Tim's Blog

Information, Technology, Security, and other stuff.

Moving to Dropbox and Boxcryptor

Published 2014-09-13

So Dropbox have unleashed Dropbox Pro, offering a 1TB plan for AUD$10.99/month. I was a paying customer with Dropbox a couple of times in the past, but I always dropped it because it simply didn't offer enough storage space for what I was paying, and I wasn't keen on the idea of paying more than $10/month for a level of cloud storage that I needed. Storage should be cheap.

Now because of this 1TB plan I figured I might try to simplify my backup strategy even more, and try to get some synchronisation/automation happening with it, so I forked over some cash and have come up with the following.

## Re-evaluating my Backup Strategy

I've been lugging around external drives as my main hub of data for a while now (here's a post about it), but one of the big issues I've always had is the fact I suck at keeping the information in sync consistently. Even putting a calendar entry in to remind me doesn't work. If my routine is disrupted, then it's quickly forgotten.

So now I've decided to replace my 1TB External drives with a 1TB Dropbox account.

When I upgraded my Dropbox account and started to load it with data, I realised that I hadn't considered that the Dropbox folder is in my home folder by default. I quickly filled up the SSD that my OS runs on. Whoops.

So to get the space I needed I chose to move the Dropbox folder onto a 1TB external drive for my main computer (as I don't have 1TB of free space on any internal drives), which I'll leave plugged into the computer at all times. I've encrypted the drive as well so it's no concern if somebody takes it.

If the drive is disconnected, then Dropbox will kill itself until you put the drive back.

This diagram below pretty much sums up my new strategy. Each machine I use will have Dropbox installed on it, and they'll all push their changes up to the cloud, solving my sync problem. The little green house icons are CrashPlan, which I use as a secondary backup service for data that can't go into Dropbox (like my home folders, or gigantic files not often accessed). I may ditch CrashPlan though if I can't find any value in it in the future.

[Diagram: Backup Strategy]

I can use Selective Sync with Dropbox to sync only the necessary data to my machines that don't have as much space, like my Mac or my Work PC.

## Maintaining Security

Now I think you'd be insane to put everything into Dropbox. The employees of the company can access the information within if they wish, or they can hand it over to authorities if requested. And the service is a US-based company, so even being in Australia my data is still under US jurisdiction (even if the data is sitting on an Australian server).

Until they adopt some form of Zero-Knowledge capability, they cannot be trusted completely. It's not a tinfoil hat kind of fear I have, it's just a fear of the imperfections of humans. A simple oversight is all it takes to expose your data, and I don't want my financial information or emails being leaked like that.

So to get my Private information into my Dropbox to still reap the benefits of the cloud, I installed Boxcryptor, which is a sweet little tool that encrypts files in your Dropbox before they're sent up to Dropbox. It's like adding a Zero-Knowledge layer on top of the service.

Boxcryptor basically acts like EFS on Windows (the installer actually recommends disabling EFS so there's no confusion), and to access your data you need to go through a virtual drive that it mounts to your computer. I've tried to run it on my Mac to see what the experience is like on there, but it won't currently run on the Yosemite beta.

If you sign out of the application, then the virtual drive is simply disconnected.

Here are the configuration changes I made to Boxcryptor to help strengthen it:

  • Don't remember password. I think it's safest to require intervention at boot for the decryption of your files, in case somebody gets a hold of your PC and you don't have disk-level encryption enabled, or they can bypass authentication to the machine.
  • Enable Filename Encryption. Optional, but I think it's safer to do this. A lot can be inferred by the names of files. This does require the paid version though.
  • Disable Start with Windows. You should only use the application when you need it, otherwise the convenience will expose you to more risk.
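Because encryption only happens on the way through the virtual drive, a file saved straight into the Dropbox folder syncs as plaintext. The script below is an added example, not part of the original post or of Boxcryptor: it walks a folder that should hold only ciphertext and flags files whose byte entropy looks like plaintext. The 7.5 bits/byte threshold, the 64 KiB sample size and the demo folder and file names are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def find_probable_plaintext(root: str) -> list:
    """Return relative paths under root whose sampled content looks unencrypted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            # Low entropy means structured data (text, CSV, office XML), not ciphertext.
            if shannon_entropy(sample) < ENTROPY_THRESHOLD:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_demo_folder() -> str:
    """Constructed sample: a random blob standing in for ciphertext, plus one plaintext file."""
    root = tempfile.mkdtemp(prefix="sync-audit-")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "blob-a.bin"), "wb") as fh:
        fh.write(os.urandom(32 * 1024))
    with open(os.path.join(root, "finance", "tax-2014.csv"), "wb") as fh:
        fh.write(b"date,payee,amount\n2014-07-01,ATO,1234.56\n" * 200)
    return root


if __name__ == "__main__":
    for rel in find_probable_plaintext(build_demo_folder()):
        print("not encrypted:", rel)
```

Entropy is a heuristic: already-compressed plaintext (ZIP, JPEG, video) also scores near 8.0 and will pass unflagged, and files of only a few hundred bytes cannot reach the threshold even when encrypted.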

## Why Dropbox specifically?

I have evaluated most of the cloud storage providers, and the one thing that I have come to care most about is stability. I want a service provider that I know will be there in 5 years' time.

  • SpiderOak is a few years old, but I still find some latency in the product's ability to keep in sync across machines, meaning I can't trust that some file I put on one machine will make it across to the others in a timely manner.
  • Mega was promising with its 50GB of free storage and supposed zero-knowledge policy, but it's really hard to trust that a venture by Kim Dotcom now won't have the plug pulled on it.
  • OneDrive, Google Drive and iCloud all have very pricy options for 1TB of storage, and they're tied to one platform.

I guess I like Dropbox for being a standalone player in the market. They essentially pioneered the consumer cloud storage industry and they've still maintained their platform independence. As I mentioned before, they can't be trusted with anything really important as they're not zero-knowledge, but they can be trusted to keep the service running and to always be neutral to platform support.

I think if they were taken over by Microsoft or Apple or another one of the companies that like vendor lock-in for their customers, then I'd probably start looking for an alternative again.