Dropbox: How Does BoxCryptor Compare to TrueCrypt?

Following a post earlier this week extolling the virtues of BoxCryptor, I received an email from a reader asking how it compared to TrueCrypt when it came to securing the contents of a Dropbox.  This was such a great question that it warranted a follow-up post all its own.  For the unfamiliar, TrueCrypt is a great open-source end-to-end encryption tool.  It is a software package that does a lot of things and does them very well.  Many of its features are beyond the scope of this post.  We are going to look only at the features as they pertain specifically to Dropbox.

TrueCrypt allows users to create an encrypted disk image anywhere on the computer’s file system.  In this case, users have been choosing to create that image inside the root of the Dropbox folder.  This means that the encrypted TrueCrypt image is then synced back to the Dropbox server cloud and to all other client systems attached to that Dropbox account.  In order to use this encrypted disk image, the user must first mount it on a Mac or Windows PC.  Once the image has been mounted, files can be copied to and from it as though the mounted image were an attached USB thumb drive.  The advantage is that any files stored on this mounted image are encrypted by the simple virtue of being saved to the TrueCrypt disk image.

There are several problems with this configuration.  The first is that, while the disk image is mounted, the contents of the TrueCrypt file cannot sync back to the Dropbox cloud, so real-time sync is out.  The user’s workflow must therefore consist of mounting the disk image that is stored in the Dropbox folder, then copying data to or from the image, or working on files directly off the disk image and saving revisions back to it.  When finished, the user dismounts the virtual disk.  Only at that point does Dropbox pick up the change to the TrueCrypt file, and it then uploads the entire TrueCrypt disk image file to the Dropbox server cloud.

This is the second problem.  Dropbox has no way of identifying the files modified within the TrueCrypt disk image.  Dropbox sees only a single file, the TrueCrypt disk image file, and identifies that it has been modified.  Since it sees that image as a single file, it uploads the entire file into the cloud.  Dropbox’s ability to sync back only modified files has been eliminated in this situation.  This means that, in many cases, there is a tremendous amount of overhead involved in uploading and downloading the encrypted disk image, since the entire file is transferred with every single revision of the image’s contents.  Not the end of the world if your TrueCrypt image is 1-2 MB.  But for users storing gigabytes of data in an encrypted format, this becomes an untenable sync situation.

Both of these issues are entirely mitigated with the use of BoxCryptor.  BoxCryptor creates an encrypted folder inside of the Dropbox directory; it does not create a virtual disk image.  This might get a little confusing since, when the encrypted folder is created, the BoxCryptor application also mounts a virtual hard drive on the Mac desktop as a shortcut to the contents of the encrypted folder.  Placing files inside of the virtual disk icon on the desktop is the same as going into the Dropbox directory, opening the BoxCryptor folder and placing the file in that location.

Lastly, the TrueCrypt solution is ripe for conflict.  The disk image cannot be mounted on a second workstation if it was left open on the last workstation.  Forgetting to dismount the image on one computer before opening it on another will either result in corruption of the image, or in a duplicate copy of the data with no means to reconcile its changed files with the contents of the duplicate disk image stored in the cached Dropbox on the other workstation.  Confusing?  Yes.  Messy?  Yes.  Likely to happen?  I consider it only a matter of time before this situation bites a user in the ass.

Additionally, the TrueCrypt solution leaves users on mobile devices such as smartphones and tablets out in the cold.  There is no client app that allows access to the data in this situation.  With BoxCryptor, there is a client app that allows easy access to all of the encrypted information while on the go.

It can be a little confusing, but the important takeaway is that BoxCryptor keeps its encrypted files inside a folder inside of Dropbox.  Because of this, Dropbox can sync only the changed files within the BoxCryptor directory; there is no need to send the entire contents of the BoxCryptor directory into the cloud.  This means a massive savings in bandwidth, upload and download time, and sync overhead, and it also means that Dropbox can index the BoxCryptor data for changes in spite of the strong encryption.

Put more simply, TrueCrypt is a way of getting the job done.  BoxCryptor is a more efficient and user-friendly way of working with secure Dropbox files.  Once it’s installed and configured, accessing the encrypted data is as seamless as accessing the unencrypted data in Dropbox.  Find more information on BoxCryptor here.
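To make the sync-overhead argument concrete, here is an added Python simulation (not code from this post, BoxCryptor, TrueCrypt or Dropbox) of how a block-deduplicating sync client would treat the two layouts. It assumes a client that hashes fixed-size chunks and re-uploads only the chunks whose hash changed (scaled down to 4 KiB chunks and a 64 KiB container so it runs instantly), and it uses a SHAKE-256 keystream as a stand-in for a real cipher. It goes slightly beyond the text by showing both possible container behaviours: one where a small edit stays local to the sector edited, and one where the whole image is re-encrypted under a fresh nonce on every save, so every chunk differs. The per-file folder layout is compared under the same dedup model.

```python
import hashlib

CHUNK_SIZE = 4096    # stands in for a sync client's fixed block size (constructed, scaled down)
SECTOR_SIZE = 512    # sector granularity of the simulated container


def keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    # Toy keystream from SHAKE-256. Illustration only; not a real cipher.
    return hashlib.shake_256(key + tweak).digest(length)


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_container_positional(key: bytes, image: bytes) -> bytes:
    """Container encrypted sector by sector, each sector under a tweak derived from
    its position. Editing one sector changes only that sector's ciphertext."""
    out = bytearray()
    for n, off in enumerate(range(0, len(image), SECTOR_SIZE)):
        sector = image[off:off + SECTOR_SIZE]
        out += xor_bytes(sector, keystream(key, b"sector" + n.to_bytes(8, "big"), len(sector)))
    return bytes(out)


def encrypt_container_fresh_nonce(key: bytes, image: bytes, save_nonce: bytes) -> bytes:
    """Container encrypted as one stream under a nonce that changes on every save.
    Every byte of ciphertext differs from the previous save, so nothing deduplicates."""
    return xor_bytes(image, keystream(key, b"image" + save_nonce, len(image)))


def encrypt_folder(key: bytes, files: dict, nonces: dict) -> dict:
    """Per-file encryption: each file is its own ciphertext blob with its own nonce."""
    return {name: xor_bytes(data, keystream(key, b"file" + name.encode() + nonces[name], len(data)))
            for name, data in files.items()}


def chunk_hashes(blob: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    return [hashlib.sha256(blob[i:i + chunk_size]).hexdigest() for i in range(0, len(blob), chunk_size)]


def chunks_to_upload(old: bytes, new: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Chunk indices a block-deduplicating sync client would have to transfer."""
    old_h, new_h = chunk_hashes(old, chunk_size), chunk_hashes(new, chunk_size)
    return [i for i, h in enumerate(new_h) if i >= len(old_h) or old_h[i] != h]


def simulate() -> dict:
    key = b"constructed-demo-key"
    image = bytes(64 * 1024)                       # constructed 64 KiB container = 16 chunks
    edited = bytearray(image)
    edited[20000:20100] = b"E" * 100               # a 100-byte edit to one file inside the container
    edited = bytes(edited)

    # Constructed per-file layout: three small files, only b.txt is re-saved
    files = {"a.txt": b"A" * 3000, "b.txt": b"B" * 3000, "c.txt": b"C" * 3000}
    edited_files = dict(files, **{"b.txt": b"B" * 2900 + b"E" * 100})
    nonces_before = {n: b"v1" for n in files}
    nonces_after = dict(nonces_before, **{"b.txt": b"v2"})   # only the re-saved file gets a new nonce
    folder_before = encrypt_folder(key, files, nonces_before)
    folder_after = encrypt_folder(key, edited_files, nonces_after)

    return {
        "total_container_chunks": len(chunk_hashes(image)),
        "container_positional": len(chunks_to_upload(encrypt_container_positional(key, image),
                                                     encrypt_container_positional(key, edited))),
        "container_fresh_nonce": len(chunks_to_upload(encrypt_container_fresh_nonce(key, image, b"save1"),
                                                      encrypt_container_fresh_nonce(key, edited, b"save2"))),
        "folder_per_file": sum(len(chunks_to_upload(folder_before[n], folder_after[n])) for n in files),
    }


if __name__ == "__main__":
    for label, value in simulate().items():
        print(f"{label}: {value}")
```

The positional container and the per-file folder both leave the sync client with a single changed chunk, while the fresh-nonce container forces all 16 chunks up again. Which of the first two behaviours a real container exhibits is exactly what the commenters below disagree about; the per-file layout sidesteps the question because the unchanged files' ciphertext is never touched.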

40 Responses to Dropbox: How Does BoxCryptor Compare to TrueCrypt?
  1. John Gilbert

    You say: “Dropbox sees only as single file, the TrueCrypt disk image file, and identifies that it has been modified. Since it sees that image as a single file, it uploads the entire file up into the cloud.”

    I suspect you have not fully investigated this. I have found that Dropbox only uploads those parts of the TrueCrypt container file which have changed. It does not upload the entire file. From this point of view TrueCrypt is a workable solution for encryption with Dropbox.

    I have checked a few cloud services (Box, SkyDrive, etc.) with TrueCrypt containers. All, except Dropbox, do upload the whole container file. This is one of the ways that Dropbox is superior, in my opinion, to other cloud synchronisation services.

    I do agree with your other comments about TrueCrypt being tricky to use. In practice I only use it very infrequently.

    On the positive side, you might add that TrueCrypt is an open source product which has built a reputation over many years as one of the best (most secure) encryption products – and it is free. BoxCryptor will need to establish a reputation.

    Perhaps: BoxCryptor for easy encryption with Dropbox and TrueCrypt just for something you need to keep really really secure.

    • smanke

      @John,
      A very valid point! But I don’t think that is the case here since the contents of the TrueCrypt file are cyphered prior to the upload to Dropbox. As a result, I don’t think that Dropbox is able to find the delta for the changed data in the same way it does when the file is plain text. At least according to the test that I ran, TrueCrypt was reuploading the entire encrypted image whenever it contained any kind of modification.

      I did only run limited testing. I would like to go back and see if TrueCrypt offered different types of disk image options. It is also possible that new features have been added since I did my test last year. I had originally hoped to use TrueCrypt as I now use Boxcryptor, but that massive upload with every change was a deal breaker. I currently keep well over 2GB of data secure with encryption.

      I would prefer an open source solution for its transparency, but I am very impressed with Boxcryptor as a solution.

  2. Tom

    dropbox does divide files in chunks of 4 mb and check if they are already uploaded (deduplication). if so, they won’t be uploaded again. in truecrypt prefs you have to check ‘preserve modification timestamp of file containers’ but this should be standard setting. so if you alter 4 kb file in 500 mb container, db won’t upload the whole container again as the sync will be done after a few minutes.

  3. aol

    boxcrypt does not encrypt file names in the free version. 7zip encrypts to the same standards AES256 and also encrypts filenames, and also makes self extracting files where no programs are needed to decrypt. 7zip is also totally free unlike boxcrypt and there are free programs to decrypt 7zip files for Mac, Pc and iOS.

    forget boxcrypt unless you are one to upload gigabytes of data to the cloud instead of small files at a time.

    • Steve Manke

      I took a look at 7zip (http://www.7-zip.org/). While a cool product, and free, it fills a completely different need. Where BoxCryptor encrypts and decrypts files seamlessly on the fly, 7zip is a compression tool that lets you compress and encrypt files manually.

      This is useful, but not in the same way. For example, I’m working on my new novel. My manuscript is stored inside the BoxCryptor volume inside of Dropbox on my Mac. Every time I save my Scrivener project, the file is saved to my Mac’s hard drive. BoxCryptor instantly encrypts that saved file and Dropbox automatically uploads the encrypted file to the Dropbox cloud and syncs the file with all of my Dropbox enabled devices.

      In that example, all I had to do was save the file like normal on my Mac. Nothing unusual was added to my workflow. Since I was saving my file to my BoxCryptor location, everything was automatic. My file was secured with rock solid encryption and it was instantly backed up.

      If you ask me, this is nothing short of brilliant!

      • Jon

        use cryptsync to combine the single file/folder on-the-fly encryption of 7zip with the unlimited and on the fly sync with dropbox or any cloud service that uses a folder to sync files.

  4. AJ

    Your analysis is flawed. You’ve written this article based on assumptions and not actually using the tools together.
    I’ve been using dropbox + Truecrypt for 2+ years. I have 1GB truecrypt containers that sync in a few seconds if a tiny file inside the container is modified. All you have to remember is to let truecrypt modify file timestamp (in preferences).

    • Steve Manke

      AJ,

      I did test the configuration first hand. What you are explaining was not my experience. But thanks for the feedback. I’ll take another look. Maybe there was something different about your configuration.

      But I still question the larger issue. I would like to double check and see what happens when two laptops working offline modify different files on the Truecrypt volume separately. When both machines go back online, will both revisions made to different parts of the Truecrypt volume be synced to the Dropbox cloud or will one of the Truecrypt images win out and overwrite the changes made to the other.

      With Boxcryptor it’s not a concern. I’ll have to give Truecrypt a whirl and see what happens. But if you have first-hand experience or care to test with your setup, please post back.

      But, fwiw, I am not casting assumptions. I’m posting based on my first hand tests. Admittedly I have less experience with Truecrypt but I would like to compare them evenly in this scenario.

      Thanks!

  5. Jan Heldal

    You describe the situation based on having a TrueCrypt diskimage inside the Dropbox-folder. Why wouldn’t you rather have the Dropbox-folder inside a TrueCrypt diskimage? Would this not eliminate all the mentioned problems? It would not add an extra encryption-level to the copy of your files residing in the cloud, but it should protect you (and your entire dropbox) in the case of a lost or stolen computer.

    • Steve Manke

      That’s a great idea, but I’m not sure it’s possible. To be honest, I thought there was a reason that wouldn’t work but it escapes me right now. The TrueCrypt image would need to be mounted before Dropbox opened which is problematic but not an insurmountable issue.

      Could there be a conflict if two machines had the folder open and syncing at the same time? It seems like 2 computers would be able to stay in sync in real time if they had a duplicate disc image that used the same cypher.

      Mobile access would be an issue. I don’t think there is any kind of mobile app that would allow access to the data. That could be an advantage or disadvantage depending on your use case.

      Sorry, I’m just thinking out loud here. I thought there was a major issue that kept this from being a good solution but it escapes me right now. It must have been a bigger issue than just making sure that Dropbox started after the TrueCrypt image mounted.

      Does anyone have an idea? Has anyone tried it? I feel like I’m missing something. It’s a great question…

      • Bogdan

        reason is simple: dropbox etc will be very happy to peek into your files, you will only encrypt them on your local endpoints this way.

    • Victor

      How do you ensure that your files are actually encrypted when it gets to the dropbox servers under this configuration??

      • Steve Manke

        Testing the files’ encryption when using BoxCryptor is dead simple. You just login to Dropbox through the web page and download one of the files that was located inside of the BoxCryptor image. You will find that what was a rich text file will no longer open after being downloaded through the browser because it was pulled off the Dropbox server while it was still encrypted! Perfect, simple test!
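The check Steve describes can be scripted so it does not depend on whether a file happens to open. The Python below is an added example, not part of this thread or of BoxCryptor; it assumes you have already downloaded a file through the web interface and can hand its bytes to the function. It first looks for well-known document headers (an RTF, PDF, PNG or ZIP-based Office file that still starts with its signature is plainly not encrypted), then falls back to a Shannon entropy estimate: ciphertext scores close to 8 bits per byte, English text around 4 to 5. The inputs are constructed inline.

```python
import hashlib
import math
from collections import Counter

# Well-known file signatures; a download that still begins with one of these is readable as-is
KNOWN_HEADERS = {
    b"{\\rtf": "RTF document",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP-based file (docx/xlsx/odt)",
    b"\x89PNG": "PNG image",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or random data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_download(data: bytes, threshold: float = 7.5) -> tuple:
    """Return ("readable", reason) or ("opaque", reason) for a file pulled straight
    off the storage provider. "opaque" means not trivially readable; compressed
    files (zip, jpeg) also score high, so the header check runs first."""
    for magic, desc in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return ("readable", f"recognised header: {desc}")
    h = shannon_entropy(data)
    if h >= threshold:
        return ("opaque", f"no known header, entropy {h:.2f} bits/byte")
    return ("readable", f"no known header but low entropy ({h:.2f} bits/byte), likely plaintext")


# Constructed samples standing in for downloaded files
RTF_SAMPLE = b"{\\rtf1\\ansi Hello from the Dropbox download test.}"
PLAIN_SAMPLE = b"Meeting notes: review the quarterly figures and the backup plan.\n" * 20
OPAQUE_SAMPLE = hashlib.shake_256(b"constructed stand-in for a ciphertext blob").digest(4096)

if __name__ == "__main__":
    for name, blob in [("rtf", RTF_SAMPLE), ("plain", PLAIN_SAMPLE), ("opaque", OPAQUE_SAMPLE)]:
        print(name, classify_download(blob))
```

Run it over a handful of files downloaded from the provider's web UI; any "readable" verdict on a file that was supposed to live inside the encrypted folder means the encryption is not happening before upload.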

    • John

      Having your dropbox folder in a TrueCrypt image will not encrypt anything on dropbox. When you unmount your TC image you will be sure that nobody can read it from your HDD. However, anybody gaining access to your dropbox account will be able to get at your data.

  6. Donald

    John, AJ, your success in 1GB TrueCrypt file sync attests to the power of dropbox’s deduplication algorithm.

    However, I have noticed one problem when I’m using TrueCrypt. TrueCrypt must be properly shutdown to ENSURE that all changes are written. While most people say “DUH, obviously”, think of a few scenario where this doesn’t happen.

    I have whole terabyte data on truecrypt. One time, I was doing housecleaning and moving (not copying, unfortunately) 200+GB files into a new truecrypt volume. I left it overnight, forgetting to plug in the power to my laptop. The move fails halfway, and I lost some 100GB of files.

    My vote goes with JAN’s solution of putting dropbox folder inside TrueCrypt, trusting Dropbox to respect my privacy. This way, if TrueCrypt fails, at least Dropbox has a copy of my file.

    • Jon

      This defeats the whole purpose of encryption, which is to protect the file contents from unauthorized users.

      you can encrypt locally with truecrypt, and then use a separate file program to sync the file to dropbox. But yes, large containers will use more bandwidth and take longer to sync.

      But security is a convenience vs protection process. So you typically would use smaller containers and encrypt only the most important or sensitive data and back those files up separately. Then use whole disk/drive encryption for day-to-day security. For example, you have several MS Word files that you want to backup securely. You use cryptsync, boxcryptor, truecrypt along with dropbox to secure your backups. Locally you can use truecrypt, zip/rar/7z, ax crypt, or whole drive encryption. If your computer crashes or is compromised, you can still reinstall MS Word on a new computer and download the secure files and access them.

  7. paul

    Hi

    Wrong way round

    I have a true-crypt container on my PC that is mounted on start-up.
    I have my drop-box and Sky-drive folders in this container with cloud fogger configured to encrypt data sync between my folders and cloud storage folders, works great.

    I just hold off auto start with drop-box and sky-drive for 1 minute using a script, just until my true-crypt volume mounts.

    This way my local sky-drive and drop-box folders are protected from prying eyes or laptop thieves and my cloud folders contents are encrypted so NSA or GCHQ cannot have a look.

    • larry

      Thanks for this solution. I had been using the truecrypt container as you to hold the dropbox folder, but I also had additional truecrypt containers therein for truly sensitive data; but with cloud fogger now everything will be encrypted and I can do away with the additional truecrypt container! Brilliant! Best solution by far and it deserves more votes!

  8. paul

    Sorry me again

    My way cannot be used with Google Drive as it doesn’t allow for the drive folder to be a mounted volume

    Paul

  9. Janet Esparza

    You can always use a cloud service that already has 256 AES encryption built-in, such as Copy.com or SpiderOak.
    Copy is a new service from the folks at Barracuda, gives you 15GB free plus 5GB extra if you use a referral link (such as https://copy.com?r=Ca33FM).
    SpiderOak has been around for a while and is rock solid but only gives you 2GB free. The paid options are pretty good.
    Both are good options and beats the added hassle of using a separate encryption service IMO.

  10. Curt

    Hello,

    On the issue of encryption via an app, like Boxcryptor … who has access to the password you use to lock the encryption? Does Boxcryptor have this password as per your user account? If so, wouldn’t it be just as secure to simply encrypt your files using disk utilities + Disk Image and then uploading to Dropbox. Obviously, you lose out on the convenience of encrypting and syncing all at once but … anyway, my concern is over whether the password encrypted files created by Boxcryptor are really zero-knowledge, client-side encryption. Anyone? Thanks.

    • Steve Manke

      Great question. Your suggestion is valid. It would be a painful, manual process. Where with BoxCryptor, you just save a file into the BoxCryptor directory and the file is encrypted on your computer and then sent up into the cloud where it is stored in its encrypted state. If you open the file on your computer, it’s decrypted on the fly and opened in an entirely seamless process. You can click save and it’s re-encrypted— again, seamlessly.

      But even more importantly, and specific to the security part of your question, the password you use to cypher your files never leaves your computer. The files are encrypted on your computer prior to upload. So whatever cloud storage service you’re using (most likely Dropbox), doesn’t have any idea that your data is encrypted, let alone what the password might be. That password never leaves your computer.

      That’s the genius of the BoxCryptor service running on your computer. All of the files that are saved in the BoxCryptor directory are seamlessly encrypted on the fly as they are read and written by your computer, and before they are uploaded to the cloud storage service. It also means that each file is encrypted separately, rather than one single large file being encrypted/decrypted and uploaded/downloaded each time it’s accessed.

  11. Curt

    thanks for the quick reply. Lots of good info, as I’ve never used Boxcryptor. So even Boxcryptor does not know your password – true client-side encryption?

    Also, is there really any difference between encryption techniques when it comes to AES 256? I see some comments saying Boxcryptor’s encryption methods aren’t as robust, but if it’s AES then it’s AES, no matter who’s encrypting, no?

    Lastly, do you have any experience with Tresorit?

    • Steve Manke

      I think people can debate one encryption technique vs another pretty much indefinitely. The only way to be sure about any of them is to see which ones stand the test of time. In that regard, AES 256 is solid. But in addition to that, RSA encryption is added. More on that can be found here:
      https://www.boxcryptor.com/en/encryption

      This link shows more details on how the data is encrypted on the fly:
      https://www.boxcryptor.com/en/dropbox

      Oh, and for what it’s worth, I’m not endorsed by BoxCryptor in any way. I’m just a big fan of the way they let me secure my cloud storage. I don’t trust my data in the wild without a solution like this. The fact that BoxCryptor is seamless is what makes it useful to me.

  12. Curt

    You’re probably right. But to my main point, does BoxCryptor know your passwords? For example, if the NSA came calling for their assets, they’d have to say, we can’t open them cause we don’t know the passwords. Not that I’m worried about that lol. But it illustrates my point about being truly 100% client side encrypted, such that no one on the server/provider side has access to your assets?

    I do love the idea of the convenience of boxcryptor though

    • Steve Manke

      Nope. BoxCryptor doesn’t know your password and neither does whatever service you’re storing your data on: Dropbox, Google Drive, Box.com, Cubby, OneDrive… The password info is local to your computer. That never leaves your machine. Similarly, you can use the mobile version of the app to access your BoxCryptor files on your cloud services, but that’s because the mobile version of the app has been authenticated with your BoxCryptor credentials. So if you never install and add the credentials to the mobile app, it would not be able to decrypt the BoxCryptor data.

      The only devices that can decrypt the BoxCryptor data are the ones you provide the account info to.

  13. Curt

    Is all this encryption available in the free version, or premium versions? Thanks man!

    • Steve Manke

      The same level of encryption is supported in each version, based on everything I’ve read. I use BoxCryptor Classic on the Mac and iPhone. I am using the paid version, but I paid for it a couple of years ago, I think before the other versions became available.

      If free has the rest of the features that you need, you’re just as safe with that version. They just added features to the paid and non-Classic versions.

  14. Curt

    cool. thanks for you help man. i will look into getting it. Peace.

  15. Jon

    I’ve used CryptSync now for several months and found it to be a very easy method to backup and encrypt files simultaneously. I find that the ‘set it and forget it’ automation of cryptsync and imo the majority of mom and pop operations can use it to backup sensitive data. Keep in mind that the original files would be unencrypted on the SOURCE folder. If you want those to be encrypted, you’d have to do that separately.

    Truecrypt becomes more important if you want to hide the file altogether. Because ultimately you still have to unlock the truecrypt container to access the files. Solutions like CryptSync assume you want to work as normal with the (unencrypted) source files and back up only what you need securely to the cloud.

    • Steve Manke

      I’ll take a look at CryptSync. That sounds interesting.

      Folks should keep an eye on TrueCrypt right now. There are a lot of questions at the moment about the future of the project and even the security of the latest build. Apparently the project’s home page on the web was updated recently with some troubling information that makes people suspect that the site was hit by hackers. But the site has remained in its odd state for an extended period of time drawing more doubt about the future of TrueCrypt.

      I haven’t been following the story too closely but a number of the tech podcasts I keep up with have been watching the story and it’s looking like TrueCrypt might be a project of the past (as unlikely as that might sound).

      I need to look into the story more closely. It’s startling, to say the least. But if the NSA was able to get their hooks into the project, the contributors might have bailed and not looked back. Stranger things have happened.

      Once again, I’m not entirely up to speed on the latest from the TrueCrypt story. I just want folks to check out the latest news for themselves before committing further sensitive info to the protection of the project.

  16. Nathan Brazil

    I was very excited about BoxCryptor until I noticed that they have move to a subscription only model for the personal version of the software. Yes, they still offer a free version, but although I might shell out $50 for the personal version I will not pay it every year indefinitely. Also, they don’t say what happens after my subscription expires (do my files become read-only or inaccessible?) or what happens if they go out of business. I see BoxCryptor 1 is still available as a one-time purchase so I may be forced to buy the older version. At least I will know it is mine.

    • Steve Manke

      Nathan,

      FWIW, I didn’t like the idea of perpetual payment either. So I’m using the BoxCryptor Classic (the one time paid version), and I love it. I run it on my Mac Mini, my MacBook Pro, my iPhone, and if my HTC One ever boots up again, it will be running on there too.

      I’m glad they still offer BoxCryptor Classic for that reason. Like you said, you can use the free version, but I wanted to support the service. I just wanted to support it with a one time payment. I think we’re on the same page there!

  17. Carlos Lopez

    Thanks for the great article.
    On the website of BoxCryptor I read about the “Master Key” option in the business version of the software. Although I can see why a company would like this (fired or deceased employees e.g.) it also makes me wonder about the security. Given the Snowden revelations, how unlikely is it the NSA can force BoxCryptor to provide them with this Master Key (or to build in a second super-master-key)? Given the way encryption works, the concept of a second password that can decrypt what the first password encrypted sounds disturbing.
    Any thoughts on that? The advantage of TrueCrypt is that the source code is public, which makes it very hard to build in a back-door. That’s not the case with BoxCryptor.
    regards,
    Carlos

    • Steve Manke

      That’s a great question! I just read up on the business version of BoxCryptor, trying to find the part where they would explain this part specifically. I didn’t find what I was looking for, but I’m sure I understand where the confusion comes from.

      The Master Key is set by the company in question, not by BoxCryptor. So that Master Key is never known by BoxCryptor, or anyone that the company doesn’t share that key with. So, if your company designates a super complex Master Key for your account, you’re set. That information is never transmitted in the clear, so it’s not exposed to anyone while in transit.

      This link explains a lot about how the data is secured:
      https://www.boxcryptor.com/en/technical-overview#anc05

      You make a good point about the software not being open source and how you can never be 100% sure of anything as a result. But, at the same time, there has been a lot of new concern about TrueCrypt as of late. Apparently the developers have been oddly silent for a very long time and the TrueCrypt site has even been updated to indicate that the product might not be as secure as once believed.

      I think the main part of your question was relating to where that Master Key comes from. Your company sets that key and controls that key. BoxCryptor never knows the password in question. So while that single password holds the power to unlock all of the data in the account, it’s also a single password that’s known only to the administrator who sets up the account. And that administrator is a part of your company.

      I hope that helps. Still, I encourage you to take any question directly to BoxCryptor support. They have been very responsive to my questions in the past. I’m sure they can point you directly to the documentation that will put your mind at ease.

  18. Roland

    I am looking for an encryption solution to use with Google Drive for just plain archiving of data, mainly financial statements, etc. I am making a real effort to go paperless, but even though I make frequent backups, would like the comfort of knowing all of my financial records (mostly PDF files) as well as Outlook .PST files are protected with copies in the cloud should a local disaster occur. I don’t really care about syncing capability and just want to be able to copy data periodically to Google Drive for storage, but am not comfortable with it being unencrypted. I DO NOT want the local copies of these files on my laptop to be changed or altered in any way. I’m interested to know if you see any difficulties with using BoxCryptor for this purpose?

    • Steve Manke

      Roland,

      It sounds like this would fit your needs. It’s not the ideal backup solution because the BoxCryptor volume sits on your desktop (Mac) or in My Computer (Windows) at all times. That means that, should you get a particularly nasty virus, your BoxCryptor is just another mounted volume as far as the virus is concerned. As opposed to a backup service like Carbonite or Backblaze that backs up your system in near real time and optionally encrypts your data using a key of your choosing.

      That said, I like how you’re thinking of keeping offline copies in your G Drive and not the live copy. It sounds like an ideal way to work. If the BoxCryptor volume is housed in your G Drive folder, anything you save to the BoxCryptor folder/drive will encrypt and then sync to Google automatically.

  19. Roland

    That sounds great, Steve. I backup to a local external hard drive as well as a cloud backup service but guess I’m looking for the “belt and suspenders” peace of mind of also having the data reside on the Google Drive as well. I’ll check out BoxCryptor to handle the encryption. Thank you for being so responsive to questions!

  20. Stan

    Truecrypt doesn’t use authenticated encryption. This is encryption that provides integrity checking as well in the form of an additional MAC code. As far as I can tell BoxCryptor doesn’t provide that security as well. Normally one would use AES encryption in GCM mode and not CBC which both truecrypt and boxcryptor use. For more info on authenticated encryption check the wiki article: http://en.wikipedia.org/wiki/Authenticated_encryption
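Stan's point is easiest to see with a small experiment. The Python below is an added example, not code from this thread, TrueCrypt or BoxCryptor; it uses a SHAKE-256 keystream as a stand-in for an unauthenticated stream or block-cipher mode, and HMAC-SHA256 as the "additional MAC" he mentions (encrypt-then-MAC rather than GCM, since Python's standard library has no AEAD mode). A single byte of the stored ciphertext is altered, modelling either disk corruption or tampering. Without a MAC the altered ciphertext decrypts to a different, plausible-looking message with no error raised; with the MAC the verification fails before any plaintext is produced. All keys, nonce and message are constructed.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream from SHAKE-256; illustration only, not a real cipher.
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: no integrity check of any kind."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_only = encrypt_only   # XOR with the same keystream is its own inverse


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    """Authenticated encryption built from a cipher plus HMAC over nonce || ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not match. The MAC is checked
    (in constant time) before the ciphertext is decrypted at all."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(enc_key, nonce, ct)


def alter_byte(ct: bytes, offset: int, delta: int) -> bytes:
    """Model a single corrupted or modified byte in the stored ciphertext."""
    buf = bytearray(ct)
    buf[offset] ^= delta
    return bytes(buf)


def demo() -> dict:
    enc_key = b"constructed-enc-key"
    mac_key = b"constructed-mac-key"
    nonce = b"constructed-nonce-01"
    msg = b"amount=100;to=alice"

    # 1. Unauthenticated: the stored ciphertext loses one byte's integrity at offset 7 (the '1' of 100)
    ct = encrypt_only(enc_key, nonce, msg)
    silently_changed = decrypt_only(enc_key, nonce, alter_byte(ct, 7, 0x08))

    # 2. Authenticated: the same damage is caught by the MAC check
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    rejected = verify_then_decrypt(enc_key, mac_key, nonce, alter_byte(ct2, 7, 0x08), tag)
    intact = verify_then_decrypt(enc_key, mac_key, nonce, ct2, tag)

    return {
        "original": msg,
        "unauthenticated_decrypt_of_altered": silently_changed,
        "authenticated_decrypt_of_altered": rejected,
        "authenticated_decrypt_intact": intact,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The unauthenticated path returns a message reading 900 instead of 100 with no indication that anything went wrong, which is the integrity gap Stan is describing; a mode such as GCM folds the tag computation into the cipher, but the property it provides is the same as the HMAC check here.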

  21. Steve Manke

    I just ran across this. It’s a security audit of TrueCrypt in light of recent questions.
    http://lifehacker.com/truecrypts-security-audit-is-finally-done-with-mostly-1695243253
