Ask Slashdot: Keeping Cloud Data Encrypted Without Cross-Platform Pain? 107
bromoseltzer writes: I use cloud storage to hold many gigs of personal files that I'd just as soon were not targets for casual data mining. (Google: I'm thinking of you.) I want to access them from Linux, Windows, and Android devices. I have been using encfs, which does the job for Linux fairly well (despite some well-known issues), but Windows and Android don't seem to have working clients. I really want to map a file system of encrypted files and encrypted names to a local unencrypted filesystem — the way encfs works. What solutions do Slashdot readers recommend? Ideal would be a competitive cloud storage service like Dropbox or Google Drive that provides trustworthy encryption with suitable clients. Is there anything like that?
Good luck ... (Score:5, Insightful)
I hope you find what you're looking for, but I would suggest that:
This isn't possible.
Unless you own the crypto bits, and you know for a fact that they don't have any way to access your keys, you should assume any provider can probably comply with court orders and hand over your data.
Some of them might be peaking even if they claim not to be.
The only way you can be guaranteed your stuff is secure is to encrypt it yourself, and cut the cloud out of the process entirely.
There pretty much is no such thing as "trustworthy encryption" you didn't do yourself.
Re: (Score:3)
This is par for the course with cloud, aka, someone else's computer. If you want secure, you need to buy your own server, set it up with an encrypted file system, pay for colocation in a datacenter, and host everything yourself.
Re: (Score:2)
And even then your security can be compromised by anybody who can stick an usb stick into your server at the datacenter, or has physical access by other means. Therefore, you can't just chose some datacenter where you put down your server and this is it, you have to chose one thats guarded with video surveillance, and proper protocols. And even then, a data compromise can be maximum detected, but stopping is even harder. Also you have to trust the people guarding your server. What if they get an NSL? but of
Re: (Score:3)
You make it sound *onerous* but it doesn't need to be. You can buy many home routers with a USB port. Plug in a thumb drive and enable webDAV shares!
We've been using webDAV for many, many years to create a distributed, "cloud based" storage accessible anywhere with good security. (Authenticated webDAV over SSL is approximately as secure as the password)
Re: (Score:2)
I find there are multiple ways to skin this cat:
Scenario 1: Archiving. This is where one sticks files into some archiving program (ZIP, RAR, etc.) and then uploads the archive to some place like Amazon Glacier where it pretty much remains indefinitely until needed. This takes some thought, since even though uploading and keeping stuff on Glacier is inexpensive... retrieving it isn't cheap. One should figure out a size of archive that isn't hard to download, but not too small that documents and other ite
Re: (Score:2)
Does retyping the Tarsnap source code count as "doing it yourself"?
Not a chance (Score:2)
There pretty much is no such thing as "trustworthy encryption" you didn't do yourself.
And, let's face it, for all but maybe a few hundred out of the 7 billion people on the planet, even if you try to do it yourself it's probably going to fail under a true attack that is targeted at getting your information and there's a good chance your home-built system will just screw up your data altogether.
Saying the only trustworthy encryption scheme is the one you create only works if you're a cryptography and programming expert. Otherwise it's like hiding your life savings in safe you built entirely f
Re: (Score:3)
I never said create it yourself.
I said if you are looking for a "trusted encryption" being implemented by someone else on your behalf, there's a very high likelihood it's not secure from them. And if you want it to be secure form them, encrypt it yourself.
So, use a solution which exists, and which has a good reputation. But the cloud provider should be left out of the process of e
KeePass (Score:2)
Not a complete filesystem-level solution. But I'm pretty happy with KeePass for sensitive stuff.
Using the KeePassX client on Linux, with the .kdb file on Google Drive. .kdb back to Google Drive after making any changes.
KeePass2Android on our phones. We have a secret key not stored on Google Drive, and a passphrase to unlock that. Haven't had any trouble with the automatic sync of the
If encfs works fairly well on Linux, what's stopping you from getting http://linuxonandroid.org/ [linuxonandroid.org] working on Android and mou
Own Cloud, on a cloud VM with encrypted HD (Score:1)
Own Cloud, on a cloud VM with encrypted HD ?
Re: (Score:2)
Wouldn't a simple TrueCrypt container meet all the requirements?
Create a container and set up cloud sync with a service that only sends diffs. I believe Dropbox does that, for example. Mount the container on each machine, or mount it on a NAS and share it unencrypted locally, or whatever you want to do.
All the cloud service sees is a TrueCrypt container. Android has a few apps supporting TrueCrypt. All major desktop operating systems support it. It's probably the most trustworthy system out there, being bot
Re: (Score:2)
The only way you can be guaranteed your stuff is secure is to encrypt it yourself, and cut the cloud out of the process entirely.
This is completely true, the best you can get are some self-hosted services that work almost as seamlessly as commercial Clouds.
I use Bittorrent Sync, it is fast and has a good mobile app. You need to have a server running if you want availability. I have two: a 150€ NAS in my home network and a Linux worstation at work (I never turn it off anyway in case I need to work from home, and it restarts in case of power failure).
The only feature you miss is the possibility to one-click share a single file
Roll your own (Score:1)
Re: (Score:2)
with ownCloud or SeaFile, a Raspberry Pi 2, and whatever size USB you want.
Maybe for home use, but that's going to be pretty darn slow... You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive, the keyboard and the mouse etc.... Ouch...
Personally, I'd go with an old scrapped desktop PC running OpenMediaVault attached to your network. Just stuff in a cheap SATA interface or two, load up on cheap drives, raid them into a redundant array of some kind and then install
Half of USB 2 still saturates home Internet (Score:3)
You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive
Hi-Speed USB is nominally 480 Mbps half duplex and practically reaches half of that. If the storage shares a bus with a NIC, it could still saturate 120 Mbps. Home Internet is typically 3 to 50 Mbps down, and if you don't have a symmetric service like Verizon/Frontier FiOS, you get far less than that up.
Re: (Score:2)
You will effectively be limited to 1/2 of USB 2.0 speed (or less) because the Pi's network connection is via the single USB connection which is shared by that USB drive
Hi-Speed USB is nominally 480 Mbps half duplex and practically reaches half of that. If the storage shares a bus with a NIC, it could still saturate 120 Mbps. Home Internet is typically 3 to 50 Mbps down, and if you don't have a symmetric service like Verizon/Frontier FiOS, you get far less than that up.
Perhaps, but if you have this on your local network you will not be subject to the bandwidth limits of your ISP. I would usually be at home with most of my devices anyway, so I'm limited to the 802.1a/n link speed, which is going to fully push the Pi beyond it's limits. BTW, my FIOS connection is 25/25bps so, in my case I think it would be possible to nearly saturate the USB buss/CPU load of a Pi remotely, and for $10 more I could get 50/50, which would surely tax the Pi.
There is some serious bandwidth l
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Alternative version of roll-your-own: Host at some provider, use their client (or if you do not trust them, put a encrypted file system on top).
Mount that on a Linux machine.
Share that filesystem via SMB, so Android and Windows can access the files.
Boxcryptor (Score:1)
You might want to take a look at
https://www.boxcryptor.com/en/... [boxcryptor.com]
Mega (Score:3, Informative)
If you get rid of the mobile requirement, http://mega.co.nz/ [mega.co.nz] might be the solution for you.
Specifically designed by Kim Dotcom's folks so that they CANNOT access your data (so they don't tell if you've got financial paperwork or pirated movies). Has a method for sync'ing a local unencrypted filesystem into their cloud architecture.
Re: (Score:2)
How the fuck is this "Offtopic"?
Screw you, whoever moderated that...
Re: (Score:2)
I like Mega as well, but I felt the client for OS X was kinda clunky.
Re: (Score:2)
Really? I haven't had any problems with it. I mean I did when it was like "month 1" of the service going live, but it settled down fairly nicely over time.
Wuala (Score:1)
There's Wuala, which is essentially Dropbox with client-side encryption. It used to be free for personal use, but now plans start at 1 EUR per month. Also, the encrypted data is stored in Europe, which is nice. http://www.wuala.com [wuala.com]
If you don't have anything useful to say... (Score:1)
Shitpost!!!!!
SpiderOak (Score:3)
Re: (Score:3)
+1 for SpiderOak, but please know that their Android client is not Zero-Knowledge. It means that mobile use is...not quite as clean as one would like.
Re: (Score:2)
Yeah +1 for spideroak. But you still do need to trust them.
The source is closed. So you can't inspect and build the client yourself. So you have no way of knowing whether its really zero knowledge or not; or whether the client can or is sending the keys to the server etc.
They also specifically disclaim zero knowledge for web based access and mobile. The former should be obvious, but the latter is a bit of a surprise/disappointment.
Still I -do- generally trust them; and recommend them. Their business model i
Re: (Score:2)
Their mobile client is open source: https://github.com/SpiderOak/S... [github.com]
The desktop client is mostly unobfuscated Python bytecode and easily inspected, docstrings, symbol names and all, with a bytecode decompiler. Not good enough, but at least a bit more transparent than most.
Re: (Score:1)
CryptSync (Score:2)
It encrypts files with 7zip so you can still grab them from other platforms.
http://sourceforge.net/project... [sourceforge.net]
BT Sync (Score:2)
BT Sync - Aka "Bittorrent Sync" aka "Sync" is pretty close. In that setup, your own computers act as the cloud. Android and Linux clients, etc. I primarily use it to keep photos backed up from my phone to home, but also keep folders and movies on my home computer which sync with my phone as well.
It's not a "cloud solution" in the normal sense - you can't keep files on the cloud and dynamically choose which ones to push around later, but it's CLOSE and may suit your needs.
Re: (Score:2)
Syncthing looks interesting. Even has an Android client to boot.
Thank you for sharing.
I currently use BTSync, but it seems I have problems every time I upgrade, having to recreate the shares and such. Kind of a PITA.
I also firewall it, so it doesn't sync outside of my home or office network, so, hopefully keeping any potential back doors out.
Re: (Score:1)
Re: (Score:2)
What I don't like about BT Sync is that it requires a specific port to be open. OwnCloud just uses the standard https port, 443, which is open anywhere.
Tarsnap? (Score:3)
trustworthy encryption (Score:1)
I'm sorry, what?
nCryptedCloud for Dropbox encryption (Score:1)
If they did that they would lose clients (Score:1)
If the cloud provider created an encryption that even they couldn't work with they wouldn't have clients. For starters, search wouldn't work. Secondly, the average Joe would expect the cloud solution to be like someone holding something for him in a safe. Should he lose the key for the safe, he would still expect a way to prove his identity and have the owner of the safe open it for him on his behalf.
So your best bet is to go with a solution whose privacy policy states that they won't datamine your data for
Re: (Score:2)
Hmmm. Don't agree with this.
1. Spider Oak has built its business on zero-knowledge (Full Disc: not an employee or a fanboy, but a user. Like it, except for non-zero-knowledge on mobile/web)
2. There _is_ research going on about ways to compute on data without knowing the contents of the data. It's entirely likely that someone will solve search on zero-knowledge encrypted data, even though you and I don't yet know how it might work. (one way that comes to mind: zero-knowledge encrypt the query, then bounce th
Boxcryptor Classic (Score:1)
Supports EncFS on Windows and works well with different Cloud FS providers.
Dropbox & Boxcryptor (Score:1)
Dropbox combined with Boxcryptor Classic (Android & Windows) and Cryptkeeper (basically encfs) on Linux. Works for me.
pcloud.com (Score:2)
https://pcloud.com/ [pcloud.com] - they have end-user encryption, currently in the desktop versions, working on getting it in the web and mobile versions. The encryption sources are open and available at their github account ( https://github.com/pcloudcom [github.com] ), and they recently got an audit of the whole software and encryption schema.
(disclaimer - i worked there and helped design it)
OwnCloud (Score:2)
This being a tech site, I suggest you do it yourself and get a virtual private server somewhere, then install OwnCloud. It's extremely easy, just get a VPS at one of the nice providers like DigitalOcean or Linode, install Debian and use dmcrypt or ecryptfs to encrypt the filesystem.
Then share your files over HTTPS. Done.
Re: (Score:1)
As of about a year ago, Owncloud didn't handle large files well at all. Maybe it's gotten better since then, but I dumped it for sftp / rsync.
Down to the User (Score:1)
Keep Using EncFS (Score:4, Interesting)
I recently went through this same issue.
I tried lots of alternatives, but EncFS is still the best solution out there.
The best and most reliable windows port of EncFS is Safe.
http://www.getsafe.org/ [getsafe.org]
It does have some limitations, but in general it's the best solution out there.
They strive to be binary compatible with Linux EncFS and have versions for Windows and Mac.
Plus it's free and open source. (GPLv3)
Re: (Score:2)
Re: (Score:2)
Thank you, I didn't know about Safe. At one point I had to recover a backed up EncFS and ended up using a Linux VM to mount the encfs then copied everything out unencrypted.
Flip the solution (Score:2)
Seafile (Score:2)
Its crypto isn't perfect (they use some odd AES settings, and the design leaks some metadata) and every now and then I manage to bug the sync system and have to remove/re-add a file to get it to sync properly, but it has good clients for Linux (gui or cli), Windows, Mac, Android, and iOS, as well as web access (You have to give your passphrase to the server for that, which is security-harming in theory, it is s
git encrypt? (Score:2)
Mount the drive-storage solution 'normally', and use it as a local git repository.
If you use something like https://github.com/shadowhand/... [github.com] you can encrypt all files that you store in git, hence on the cloud. There are likely similar solutions for svn, and cross platform solutions.
Owncloud? (Score:2)
If you want your data to be secured then the only way really is to run a server yourself.
Re: (Score:1)
Forget Android (Score:2)
Mobile platforms are inherent insecure. Not only the OS is not designed to be secure (against what you're fearing), the manufacturers are not your friend (you already said "hello google"), but the apps are per default spyware as well. if you have installed a security framework, you will know, that 9/10 apps access data they do not need to function as very first action after being installed. Stuff like calendar, contacts, call log, android serial, active/installed apps ...
So on a mobile device almost everyth