BoxCryptor: Secure Your Dropbox

Two factor authentication entered public testing this week and is being welcomed with open arms by the security conscious among us.  But since the very first release of Dropbox, I have hungered for the ultimate in personal information security: the ability to specify a personal encryption key for my account and the data contained within.  While I consider two factor authentication a serious win for security, I still won’t trust the cloud with any truly sensitive information until I know that my files are wrapped in encryption that only I can decode.

Enter BoxCryptor, an application that runs on a Mac or Windows computer.  It creates an encrypted folder, essentially a secure disk image that is placed on the local drive.  Simply save this file into the Dropbox folder and the BoxCryptor folder actually becomes a mounted drive on your Mac desktop.  When creating the BoxCryptor folder, the user is asked to enter their own encryption key.  Any files that are saved into this mounted drive (or into the BoxCryptor folder inside the Dropbox folder, since they are one and the same) are then encrypted and synced to the Dropbox cloud just like normal Dropbox data.  The only significant difference is that the data has been encrypted prior to leaving the local computer.

In short, BoxCryptor provides the type of security I have been waiting years for Dropbox to institute.  My files, whether they are sitting on the Dropbox servers or any of the devices that sync with my Dropbox, will contain the cyphered version of my files, secure and protected from prying eyes.  Even if they wanted to, Dropbox employees could not access my information.  The most they would see is a stream of random, incoherent gibberish.  The way it should be!

So what are the downsides?  There are a couple.  None are deal breakers under normal circumstances.  First of all, users can no longer access their Dropbox files via the Dropbox web page.  Technically the files are still there and listed accordingly, but downloading any of them would result in a file that is no longer readable.  This is because your browser has downloaded the encrypted copy of the data.  Grab the data from your Dropbox folder when you have BoxCryptor installed and configured and that same file is decrypted on the fly and becomes usable with no additional intervention.  The user experience is seamless.  But no more access through the web browser.

The next issue is the Dropbox app on smartphones and tablets.  It will no longer work, for much the same reason as the web-based interface.  Yes, the app will have access to the Dropbox and its data, but any files downloaded or accessed directly will be the encrypted version of the file.  Before the file can be used, it must first be decrypted by the BoxCryptor app (for iOS and Android).  In order to make this operation seamless within the more limited confines of the mobile device, BoxCryptor simply supplies a free app that is used in place of the Dropbox app.  The BoxCryptor app decrypts and encrypts the data on the fly as needed, just as the desktop application does.  Users just need to remember to use the BoxCryptor app when loading data from the secured directory.

BoxCryptor is also very flexible.  When installed, it creates an encrypted folder inside the root directory of the Dropbox folder.  This means that the encrypted folder is really only a sub-folder of the main Dropbox.  This has several advantages.  The first is that it becomes very easy to keep some files encrypted while leaving other files unsecured.  Keeping some data outside of the encrypted directory can be a good thing.  Take the Public folder that is a default part of the Dropbox install.  Encrypting the contents of the Public folder would leave the files unreadable to anyone who might need to access the files via a download link.

One of Dropbox’s most useful features is the ability to share a folder with other Dropbox users.  If a user shares a folder that is inside an encrypted directory, the person on the other end of the share would not only need to have BoxCryptor installed but would also need it configured with the first user’s encryption key in order for the data to be readable.  But since the Public folder and any shared folders are outside of the BoxCryptor directory by default, each user can maximize security and eliminate any need to share their encryption key.

Are you and your friends hardcore security junkies?  Or are you collaborating on sensitive documents that must be shared via Dropbox?  Upgrade from the BoxCryptor Free Edition to Unlimited Personal or Unlimited Business and BoxCryptor provides the ability to create multiple secure directories with individual encryption keys.  This way you can have your main BoxCryptor directory secured with a key that only you have access to.  At the same time you can create an additional BoxCryptor directory in your Dropbox with a folder inside that is shared with your partner.  This directory is secured with a key that is separate from your personal folder.  This separate key is one that you share with your partner.  Your partner will use that same key when setting up a share folder on his system.  And once the mutual share is in place you will be cross-syncing information that is entirely opaque to anyone trying to intercept it along the way or read it off the storage server in the cloud.

Put simply, BoxCryptor is an ideal solution for Dropbox’s shortcomings.  It is a seamless translator of information for the computer.  It encrypts data before Dropbox transmits it up to the cloud and decrypts data before your local software needs to access it.

BoxCryptor has a free version that allows users to create a single encrypted folder.  The mobile apps are also free.  The paid version adds support for unlimited encrypted folders.  So, in theory, it would be possible to encrypt your Dropbox as well as your Google Docs folder and your SkyDrive.  Or just create multiple folders with separate keys that you can more safely share with other users.  All editions use 256-bit AES encryption.  The paid versions also offer the ability to encrypt the file names in addition to the file contents, making the data completely opaque.
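The encrypt-before-sync model described above, including file-name encryption and separate keys per folder, sketched as an added example; this is not BoxCryptor's code or on-disk format. AES-256-GCM, scrypt key derivation, the blob layout and every function name here are assumptions of the example (the page states only that AES-256 is used).

```javascript
// Added illustration of encrypt-before-sync; not BoxCryptor's code or file format.
const crypto = require('node:crypto');

// Derive a 256-bit key from the user's passphrase (scrypt is this example's choice).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt a buffer with AES-256-GCM; output layout is iv(12) | tag(16) | ciphertext.
function seal(key, plaintext, aad = Buffer.alloc(0)) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Decrypt and authenticate; throws if the key is wrong or the blob was modified.
function unseal(key, blob, aad = Buffer.alloc(0)) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// What lands in the synced folder: an opaque name and opaque contents.
function encryptForSync(key, name, contents) {
  const storedName = seal(key, Buffer.from(name, 'utf8')).toString('base64url');
  // Bind the contents to the stored name so blobs cannot be swapped between names.
  return { storedName, blob: seal(key, contents, Buffer.from(storedName)) };
}

function decryptFromSync(key, entry) {
  const name = unseal(key, Buffer.from(entry.storedName, 'base64url')).toString('utf8');
  return { name, contents: unseal(key, entry.blob, Buffer.from(entry.storedName)) };
}

// True only if this key authenticates and decrypts the entry.
function canRead(key, entry) {
  try { decryptFromSync(key, entry); return true; } catch { return false; }
}

// Constructed sample: a personal folder key and a separate shared-folder key.
const salt = crypto.randomBytes(16); // stored beside the folder; not secret
const personalKey = deriveKey('constructed personal passphrase', salt);
const sharedKey = deriveKey('constructed shared passphrase', salt);
const entry = encryptForSync(personalKey, 'taxes-2012.txt', Buffer.from('constructed sample data'));
console.log('provider sees:', entry.storedName, entry.blob.toString('hex').slice(0, 32) + '...');
console.log('personal key reads it:', canRead(personalKey, entry), '| shared-folder key:', canRead(sharedKey, entry));
```

The storage provider, the web interface and the stock mobile app only ever handle `storedName` and `blob`, which is why a file downloaded through them is unreadable without the key.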

Visit BoxCryptor.com for more information as well as to download a free version.  If you are security conscious and have been waiting for a solid solution for securing your Dropbox data, this is an ideal solution.

Update: 8/31/12 3pm
We had a great question asked below.  Matt wanted to know how BoxCryptor compared to using TrueCrypt to accomplish the same sort of secure subsection of Dropbox.  I just posted a follow-up post explaining the distinct advantages that BoxCryptor has in this situation.

7 Responses to BoxCryptor: Secure Your Dropbox
  1. Paul

    Downloaded. Using it, so simple!

  2. James

    Fantastic! This is just what I need. Trust no one. Never assume that the guys running the server are going to keep their mitts off your data. You’re all nuts if you just take them at their word! It doesn’t matter who “they” are!

  3. Matt

    What advantage does this offer over Truecrypt? I’ve been using that method for encrypting sensitive information on my Dropbox account for a while now.

  4. Tomasz Stasiuk

    I was wondering if the entire “container” had to be unmounted for the encrypted files to sync. Thank you!

    • Steve Manke

      A great question! No need to dismount the image. All of the files on the image are synced in real time, or as real time as Dropbox normally runs. It’s virtually seamless.

      I continue to use this software every single day. It has become a vital part of my workflow!

  5. Steve

    I use the packrat feature in Dropbox. Can I use that feature with Boxcryptor?

    • Steve Manke

      Steve,

      I believe packrat will continue to function as normal. I don’t use that feature, but the normal Dropbox account maintains a certain number of old revisions of files each time it is updated (just not unlimited like packrat). I have tested my revisions inside of Boxcryptor and they are still being saved on the Dropbox site. And those revisions also remain encrypted.

      Based on that, I’m going to say yes. But if you can post back with a definitive confirmation once you have a chance to confirm, it would be greatly appreciated!

      Also keep in mind the BoxCryptor is essentially one new directory inside your Dropbox. So you can utilize its encryption by saving sensitive files into the BoxCryptor folder/image, or you can use normal Dropbox features (such as sharing) by simply keeping those files outside of BoxCryptor inside the normal Dropbox directory. It really is the best of both worlds.

      One piece of advice: When you create your BoxCryptor volume, use a crazy long and complicated password. Something you will only really be able to re-enter if you copy and paste it in. That will only add to BoxCryptor’s already strong encryption. No matter what cyphers are used, this is something most security researchers suggest these days.
