What program would you use to encrypt your data before uploading it to the cloud?

Discussion in 'privacy technology' started by Dchz92, Jun 3, 2013.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Darn. Do you have a link for this?
     
  2. Reciprocate

    Reciprocate Registered Member

    Joined:
    Aug 14, 2013
    Posts:
    2
    Using AEScrypt at present, but not because I have any expertise as to it's true measure of security. Learned of it through Google's "Duplicatti" project.
     
  3. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    I'm not sure about that. It's possible I'm missing something, or he missed something in his description, but I don't see why essentially having two different volumes would aid in cryptanalysis. From what he described, that's what it sounds like you would have. The only possible way it would help an attacker is if you explicitly told him "this is basically the same volume, I just changed some of the contents." But even then, in a practical sense, it wouldn't help at all really.

    An attacker would have to closely analyze a lot of changes of a long period of time to even begin having an advantage in crack it.

    But see the TC documentation on Security Requirements and Precautions for details on pitfalls.
     
  4. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Thanks JackmanG, that's probably where I read it.

    "IMPORTANT: If you store the backup volume in any location that an adversary can repeatedly access (for example, on a device kept in a bank's safe deposit box), you should repeat all of the above steps (including the step 1) each time you want to back up the volume (see below).

    If you follow the above steps, you will help prevent adversaries from finding out:

    Which sectors of the volumes are changing (because you always follow step 1). This is particularly important, for example, if you store the backup volume on a device kept in a bank's safe deposit box (or in any other location that an adversary can repeatedly access) and the volume contains a hidden volume (for more information, see the subsection Security Requirements and Precautions Pertaining to Hidden Volumes in the chapter Plausible Deniability)."

    and also

    "Volume Clones

    Never create a new TrueCrypt volume by cloning an existing TrueCrypt volume. Always use the TrueCrypt Volume Creation Wizard to create a new TrueCrypt volume. If you clone a volume and then start using both this volume and its clone in a way that both eventually contain different data, then you might aid cryptanalysis (both volumes will share a single key set). Also note that plausible deniability is impossible in such cases. See also the chapter How to Back Up Securely."

    You say it could only help an attacker if you told him "this is basically the same volume, I just changed some of the contents" but if you're regularly uploading slightly different versions of your truecrypt volume to a service that the attacker has access to, this is going to be obvious without having to tell him.
     
  5. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I had a quick play with Cryptsync but it seems that unless I encrypt the folder/filenames, it exposes a bit too much information about my files for my liking and if I do encrypt them, it makes it impossible to find a specific file when I need to, so I don't think that's going to be practical. At least with a Truecrypt archive, once downloaded and unlocked you can browse through the files to find what you're looking for.
     
  6. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,887
    Location:
    US
    Im using WinRaR. Im new to the this encryption... You guys think WinRaR is solid? The data is a bunch of pics but I just like to keep things private and not have same NSA/gmail jack ass lurking through my files.
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    So if you dont create a new volume every time, what other things can a cryptographer infer, other than the fact that it might be a hidden volume?
     
  8. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    I think WinRAR is fine for casual encryption, but not for serious encryption because you can still see the file names inside encrypted archives (although maybe the new WinRar 5 beta has dealt with this). Also, they don't allow the use of keyfiles (which I like for cloud storage and similar). The encryption scheme is AES-128 for rar files and some weaker proprietary algorithm for zip files. AES-128 is fine (if you use a long password), but proprietary algorithms are always questionable.
     
    Last edited: Aug 15, 2013
  9. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    On the first page of this thread I talk about a much better alternative to WinRAR (which happens to also be FOSS)...7-Zip. I would use that, if you need compression. See the post here.

    If you just need some quick encryption of a file or two, or a quick container, I'd go with AxCrypt.
     
  10. MrWayne

    MrWayne Registered Member

    Joined:
    Aug 26, 2013
    Posts:
    23
    I have been using Dropbox + EncFs for a year, and it works great. For me, it's the perfect way to sync an encrypted folder with your folder in the cloud because you don't have to manually encrypt your data with TrueCrypt, 7Zip... right before uploading it.

    Here you have a quick tutorial:

    http://www.webupd8.org/2011/06/encrypt-your-private-dropbox-data-with.html

    Works like a charm in Linux :) I guess there are similar tools for Windows and Mac OS.
     
  11. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I think what I'm going to do is use EaseUS Backup (or Comodo but that seems very buggy) to create a backup in folder 1, then use cryptsync to mirror that folder to my Dropbox folder.

    That way, if the encryption used by the backup program is compromised (or it doesn't have any at all, as with EaseUS), it doesn't matter as Cryptsync is using 7-Zip's open-source encryption to encrypt the backup before it's uploaded to dropbox and it's better than using Cryptsync alone as that exposes the filenames (or makes it impossible to find a particular file if using the encrypt filenames feature).

    EDIT: Well that was the plan. However, Cryptsync is unable to encrypt/mirror my EaseUS backup file .PBD for some reason. I can manually 7-zip it to the same folder, so I don't know what the problem is.

    EDIT2: Ah, if I replace the zip files in the Cryptsync folder with the 64-bit ones it works. It seems to take a long while after it's actually created the zip file to finish syncing though, so it's probably better just to make a batchfile to run 7-Zip and add that as a scheduled task. It seems there's only a 32-bit version of the 7-zip command line though http://www.7-zip.org/download.html so I'm not sure this will work, I'll have to try.

    OK, this seems to work OK:

    EDIT: By default it uses ZipCrypto, which is not as secure as AES256 apparently, so I've added -mem=AES256.

    7za a -psecret -mem=AES256 "d:\backups\data backup\Dropbox\EaseUS Data Backup.zip" "d:\backups\data backup\EaseUS Data Backup\*.*"

    EDIT2: Aha, I was wondering why it wouldn't show the command window whilst running, which I want it to do so I can see it's running as scheduled. Turns out it doesn't show the window if "Run whether user is logged in or not" is ticked. I also found I had to fill in the Start In box with C:\Program Files (x86)\7-Zipa\ (note, without quotes) otherwise nothing happened when I ran it.

    I'm not sure how this will work with Dropbox and whether, when the zip is updated each week it will be able to upload only the difference or will have to upload the entire file each time.

    I guess this method is still vulnerable to the same risk as with uploading changing versions of a TrueCrypt container, so it might be best to forget about using Cloud services for backups altogether, certainly for sensitive/private files anyway.
     
    Last edited: Aug 29, 2013
  12. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    That was some good info. Thanks for sharing your experience with all that.

    Well, it may not be the most streamlined, but I feel like the process I described here is pretty secure.

    Particularly for long-term backups that you don't need to change, I see nothing wrong with using the cloud, provided you're simply uploading encrypted containers.

    Obviously wanting a constant updated backup of changed files makes it more difficult, but I still think that process is workable.
     
  13. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Thanks JackmanG. I had a look at your process and it's very helpful.

    I've actually found that running 7-Zip as a task rather than using Cryptsync has a major drawback.

    With EaseUS ToDo Backup, making incremental backups it creates sequential containers, so the first will be Backup.PBD, then the next time and changes will be in Backup2.PBD and so on.

    Using a 7-Zip scheduled task, this puts everything in a single zip, such as Encrypted Backup.zip, so obviously this is going to change every time the task runs and adds more files to it, not to mention it doesn't seem able to tell that a certain file is already in the zip, so it has to compress and add every .PBD each time.

    Cryptsync has a big advantage here as it zips each file seperately, so I get Backup.zip, Backup2.zip. This means that Dropbox or whatever won't have to re-upload the zips that have already been uploaded but only the new ones, which might be very small if not many files have changed/been created since the last backup. I think it can also tell that it's already zipped/synced a file, so it doesn't have to re-zip the .PBDs it's already done each time.

    So I've gone back to using Cryptsync for now as it seems to be the best way to simplify the process and minimise uploads to the Cloud service.

    I actually think using a non-sync service like Mega makes more sense for backups, as you'd only have to accidentally delete a backup file from Dropbox and it would sync and delete it from your HDD as well, leaving you with no backup (unless you'd made another copy, which of course you should) and with EaseUS and Cryptsync, you only need to upload the new incremental .PBDs (encrypted with 7-ZIP) each time. EaseUS lets you browse the backups to restore files, so if you don't keep the unencrypted .PBDs on your HDD, you'd just need to decrypt them with 7-Zip (or download them first if you don't have a local copy) and then browse and restore your files.
     
  14. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Thanks JackmanG and others here who provided some good feedback on my questions.

    I too apologize for the slow response! :D
     
  15. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    I use 7-zip before uploading to the cloud storage.:):thumb:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.