14 August 2012

Dropbox Security, From TrueCrypt to BoxCryptor and 1Password

(If you want to skip the below and just get the recommended answer, go buy Boxcryptor and 1Password on all your platforms.  Job done.)

When Dropbox had various security issues last year (the no passwords required for some hours was the kick I needed to sort my security out), I started using Truecrypt to contain all sensitive material I was keeping in Dropbox.  Truecrypt felt good as it was opensource, free, stable, secure, and reasonably usable on OS X and MS-Win.

While I felt a 1000x better about my security situation, I also lost a lot of the convenience of Dropbox by moving to Truecrypt:
  • File sync.  Truecrypt stores its filesystem in a single file.  While Dropbox is efficient at syncing big files at a block level, it doesn't cope well with changes to that file happening roughly concurrently from two or more locations.  If you mount your Truecrypt filesystem from two or more machines and make even vaguely concurrent changes (within a sync activity for example), you end up with two conflicted Truecrypt files.  One quickly learns to only open the Truecrypt volume on one machine at a time.
  • Multi-platform access.  One thing Dropbox did well was to have clients available on all major platforms.  I could access my Dropbox files from OS X, MS-Win, iOS, Android and Linux.  When I switched to TrueCrypt, I was limited to PC, Linux and Mac only (and one at a time at that), no mobile/tablet access.
  • Password management.  I won't say much about this other than it became harder using Truecrypt.
That was last year.  One of the great things about tech is that problems that need solving tend to get solved if you're patient enough.
Enter Boxcryptor for file security and improvements to 1Password for password management.
While there are a number of solutions available to encrypt what you store in Dropbox, I consolidated onto Boxcryptor:
  • Secure.  Uses AES-256.  No cloud aspect to Boxcryptor and therefore no third party has my master key and can take a peak at my data.
  • Plays nice with Dropbox.  Boxcryptor uses a folder+file structure (aka "package" on OS X) with each file encrypted separately enabling Dropbox efficiently sync.
  • Multi-platform access.  Working clients on all major OSs.  At least read access on iOS and Android.
  • Stable.  I've not had a single crash or corruption yet (although I'm still backing up more frequently than I might otherwise).
  • No major delays in supporting the major OS upgrades.
  • It allows for up to 2GB for free and more if you license it.  2GB is a lot.  Once I got comfortable with it I bought a license to get rid of the 2GB restriction.  I feel the license is a nominal cost versus the upside of more user friendly security and vendor support.
I considered Datalocker, Cloudfogger, Hyperdrive, and encrypted zip files.  All of them failed in one or more of the above.
An aside on Dropbox and sharing files:  I don't retain Dropbox's easy sharing of (encrypted) files using Boxcryptor.  Encrypted zip files still perfectly acceptable and secure way to e.g. share a single file in Dropbox with colleagues so long long as you unzip into a secure location and not into Dropbox.  Then you have to zip+encrypt and move the result back into the shared folder in Dropbox.  Zipfile usability compared to regular Dropbox sharing and syncing is poor as a result.  Note that today Boxcryptor doesn't appear to (easily) support multiple concurrently-open Boxcryptor filesystems.  When it does I could see having a Boxcryptor filesystem dedicated to sharing a set of folders/files with a specific workgroup.  Each group to have its own Boxcryptor filesystem - still somewhat painful but better than zip files.
Moving on to password management.  I have to admit my previous method wasn't overly secure and certainly TrueCrypt decreased it's usability.  As I was digging into secure storage, I also had a hunt around for how to improve password management.
Enter 1Password.  Yes, it's been around awhile, but used to be very OS X centric.  I don't know when they went multi-platform but they have.  While they've been the premium (i.e. expensive!) choice for OS X password management for awhile, the lack of support for other platforms had always been a showstopper for me.
Here is the thinking that led me to 1Password:
  • Multi-platform: MS-Win, OS X, iOS, Android.  It's not on Linux, but I don't use a Linux desktop for the 1Password primary use case anyway.
  • Secure.  While I can't keep 1Password's database in Boxcryptor's filesystem (I could, but I lose mobile/tablet access), the 1Password security approach is fine.  My passwords don't go to another third party password service to maintain them.  While Dropbox has my password files, they are encrypted.
  • Plays nice with Dropbox.  The 1Password DB is also a folder+file (package) structure, just like Boxcryptor.  As a result, Dropbox syncing works well.
  • Well supported browser plugins.  I use Chrome and Safari and both are well supported.  Support isn't quite so good on mobile/tablet platforms, but it's better than what I had before.
  • Widely used.  The tech community seems to widely use it.  While not a particularly scientific measure, it seems to be on its way to being a "best practice" solution in my peer group.
I've now deployed 1Password's database into Dropbox.  It'll take me awhile to load all my credentials into 1Password but I think it's a durable investment.
One downside is that 1Password isn't overly cheap.  You have to pay for licenses for each platform (Android still free).  However, just like with Boxcryptor, I think it's worth the cost for the stability, support, and commitment to keep up with OS changes.
I did have a serious look at and play with Keepass for password management.  I like that it's free and opensource.  I liked aspects of it's design and usability.  However there were a few factors that put me off:
  • Fiddly.  There are two different and somewhat competing database and application tracks, 1.x and 2.x.  Both are under active development.  There are various "unofficial" platform ports of each track to various OSs.  You have to pay attention to what version you use on e.g., OS X to make sure it's compatible with the version you use on iOS.  
  • Not keeping up with OS upgrades.  The main OS X port indicated support for OS X 10.6 as most recent and today OS X is at 10.8.  I don't want to be the beta tester for new Keepass releases - what I'm securing is too critical to mess about with.
  • The Keepass database is a single file, meaning that like with TrueCrypt you might have to deal with Dropbox sync collisions.
As a result, I'm an even happier Dropbox user now that I have secured files and passwords and reasonable usability to access both.  All in the licenses across all the platforms for both Boxcryptor and 1Password cost me about $125 (£80).  Yes, this is a lot, but conversely I now feel like I have the best of both worlds - the convenience of Dropbox and the comfort of strong security where it's needed.