Two factor authentication entered public testing this week and is being welcomed with open arms by the security conscious among us. But since the very first release of Dropbox, I have hungered for the ultimate in personal information security: the ability to specify a personal encryption key for my account and the data contained within. While I consider two factor authentication a serious win for security, I still won’t trust the cloud with any truly sensitive information until I know that my files are wrapped in encryption that only I can decode.
Enter BoxCryptor, an application that runs on a Mac or Windows computer. It creates an encrypted folder, essentially a secure disk image that is placed on the local drive. Simply save this file into the Dropbox folder and the BoxCryptor folder actually becomes a mounted drive on your Mac desktop. When creating the BoxCryptor folder, the user is asked to enter their own encryption key. Any files that are saved into this mounted drive (or into the BoxCryptor folder inside the Dropbox folder since they are one and the same) is then encrypted and synced to the Dropbox cloud just like normal Dropbox data. The only significant difference is that the data has been encrypted prior to leaving the local computer.
In short, BoxCryptor provides the type of security I have been waiting years for Dropbox to institute. My files, whether they are sitting on the Dropbox servers or any of the devices that sync with my Dropbox will contain the cyphered version of my files— secure and protected from prying eyes. Even if they wanted to, Dropbox employees could not access my information. The most they would see is a stream of random, incoherent gibberish. The way it should be!
So what are the downsides? There are a couple. None are deal breakers under normal circumstances. First of all, users can no longer access their Dropbox files via the Dropbox web page. Technically the files are still there and listed accordingly, but downloading any of them would result in a file that is no longer readable. This is because your browser has downloaded the encrypted copy of the data. Grab the data from your Dropbox folder when you have BoxCryptor installed and configured and that same file is decrypted on the fly and becomes usable with no addition intervention. The user experience is seamless. But no more access through the web browser.
The next issue is the Dropbox app on smart-phones and tablets. It will no longer work for much the same reason as the web based interface. Yes, the app will have access to the Dropbox and its data, but any files downloaded or accessed directly will be interfacing with the encrypted version of the file. Before the file can be used, it must first be decrypted by the BoxCryptor app (for iOS and Android). In order to make this operation seamless within the more limited confines of the mobile device, BoxCryptor simply supplies a free app that is used in place of the Dropbox app. The BoxCryptor app decrypts and encrypts the data on the fly as needed just as the desktop application. Users just need to remember to use the BoxCryptor app when loading data from the secured directory.
BoxCryptor is also very flexible. When installed, it creates an encrypted folder inside the root directory of the Dropbox folder. This means that the encrypted folder is really only a sub-folder of the main Dropbox. This has several advantages. First of which is that it becomes very easy to keep some files encrypted while leaving other files unsecured. Keeping some data outside of the encrypted directory can be a good thing. Take the Public folder that is a default part of the Dropbox install. Encrypting the contents of the public folder would leave the files unreadable to anyone who might need to access the files via a download link.
One of Dropbox’s most useful features is the ability to share a folder with other Dropbox users. If a user shares a folder that is inside an encrypted directory, the person on the other end of the share would not only need to have BoxCryptor installed but also needs to be configured with the first users encryption key in order for the data to be readable. But since the Public folder and any share folders are outside of the BoxCryptor directory by default, each users can maximize security and eliminate any need to share their encryption key.
Are you and your friends hardcore security junkies? Or are you collaborating on sensitive documents that must be shared via Dropbox? Upgrade from the BoxCryptor Free Edition to Unlimited Personal or Unlimited Business and BoxCryptor provides the ability to create multiple secure directories with individual encryption keys. This way you can have your main BoxCryptor directory secured with a key that only you have access to. At the same time you can create an additional BoxCryptor directory in your Dropbox with a folder inside that is shared with your partner. This directory is secured with a key that is separate from your personal folder. This separate key is one that you share with your partner. Your partner will use that same key when setting up a share folder on his system. And once the mutual share is in place you will be cross-syncing information that is entirely opaque anyone trying to intercept it along the way or read it off the storage server in the cloud.
Put simply, BoxCryptor is an ideal solution for Dropbox’s shortcomings. It is a seamless translator of information for the computer. It encrypts data before Dropbox transmits it up to the cloud and decrypts data before your local software needs to access it.
BoxCryptor has a free version that allows users to create a single encrypted folder. The mobile apps are also free. The paid version adds support for unlimited encrypted folders. So, in theory, it would be possible to encrypt your Dropbox as well as your Google Docs folder and your SkyDrive. Or just create multiple folders with separate keys that you can more safely share with other users. All editions use AES-256 bit encryption. The paid versions also offer the ability to encrypt the file names in addition to the files contents making the data completely opaque.
Visit BoxCryptor.com for more information as well as download a free version. If you are security conscious and have been waiting a solid solution for securing your Dropbox data, this is an ideal solution.
Update: 8/31/12 3pm
We had a great question asked below. Matt wanted to know how BoxCryptor compared to using TrueCrypt to accomplish the same sort of secure subsection of Dropbox. I just posted a followup post explaining the distinct advantages that BoxCryptor has in this situation.