. This is almost certainly not as secure as doing it yourself, as you cannot ever know what the cloud provider is actually doing in detail (they keep it quiet for commercial reasons), but it is still much, much more secure than no encryption. A good example of this would be Bitcasa. They encrypt each file as it is synced from your computer and sent to their servers, and would find it difficult to view your data. With the Bitcasa approach they would be able to see all file names and metadata and have some limited on-server decryption ability, but you would overall be much safer than using standard Dropbox. Noted security podcaster Steve Gibson did an excellent round-up of all of the available cloud services’ security policies and technologies, and if you are considering this route it is well worth a read or listen.
If you want extra security for your cloud-saved documents there are a number of ways to go. TrueCrypt, Bitcasa and Qi4BOX all offer different strengths and weaknesses, but in the wake of the Snowden revelations it should be something that we all consider.