How to secure your data in the cloud with Dropbox
Prevent snooping on your files
By Richard Plant | Techworld | Published: 16:29, 17 January 2011
Cloud storage services like Dropbox and Sugarsync offer a great deal of convenience, especially if you’re like me and need to sync files between your work and home PC, and perhaps to a laptop or mobile phone as well.
All this ease of use and ability to access your data from anywhere might be great for you, but it means the files you store in the cloud are easy for anyone who has your password to snoop on. Dropbox only requires an email address and password, and then a hacker could have access to sensitive business information, or personal photos and information you want to keep private.
So, how do you avoid this nightmare scenario? Here are a few simple tips on how to keep your synced files safe from prying eyes.
Related Articles on Techworld
The simple stuff
First, a few simple security tips that everyone should be taking with every application, online service and web-connected device they own.
Avoid open, non-password protected wireless networks like the plague
While most of the time, no one will be intercepting the information you are sending through the router in an open network, there is no way for you to be sure of that. Treat all open wireless points as possible security risks, and avoid visiting any site that requires your password. You never know who’s listening.
Use the HTTPS versions of sites
This simple fix will help you keep the data you send back and forward between your computer and websites like social networks private. While most sites require you to use a secure HTTPS connection to log in, they often switch back to transmitting in the clear afterwards. My favourite solution is to install the HTTPS Everywhere add-on for Firefox to force the encrypted connection. The add-on also secures your Dropbox website interaction.
Set a strong password
Remember to set a password that is not susceptible to guessing or brute force hacking. That means a mixture of upper and lower case characters, numbers and punctuation. Avoid using words that are in the dictionary, proper names and data like birthdays or anniversaries. If your phone supports PIN or password locking, enable that to secure your Dropbox app access.
I would suggest that you use a separate password for each site or service you use, but that’s asking a great deal of people to remember a mountain of randomly punctuated phrases. A less secure but more reasonable solution might be to use one set of passwords for low security sites like Facebook, another set for email and Dropbox, and the strongest set for Internet banking and PayPal.
The steps detailed above should stop casual hackers from being able to access your account. But what happens if your account password is somehow compromised? What if you’ve got sensitive data you need to protect, or you’re worried about police or government requesting your data directly from Dropbox?
If it came down to a court ordering Dropbox to hand over your data, the chances are they would be compelled to do it in order to stay in business. The best password in the world can’t stop someone who can ignore the safeguards on your account.
Dropbox doesn’t apply any kind of file protection to whatever you’ve stored on it by default. It’s really up to you to secure the files from someone who already has access to your account.
Thankfully, putting an extra shield in front of your files is pretty easy. Instead of simply storing the files and folders in your Dropbox folder, first create an encrypted volume and store that in the folder root. Then move everything you want to protect into the volume. Now, if anyone breaks into your account, the data will be encrypted and they will have to provide a password to get access to anything.
The application I use to do this is TrueCrypt. It’s an open source app that runs on Windows, Mac or Linux; best of all it won’t cost you a penny. This handy tutorial will walk you through the process of creating and mounting your encrypted volume.
See this page on the Dropbox wiki for more information and options for setting up an encrypted volume to contain your data.
Paranoid’s choice: Full-disk encryption
Dropbox currently stores its login credentials on disk, so it can connect automatically and you don’t need to provide a password every time you start your computer. So if an attacker gets control of your OS while you’re logged in, they’ve got access to everything on your Dropbox storage, as well as on your hard drive.
The only real way to stop this happening is to add a password to your user account, disable automatic login and make sure it prompts you to log in when waking from sleep.
To stop someone with physical access to your computer breaking in, you might want to set up full disk encryption, another layer of security between the attacker and your data. This guide is a pretty good intro on how to go about protecting yourself, although of course there are plenty of options and sneaky tricks to fiddle with.
If the FBI can’t break into drives secured this way, you should be safe enough.
Thanks to @DowntownKeiraB on Twitter for inspiration.