Selecting an Encryption Method for Cloud Storage


It's likely that there is no one "perfect" method to encrypt data for transit and storage in the cloud. Not unless you fully trust SSL and the cloud storage service you are going to use. But you probably wouldn't be here if you trusted both of them. And all but one of the methods I know of have a salient flaw. So the first step is to pick your poison.

  • Type 1 has a salient flaw because your client-side files reside in an unencrypted folder in your computer. If you're confident nobody will be able to gain access to your computer, that may not concern you.
  • Type 2 is vulnerable to user error. There are two folders for this method, and if the user stores any clear-text files in the encrypted folder they will be uploaded as clear-text files.
  • Type 3 is vulnerable to the same flaw as Type 1, namely the unencrypted client-side folder.
  • Type 4 might not appear to have any fatal flaws. But there is no such thing as fool-proof, so it's just a fool-resistant method. The problem is that Type 4 software involves a cumbersome manual process. Unless you thoroughly understand what's going on, you're likely to make a big mistake. Your data will probably always be secure, but you may lose access to it.

What do I use? I cascade VeraCrypt with Tresorit for my most sensitive documents. Why? First, cascaded encryption reduces the odds that a hacker will succeed in accessing my data. Second, although Tresorit has the salient flaw of Type 1, VeraCrypt removes that unencrypted folder hazard.

The comparison table below is a kind of textual flow chart that describes how each method works. After you've partially digested that, proceed to Overview of the main cloud storage methods to learn more about the pluses and minuses of the Type(s) that appeal to you.

Comparison Table

The table has six columns: Type | Examples | Client-side file access/storage | Encrypt >> << Decrypt | Encrypted files | Sync with the cloud. Each row is set out below as a list.

Type 1:
  • Examples: Tresorit | SpiderOak
  • Client-side file access/storage: Unencrypted folder.
  • Encrypt >> << Decrypt: Integral with the cloud-side processes. Triggered by user or cloud changes.
  • Encrypted files: Local encrypted files only exist in RAM.
  • Sync with the cloud: Sync is integral with the encryption process. Sync is triggered by user changes or cloud changes.

Type 2:
  • Examples: BoxCryptor | Cryptomator | Cloudifile | Viivo
  • Client-side file access/storage: Virtual drive.
  • Encrypt >> << Decrypt: Triggered by user changes or cloud folder changes.
  • Encrypted files: Local encrypted files are stored directly in the special folder assigned by/to the cloud sync service.
  • Sync with the cloud: Sync is controlled by the cloud service. Sync is triggered by cloud folder changes or cloud changes.

Type 3:
  • Examples: Cloudfogger
  • Client-side file access/storage: A managed, but encrypted folder.
  • Encrypt >> << Decrypt: Triggered by user changes or cloud folder changes. The encryption process must be running or new or edited files will be transferred to the cloud in clear-text.
  • Encrypted files: Local encrypted files only exist in RAM. Cloud-side transfer is driven by the encryption process. These encrypted files exist client-side only when the encryption process is running.
  • Sync with the cloud: The sync process itself is controlled by the cloud service. Sync is triggered by the encryption process or cloud changes.

Type 4:
  • Examples: VeraCrypt | CryptSync | Deprecated: TrueCrypt
  • Client-side file access/storage: Virtual drive or virtual file system (works much like a virtual drive).
  • Encrypt >> << Decrypt: Unencrypted content is only available when the encryption process is running. Plain-text content is only virtual, but can be copied or written. Encryption is integral with local storage in one single encrypted container file. Changes are written directly to the container.
  • Encrypted files: Local encrypted files are stored in one single file (volume | vault | container | archive).
  • Sync with the cloud: Sync is controlled by the cloud service. Sync is triggered by changes in the container file. Cloud-side changes require reopening the client-side container file. There will be conflicts if changes from multiple clients collide.

Overview of the main cloud storage methods

Type 1 = [Unencrypted folder] << >> [Integrated encryption & cloud sync] << >> [Cloud storage]

  • Examples: Tresorit | SpiderOak
  • Description: This method includes an integral cloud-storage account. On-the-fly encryption goes straight to the cloud (as does decryption back from the cloud). Encryption and syncing software is combined. Encrypted content exists only in memory and in transit during sync with the cloud. The plain-text (unencrypted) files reside in an ordinary system folder.
  • Pluses:
    • It is unlikely that clear-text files will inadvertently go to the cloud through user error.
    • It's unlikely that clear-text files will be lost.
    • Combined encryption and sync enables finer-grained processes. Functions like economical storage of previous versions in the cloud, file-by-file shareable encrypted links, and collaboration are examples.
    • Local files are always available in plain-text, even when the encryption process is not running.
  • Minuses:
    • Local files are not encrypted at rest by the process, as they are in Type 2. You need to add independent local encryption if you want those files to be encrypted at rest.
    • There are not many free products using Type 1 encryption.

Type 2 = [Virtual Drive - virtual clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: BoxCryptor | Cryptomator | Cloudifile | Viivo
  • Description: The key words here are "Virtual Drive". That's in contrast to the "Unencrypted Folder" of Type 1. User files are always encrypted. They are accessed as virtual clear-text files. The encryption software stores encrypted files in a location associated with the cloud sync/storage service being used. Choice of those services is independent from the encryption software.
  • Pluses:
    • Client-side files are always encrypted
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • The flexibility of cloud provider choice enables choice of features, functions and price.
    • Physical (local) files are always encrypted at rest.
  • Minuses:
    • Pitfall: The folder for encrypted files is an ordinary folder. If the user places any clear-text files directly in the encrypted folder by mistake, they will not be encrypted in the cloud.
    • Client-side files are not available in clear-text if the encryption process is not running. (You need to use the password to open the encrypted container.)
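The Type 2 pitfall above (and the .viivo staging trick a commenter describes further down) suggests a periodic audit of the encrypted-files folder before the sync client ships it. The script below is an added example, not code from this article or from any of the products named: it flags files whose suffix is not the one the encryption tool produces (the .viivo suffix is the only one this page mentions; the allowlist is passed in, so it is an assumption per tool) or, when no suffix is known, whose byte entropy is too low to be ciphertext. The 7.0 bits-per-byte floor and the sample files in demo() are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_FLOOR = 7.0   # bits per byte; ciphertext sits near 8.0, prose/CSV/XML far below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for an empty sample)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_encrypted_folder(folder: Path, encrypted_suffixes=None, sample_bytes=65536) -> dict:
    """Map each suspect file (path relative to folder) to why it looks like clear-text.

    If the tool marks its output with a known suffix (a commenter notes Viivo appends
    .viivo), pass it in encrypted_suffixes and anything else is flagged. Otherwise the
    byte entropy of the first sample_bytes decides; already-compressed files (zip, jpg,
    mp4) score high and slip past an entropy-only audit, so prefer the suffix check."""
    suspects = {}
    for p in sorted(folder.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(folder))
        if encrypted_suffixes is not None and p.suffix.lower() not in encrypted_suffixes:
            suspects[rel] = "suffix not produced by the encryption tool"
            continue
        with p.open("rb") as f:
            if shannon_entropy(f.read(sample_bytes)) < ENTROPY_FLOOR:
                suspects[rel] = "low entropy, probably clear-text"
    return suspects

def demo() -> dict:
    """Constructed folder: one ciphertext-looking file with the tool's suffix, one
    clear-text CSV dropped in by mistake, one random blob with a foreign suffix."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt.viivo").write_bytes(os.urandom(8192))      # looks encrypted
        (root / "budget.csv").write_text("date,item,amount\n" * 500)  # the Type 2 pitfall
        (root / "photo.jpg").write_bytes(os.urandom(8192))           # high entropy anyway
        return {"entropy_only": audit_encrypted_folder(root),
                "with_suffixes": audit_encrypted_folder(root, {".viivo"})}

if __name__ == "__main__":
    for mode, found in demo().items():
        print(mode, found or "nothing suspicious")
```

Run it against the real encrypted folder on a schedule and treat any hit as a file to pull back out before the cloud client uploads it.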

Type 3 = [User Folder - clear-text files] << >> [Encryption] << >> [Folder - encrypted files] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: Cloudfogger
  • Description: User files are contained in a local clear-text folder within the cloud service's client-side folder. Encryption is managed as part of the sync/storage process. Choice of cloud services is independent from the encryption software. It can be Dropbox, OneDrive, etc.
  • Pluses:
    • Compatible with a wide range of cloud storage services, e.g., Dropbox, OneDrive, Amazon AWS.
    • The flexibility of cloud provider choice enables choice of features, functions and price.
  • Minuses:
    • Pitfall: The folder for encrypted files behaves as an ordinary folder. If the encryption process is not running, new or edited files in the client-side folder will be transferred to the cloud in clear-text (unencrypted).
    • Local files are always available as clear text, not encrypted as they are in Type 2.

Type 4 = [Virtual drive - clear-text files are virtual only] << >> [Encryption] << >> [Encrypted volume - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Examples: VeraCrypt | TrueCrypt (not recommended; see the Related article & notes section below)
  • Description: User files exist only in the encryption container. The encryption container/vault/volume is a monolithic (single) encrypted file. They are accessed as virtual clear-text files. Cloud sync and storage is provided by independent cloud services.
  • Pluses:
    • Very robust encryption is available. I use VeraCrypt in this Type 4 configuration, but watch out for the pitfall (below in minuses) if you do.
  • Minuses:
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block-updates (syncing just the changed part of that big encrypted container file).
    • Pitfall: Unless the encryption process is set up exactly right, the cloud sync process will not detect that the encrypted volume contents have changed. That means the changed volume will not be synced with the cloud.
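The Type 4 pitfall is that a container edited in place may not look changed to a sync client that watches size and modification time; VeraCrypt's "Preserve modification timestamp of file containers" preference, on by default, produces exactly that situation. The script below is an added example, not the article's or VeraCrypt's own code: it hashes the container on each run and reports when the contents changed without the timestamp moving. The container name, the state-file name and the edit scenario in demo() are constructed for the demonstration.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def fingerprint(container: Path) -> dict:
    """Size, modification time and SHA-256 of the encrypted container file."""
    st = container.stat()
    h = hashlib.sha256()
    with container.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}

def sync_hazard(container: Path, state_file: Path) -> str:
    """Compare against the fingerprint recorded last run. Returns "baseline",
    "unchanged", "changed", or "stale_timestamp": contents differ but size and
    mtime do not, so a sync client that only watches timestamps may skip it."""
    now = fingerprint(container)
    old = json.loads(state_file.read_text()) if state_file.exists() else None
    state_file.write_text(json.dumps(now))      # remember this run for next time
    if old is None:
        return "baseline"
    if now["sha256"] == old["sha256"]:
        return "unchanged"
    if now["mtime_ns"] == old["mtime_ns"] and now["size"] == old["size"]:
        return "stale_timestamp"
    return "changed"

def demo() -> list:
    """Constructed scenario: a fake 4 KiB container edited in place, first with
    its timestamp put back (the hazard), then with the timestamp advanced."""
    with tempfile.TemporaryDirectory() as d:
        box, state = Path(d) / "vault.hc", Path(d) / "vault.state.json"
        box.write_bytes(b"\x00" * 4096)                # stand-in for a real container
        results = [sync_hazard(box, state)]
        old = box.stat().st_mtime_ns
        with box.open("r+b") as f:                     # rewrite one sector in place...
            f.seek(512); f.write(b"\xff" * 512)
        os.utime(box, ns=(old, old))                   # ...but restore the old mtime
        results.append(sync_hazard(box, state))
        with box.open("r+b") as f:
            f.seek(1024); f.write(b"\x55" * 512)
        os.utime(box, ns=(old + 10**9, old + 10**9))   # mtime moves forward
        results.append(sync_hazard(box, state))
    return results

if __name__ == "__main__":
    print(demo())  # ['baseline', 'stale_timestamp', 'changed']
```

Pointed at a real container after dismounting it, a "stale_timestamp" result means the cloud client will probably not upload the new contents until the timestamp option is turned off or the file is touched.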

Type 5 = [User Folder - clear-text files] << >> [Encryption] << >> [Encrypted archive - single encrypted file] << >> [Cloud sync] << >> [Cloud storage]

  • Example: CryptSync (Augmented 7-zip process, which also provides 7-zip compression) | Others?
  • Description: The encryption process mirrors the clear-text files directly in an encryption container ("archive" in the case of CryptSync/7-zip). They can be accessed independently (directly from the archive).
  • Pluses:
    • 7-zip encryption is time-tested.
    • 7-zip compression is fast and effective.
  • Minuses:
    • This is an unconventional encryption system.
    • Cloud sync will be slow and use a large amount of bandwidth if the cloud service does not use block-updates (syncing just the changed part of that big encrypted container file).
    • Local files are not encrypted.
    • Pitfall: The encryption container is an editable multi-file archive. If the user places any clear-text files directly in that archive, they will not be encrypted in the cloud.

Related article & notes

  • Best Free Encryption Utility for Cloud Storage
  • Full-disk encryption, say with VeraCrypt or BitLocker, is a good alternative strategy. Everything is always encrypted, and you don't need additional software to secure storage in the cloud. ~Thanks for the tip go to member rogerms.

TrueCrypt is the seasoned but abandoned predecessor to VeraCrypt. It once met my criteria for selecting encryption software. The developers of TrueCrypt dropped a bombshell though. It's complicated.... TrueCrypt did pass a preliminary independent audit in 2015, but the dereliction of TrueCrypt now changes everything. For example, recent (September, 2015) vulnerabilities (which will never be patched) have been discovered in TrueCrypt.

Bizarre story behind TrueCrypt: The Atavist Magazine ran a special 7-episode series, The Mastermind, on the backstory of TrueCrypt and its demise. [Index at Longform.org] It's a great read. Certainly more surprising than fiction. You can deduce a more plausible truth about the origins and demise of TrueCrypt from that series than from any of the many other stories on the internet. Scroll down to the bottom of each page to find the link to each next episode.


Comments

Thank you Philip for a wonderful set of articles on encryption and cloud storage. I wonder if the types of architecture (Type 1, Type 2, etc.) are industry recognised terms or terms you have coined yourself?

Also, in some of your other articles you have not mentioned Type 5.

Personally, I find it difficult to understand why Type 1 is not more common. Most people have a number of files and folders on their computer that they want to backup. To copy these to a local folder/drive for them to be backed up to the cloud is a storage burden. Why not just simply backup directly to the cloud? You said there are not many free solutions that use Type 1. This must mean that there are some but presumably you cannot recommend them or have not tried them out.

This is a really good attempt to set out the various combinational options that might be considered for cloud encryption. Having made a lot of use of this site, I thought that I would give something back by setting out my own experience.

First of all, I use Lotus 1-2-3 for almost everything. I mention that because some will wish to stop reading right there. However, the reason that I do so (I'm retired) is legacy scripts, and there is nothing to stop Excel users doing something similar.

Also, I am still using Truecrypt, despite the recent warnings. No-one is likely to get their hands on my virtual drives, so I am not too worried about the weaknesses that have been found. I will change to VeraCrypt in due course, when I have reconciled myself to the extra time taken to open the virtual drives.

For cloud storage I use Dropbox, with the folder in a Truecrypt virtual drive. I tried Sync, but the problem was that anybody with access to the computer can access the website, even if the virtual drive containing the folder is not open. With Dropbox, however, this appears not to be the case.

I used to use Cloudfogger for the local encryption, but found that it stopped working, and that unencrypted files were being uploaded. I can't, in fairness, rule out that there was an error on my part, but it caused me to look at other options. The one that I chose was Viivo. I am not sure why Viivo is described as using a virtual drive, because the method is essentially the same as for Cloudfogger.

To guard against unencrypted files being uploaded, I first copy them to a non-Dropbox (but Viivo-encrypted) folder, and then to the Dropbox folder when the .viivo extension appears. This is automatic with 1-2-3. I have a script which saves the file to this intermediate folder, loops until it finds the file with the .viivo extension, and then moves it to the Dropbox folder (which is also covered by Viivo, just in case).

So, I am covered against the risk of an unencrypted file being uploaded, and it is all automatic.

The only downside to this set-up is that the Truecrypt virtual drive must be opened before Dropbox is run, and this must be done before Viivo is run, which means that they cannot start automatically at start-up. However, that also introduces an extra element of security.

I enjoyed writing that, and hope that it helps someone.

Thank you for taking the time to write your comment, sceptic. Feedback from readers, especially one as detailed as yours, is not only a help to other readers, but it's valuable for editors to know about other viewpoints, and to see what's missing or not clear. In the case of Viivo vs Cloudfogger there is a critical difference. For Viivo the user interacts with what seems like an ordinary local folder where the user's unencrypted files reside. It's actually a virtual drive mapped to a folder instead of a lettered drive.

On the other hand, everything is handled within one local folder by Cloudfogger. Clear-text files use the same file space for both client-side and cloud-side. Evidently some kind of impound or hidden virtual drive/folder is used to manage the interface with the cloud. That's a little different from Viivo and the like. If Cloudfogger is not running, the client-side folder is booby-trapped. New or edited unencrypted files will be transferred as clear-text to the cloud, and the user will not know that's what happened.

Very good article. Personally I prefer to encrypt the entire system disk using VeraCrypt, or BitLocker in some cases. In that case even if the cloud provider stores the files unencrypted locally, they are actually still encrypted. Over the years I've run into some minor issues with the virtual drive method, especially with Office or XMind files.

I've recently switched to Sync.com for cloud storage, and so far I'm impressed.

Thanks, I hadn't thought of that Roger. I make a note of that in the article.

Great article. I'm not familiar with cloud storage so some interesting considerations were mentioned. I doubt I'll ever trust storage outside my control though.

Don't recall seeing posts by Phillip before but if this article is any indication, he will be a great addition to Team Gizmo. I don't really have a need for encryption services but there is some excellent information here for those who do.

Philip is actually one of our longest serving editors and we value his contribution highly. :) MC - Site Manager.

Thank you. I'm pleased to know that you appreciated the article.