Cloud Encryption

JGoodish

Does anyone have experience with Boxcryptor or Cryptomator? I’m specifically looking for a solution which will permit local zero-knowledge encryption, syncing with a cloud service (such as iCloud or OneDrive), and works across mobile and desktop OS.

Both of the products above claim to do all of that, but I’m not sure how gracefully they’re integrated with existing workflows.


Thanks!
 
Not enough information. What are you trying to accomplish?

Networking is having your data on a server down the hall and thinking that's a good thing.

Cloud is having your data on someone else's computer and thinking that's a better thing.

A request for encrypting your data kind of sounds like you're realizing it's not.
 
Not enough information. What are you trying to accomplish?

Networking is having your data on a server down the hall and thinking that's a good thing.

Cloud is having your data on someone else's computer and thinking that's a better thing.

A request for encrypting your data kind of sounds like you're realizing it's not.
That's not something the OP just dreamed up on their own. Zero-knowledge encrypted cloud storage is a growing market segment — SpiderOak was one of the earliest companies, but there are lots now. The idea is that you outsource storage without giving a third party access to your data.

It's interesting that companies like Google and Dropbox have shown no interest in offering zero-knowledge storage — that suggests they see business value in being able to read your data.
 
I’m aware of what zero knowledge storage is. What is being stored? Personal documents? Company email? Texts from your HS girlfriend that you don’t want your wife to see?
 
I’m aware of what zero knowledge storage is. What is being stored? Personal documents? Company email? Texts from your HS girlfriend that you don’t want your wife to see?
Even if it's just boring stuff like invoices, why would you want a cloud storage provider to be able to read it?
 
The integration part will be the hard part. SpiderOak works across platforms but it doesn't present itself as "just another drive" - it's more a backup & file exchange solution. It will keep a local backup.

I'm not familiar with either product you mentioned. The differences in file structures on the various platforms make it a bit harder, and the OS manufacturers don't seem to have incentive to make it a whole lot smoother - even some of the password managers could be better integrated.

As for zero knowledge, first thing to do is make sure that you're not running a phone-home key logger like MS has in Windows ('solely for product improvement' of course). In fact, key logging and spyware on your system has become "the way" to beat such encryption.
 
Even if it's just boring stuff like invoices, why would you want a cloud storage provider to be able to read it?

But the cloud storage provider promises to do it (read/own/manipulate) for my own good.

(green text to denote sarcasm)

The problems with the privacy notices and TOS (and lack of SLA) of providers like Dropbox apparently are beyond the comprehension of many people who should know better.
 
BTW, Proton is supposedly working on an offering, but I don't know where that effort stands.
 
As for zero knowledge, first thing to do is make sure that you're not running a phone-home key logger like MS has in Windows ('solely for product improvement' of course). In fact, key logging and spyware on your system has become "the way" to beat such encryption.
What key logger is that? I read the statement as implying Microsoft includes a logger as part of Windows as a "feature" - did I understand the statement as you intended?
If so, where do they keep the log files?
 
What key logger is that? I read the statement as implying Microsoft includes a logger as part of Windows as a "feature" - did I understand the statement as you intended?
If so, where do they keep the log files?
They do as part of their "diagnostics" options. They also offer it in another place, too, where it offers to help build a vocabulary that Win 10 uses. This one is more troubling as it clearly states that it sends the typing data to Microsoft.

 
They do as part of their "diagnostics" options. They also offer it in another place, too, where it offers to help build a vocabulary that Win 10 uses. This one is more troubling as it clearly states that it sends the typing data to Microsoft.

Thanks much! I set those literally years ago and forgot about them, but it was good to verify an update didn't switch them back on.
Assuming those controls do what they claim, at least MS gave an opportunity to do something about it although they hid them too well for most users. I'd suppose someone would have found out by now if they were bogus settings that did nothing.
 
Not enough information. What are you trying to accomplish?

Networking is having your data on a server down the hall and thinking that's a good thing.

Cloud is having your data on someone else's computer and thinking that's a better thing.

A request for encrypting your data kind of sounds like you're realizing it's not.

Storing data in the cloud is certainly a better thing for convenience; it is not necessarily a better thing for security or privacy. Many cloud providers offer decent multi-factor authentication for account security and will encrypt data in transit and at rest, but they control the encryption keys, so the at-rest data really isn't private. It may not even be that secure, as you have no idea who has the ability to access it, with whom it may be shared, or whether it's really gone when you delete it.

It appears that the optimal way of maintaining the convenience but adding the privacy is with a utility which performs file-level encryption locally. Both Boxcryptor and Cryptomator claim to do that, but I don't have much experience with either. I've taken a quick look at Cryptomator, but I haven't put it through any type of stress test, nor have I tested it between devices (only on Windows 10).

The type of data being stored really makes no difference. With today's data mining, even small amounts of seemingly innocuous data can be collected and assembled to either identify you, or identify a significant amount about you. Social media companies and Google have built an entire industry around data mining, and there are many others in the business which may not be familiar names to most people.

Bill's comments on Windows 10 snooping reminded me to check those settings. Fortunately, my Windows 10 installation is a VM which is rarely powered up.
 
It appears that the optimal way of maintaining the convenience but adding the privacy is with a utility which performs file-level encryption locally. Both Boxcryptor and Cryptomator claim to do that, but I don't have much experience with either.
All zero-knowledge solutions encrypt and decrypt on your computer — the provider doesn't have the key, and (obviously) can't recover your password if you lose it, or share your data with authorities even if a court orders them to.

As I mentioned earlier, SpiderOak has been around forever, but there are lots of other companies in the zero-knowledge space now.

It's not as safe as keeping your data encrypted on a USB drive stored in a safety-deposit box — no cloud service is — but it's far more secure than Dropbox or Google Drive.
 
All zero-knowledge solutions encrypt and decrypt on your computer — the provider doesn't have the key, and (obviously) can't recover your password if you lose it, or share your data with authorities even if a court orders them to.

As I mentioned earlier, SpiderOak has been around forever, but there are lots of other companies in the zero-knowledge space now.

It's not as safe as keeping your data encrypted on a USB drive stored in a safety-deposit box — no cloud service is — but it's far more secure than Dropbox or Google Drive.

There are plenty of ways to create an encrypted archive on your computer, but unless files are encrypted and stored individually, those solutions really aren't suitable for cloud storage synchronization. When individual files change, you don't want to resync the entire archive to the cloud.

Software such as Boxcryptor and Cryptomator appears to encrypt files individually on the fly, and permits you to create "vaults" on your local cloud repository containing individually encrypted files, which then sync to the cloud as normal unencrypted files would do. My brief experience with Cryptomator suggests that this works as expected with OneDrive, and I suspect that it will work with other cloud services as well. Therefore, there is no requirement for the cloud service itself to support zero-knowledge encryption.

Why don't I just choose a cloud service which offers zero-knowledge encryption functionality? Well, I am a Microsoft 365 subscriber (for the Office applications), and I therefore have 1TB of OneDrive available as part of the subscription. I'd like to find a way to use what I'm already paying for if that can be done in a reasonably graceful way.
 
You can encrypt files yourself with OpenSSL. A simple script could monitor a folder and encrypt changed files, copying them over to the folder that's connected to OneDrive, and do the same in reverse as well.
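
A sketch of the script idea above, combined with the per-file point made earlier in the thread (only changed files get re-encrypted, so only they re-sync). This is an added example, not part of the original post; the directory layout, the passphrase file and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-file encryption into a synced folder.
# Directory names, the passphrase file and function names are hypothetical.

# encrypt_changed PLAIN_DIR SYNC_DIR PASSFILE
# Encrypts each file under PLAIN_DIR that is newer than its encrypted copy in
# SYNC_DIR, and prints the relative path of every file it (re)encrypted.
encrypt_changed() {
    plain_dir=$1; sync_dir=$2; passfile=$3
    find "$plain_dir" -type f | while IFS= read -r src; do
        rel=${src#"$plain_dir"/}
        dst="$sync_dir/$rel.enc"
        # Unchanged file: leave its ciphertext alone so nothing re-uploads.
        if [ -e "$dst" ] && [ ! "$src" -nt "$dst" ]; then
            continue
        fi
        mkdir -p "$(dirname "$dst")"
        # Write under a temporary name, then rename, so a half-written
        # ciphertext never appears under its final name.
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$passfile" -in "$src" -out "$dst.tmp" || exit 1
        mv "$dst.tmp" "$dst"
        printf '%s\n' "$rel"
    done
}

# decrypt_file ENC_FILE OUT_FILE PASSFILE
# The reverse direction: recover one plaintext file from the synced folder.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# Typical call (paths are placeholders):
#   encrypt_changed "$HOME/private" "$HOME/OneDrive/vault" "$HOME/.vaultpass"
```

`openssl enc` in CBC mode does not authenticate the ciphertext, and file names, sizes and folder layout stay visible to the storage provider, so this protects content only.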
 
You can encrypt files yourself with OpenSSL. A simple script could monitor a folder and encrypt changed files, copying them over to the folder that's connected to OneDrive, and do the same in reverse as well.

How well does that work on iOS?
 
I thought this was going to be a thread about the weather and was all prepared to whip out alto cumulus standing lenticular but nooooo, it has to be a nerd thread. :(
 
I thought this was going to be a thread about the weather and was all prepared to whip out alto cumulus standing lenticular but nooooo, it has to be a nerd thread. :(

This thread is about data privacy. My thread about the weather is titled, “Cloud Deletion.”
 
That's why I'm looking for a solution which works well, is relatively user-friendly, and integrates with multiple platforms.

Sorry, missed the mobile part in your original post.
 