Encryption On Cloud

Discussion in 'privacy technology' started by rethink, Jan 30, 2015.

  1. 142395

    142395 Guest

    Even with paid service, I couldn't find.
    I guess this is due to their design. The major reason to use those cloud will be share contents. So probably those encryption solution don't want to loose that merit cuz if they do so, they will loose potential customer. As you know, if private key is on your side, sharing is impossible unless you copy or send your key by your self. Thus only backup solution like Mozy provide it...
     
  2. 142395

    142395 Guest

    Great inof, thanks!:thumb:
    To be honest, I didn't know Duplicati before.
     
  3. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    another option is Peazip with Task Scheduler. You simply create archives of the files you want, have Peazip compress and encrypt them where you like, for example in your OneDrive/Dropbox folder. And it's done.
     
  4. 142395

    142395 Guest

    That's not an option. OP wants private key not stored on cloud so that even if password or any other information (key file etc.) were leaked or national agency tried brute force with super computer, nobody can decrypt.
     
  5. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Ah, I didn't realize you only wanted to use major cloud services. From what people have come up with in this thread, it seems like Duplicati is as close as you're going to get to what you want. And Syncthing if you want real time snycs, as Tadoussac explains. Maybe not as convenient as you would like, but seems like it would get your the security you want.
     
  6. 142395

    142395 Guest

    I think closest approach would be encrypting contents locally by Truecrypt or sth using key file, and never store the key file on that cloud.
     
  7. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Isn't this also what Duplicati does? But since it's designed to work with cloud services and has a scheduler it would be more convenient.
     
  8. 142395

    142395 Guest

    Still different.
    Method I suggested is using symmetric key but don't store key file on cloud, so it's security relies on key file, not private key. But in practice it will be as much secure as not to put private key on server, as long as you carefully use and manage the key file, and unless there's a serious flaw in crypt program such as Truecrypt.
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I guess I don't understand how these things work enough to get the difference. Aren't both Duplicati and Truecrypt encryption programs that encrypt files on your machine? So they encrypt files on your machine, store all relevant keys on your machine, or whever you choose, and then upload encrypted blobs to whatever cloud location you choose. In both cases, there's no key file in the cloud. The cloud service has nothing to do with the encryption process, it's just the location for your encrypted blobs once you've done all the encryption on your machine first. Except Duplicati is built more to work with cloud services and automate some of the steps.

    What am I not getting?
     
  10. 142395

    142395 Guest

    Generally there're 2 types of encryption, symmetric and asymmetric. AES, blowfish, etc. are symmetric and RSA, ECC are asymmetric. Truecrypt only supports symmetric, it means it uses the same key to encyprt and to decrypt contents. In TC, this key never be saved on disk, it's only on memory. Key file is different from key, it is alternative to password or a kind of 2 factor authentication if you combine it with password. It's important to make 'good' key file and strictly manage this. 'Good' means adversary can't guess key file easily. It is better to save key file separately from your computer e.g. only in external drive.

    But Duplicati, according to Tadoussac, can use GPG for encryption instead of AES. GPG supports several types of cipher algorithms, and they include RSA and ECC. In those asymmetric encryption, A key to encrypt contents and a key to decrypt is different, usually they are called public key and private key. If you use public key to encrypt, only private key can decrypt it. Assume you set very weak password like "1234". In Truecrypt case, adversary can easily brute force it. But in asymmetric key case, whatever weak password you used to derive key pair (or to access your contents), adversary can't brute force contents as long as only you have private key (at least in current technology. Future may differ as Quantum computer is evolving).

    I hope it helps.
     
  11. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    121
    Yes. This is correct. Duplicati's default encryption method is AES-256. gpg.exe can be selected as an alternative encryption mode when setting up a backup job - although this method will require the creation of a gpg/pgp key-pair (1 public and 1 private) as described by 142395.

    Duplicati itself is not an encryption application. It is a backup and restore system that can optionally utilize AES or GPG to encrypt your files before sending them to a cloud service. As I mentioned earlier, when you select the GPG mode, you use your private key to encrypt the selected backup files to yourself on your own device before they are uploaded to the cloud. You do not exchange any keys with the 3rd party cloud service provider. Neither your public nor private keys ever leave your machine when you use this configuration.

    Interesting development: box.com recently announced that it will introduce a new encryption design that will allow customers to manage and hold their own keys. Sounds promising - with some possible security weaknesses. It appears to be expensive, and focused on larger corporate customers - at least in its early stages:

    http://www.networkworld.com/article...box-gets-customer-managed-key-encryption.html
     
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Thanks for the detailed explanations 142395 and Tadoussac. That was helpful and interesting. It explained some terms that I've heard, but did not fully understand.

    It sounds like from what your'e saying that Duplicati with GPG, before uploading to the cloud, is more secure than Truecrypt. But I guess if you use Duplicati with AES then it stores the key on your machine and that's less secure than Truecrypt that does not store the key anywhere? Is that right?
     
  13. 142395

    142395 Guest

    It seems Duplicati uses AES Crypt when you chose AES. And from this post I could quickly find, I don't think they save the key on disk in plaintext (note: both TC and AES Crypt save volume or session key which actually encrypt/decrypt contents in encrypted state on disk. I don't want to complicate explanation, but TC encrypts volume key by header key.). I noticed they use CBC mode which is not secure enough for at-rest encryption, but as is always the case with crypt attack, actuall attack against CBC-AES are quite conditional. e.g. Copy-and-paste attack (aka Sector-Move attack) against CBC (actually, ECB and ESSIV too) which causes data leak requires attacker can freely read and write to entire encrypted storage AND he is allowed to read (in plain text) part of encrypted sector. Then he can decrypt nearly all encrypted contents. This slide describes it (slide 45). Also Bit-flip attack aginst CBC (CTR and ESSIV too) which causes modification to data requires attacker knows where the data he want to modify is on the encrypted storage exactly (what block on what sector). Usually these attack can only be done by insider. But anyway, TC is free from those attacks as it uses XTS mode in latest version, but it is just one aspect to assess security in crypt program, it's not easy to decide which is securer when it comes to crypt.
     
    Last edited by a moderator: Feb 13, 2015
  14. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Okay, thanks 142395. I guess I've got a lot of things to learn. I appreciate the explanations. It definitely helps me get a better grip on how these programs work. And it's interesting to think about.
     
  15. 142395

    142395 Guest

    You're most welcome.:)
     
  16. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Anybody tried this?

    http://stefanstools.sourceforge.net/CryptSync.html

    It basically mirrors two folders. One stays original, not encrypted. The other one, which can be anywhere (dropbox folder, etc) get AES encrypted. Thus the cloud gets only encrypted files.
    It works in background so any modification of any file in the non-encrypted folders is immediately reflected in the encrypted form.
     
  17. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    How reliable has Cyphertite been, in your experience? I'm trying it out now, and I was unable to connect this past Saturday (the day I set up the account, no less) and Sunday. I got a reply via email that there was an outage during the weekend, and then it was working on Monday and Tuesday. But today, it's down again.
     
  18. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    I've registered with Cyphertite too.
    Can I upload files with the browser or must I install their client? I guess I need the client...
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    So hey, just archive stuff, encrypt with GnuPG, and put it somewhere online. For example, these folks contacted me, and have given me read-only access to their server. So far everything seems cool. If there's anything that you'd like me to look at, please share.
    https://robustfiles.com/
     
  20. 142395

    142395 Guest

    I experienced that sometimes. My feeling is Cyphertite is still developing startup and suitable only for those who prioritize seruciry over speed, reliability, etc. or who had trouble in other secure cloud provide like SpiderOak.

    Maybe combining other service will be also good to complement reliability issue. I now have interest in Code42. I have Wuala and Tresorit account, but I use Wuala only on Android as it requires java, while Tresorit's data upload limitation is deal breaker for me...

    Or as mirimir said, make local encryption and use any cloud service you like. I myself do local encryption before uploading, so in my case its double encryption...simply because I'm paranoid about crypt.
    Right, you need client software. Browser access inevitably bring potential privacy issue, as SpiderOak admitted if you login via browser it can't guarantee zero knowledge so you have no choice other than believing they correctly erase and not store your data.
    Couldn't find a link in which SO recommended use of client software, but maybe this will help.
    http://blog.xot.nl/2013/12/08/some-reservations-about-spideroak-security/
     
  21. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Thanks for the link. It looks like they are called disk42 not Code42.

    They do look interesting. But like a lot of the recent encrypted services popping up, there is a real lack of information on their site. Who are they? How does their system work? Where are the servers located? Do they own and control the servers?

    I'm always a bit suspicious of some new encrypted service with a slick clean looking website and almost no technical details about what they're doing or who that are. It's one of the things I like about Tutanota, Protonmail, Countermail, SpiderOak. They are very forthcoming in a lot of detail about what they're doing and who they are.

    It's nice to talk a lot about the virtues of opensource code (the topic disk42 covers the most)--though people rarely actually point out that their code has not be reviewed by any third party. But if companies like this want people to trust them, they need to be more than a slick, simple website with very few details. From my perspective it's just a black box and I don't know what's inside it.
     
  22. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
  23. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    75
    Treesorit does not offer free account anymore?

    Edit: I was wrong,
     
  24. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Coming from a linux user's perspective:

    I've tried tahoe-lafs, cyphertite, tarsnap, and many others.
    Tahoe-lafs feels like a real filesystem with terminal commands like cp -r etc, but make sure you set it at home or on a vps that has a good network.

    Tarsnap is excellent but is very slow when you need to restore files and if you have a ton of backups it can be a chore trying to find which backup to restore.

    Currently, I'm using cyphertite and it isn't very user friendly but all the metadata for your backups is on your machine which is nice. Cyphertite is very secure but you'll need time to learn the commands. The documentation is seriously lacking.

    SpiderOak is not getting any real development and bugs that existed for 8 months still plague its users such as folders don't restore in total and while your uploading your files and the queue gets jammed up and this can lead to waiting hours for the problem to clear up.
     
  25. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.