Today we can easily access lots of free services “in the cloud” for document sharing, photo publishing and file synchronization. Most users will be happy to have the same pictures or documents available on different devices for free (think of a “classic” scenario with a single user accessing data from a home desktop, a company laptop and a personal iPad), but we must think about security when we move or copy personal information across the internet. The Dropbox compromise is a clear example of the “cloud security” problem. In this post I will try to explain how data can be lost and how we can improve data protection using Free Software on different platforms.
The following diagram shows a classic “cloud synchronization” setup based on Dropbox and similar services:
As you can see, the data is protected only in transit between the devices and the servers, but not locally on the source or the destination. You should consider your data insecure in all three main components:
- 1) Personal devices (desktop, laptop, PDA, smartphone, etc.):
You can probably control access to the device (physically or logically), even though unauthorized access is still possible (exploits, password theft, etc.).
- 2) Communication layer (HTTP, HTTPS, FTP, etc.):
You can probably control only a small part of this layer, from the device to the external firewall, but not the entire communication path. People with access to routers, firewalls and network segments can easily intercept your data stream.
You cannot control any aspect of those hosts. When your data has been saved in the cloud, it can be accessed by many parties: system administrators, backup software, replication scripts and attackers.
To protect your data throughout the cloud, I would like to explain how encryption can help us!
Encryption helps to protect files, communications, devices, web access, etc. against unauthorized access. There are many encryption systems available today, using different algorithms. In this how-to we will use TrueCrypt.
TrueCrypt is one of the best encryption tools available: it’s free, cross-platform, easy to manage and secure. Using TrueCrypt we will encrypt all the information stored in the cloud: on the source host, in transit and on the cloud servers.
What we need to securely synchronize the files:
1) A Dropbox client and account (you can create your account for free and download the client for Windows, Linux and mobile devices)
2) TrueCrypt software. It is available for Windows, Linux, Android, etc.
First of all we need to download and install the Dropbox client. Then it is necessary to create a personal account. If you need assistance completing these steps, please refer to the Dropbox Installation Guide here.
Once your Dropbox setup is complete, you can create your virtual encrypted disk and share it across the Dropbox cloud:
- Download and install TrueCrypt software from here
- Create a new virtual disk by clicking “Create Volume” -> “Create an encrypted file container” -> “Standard TrueCrypt volume”
- Choose as the destination the same folder you are using for Dropbox synchronization
- Select AES-Twofish-Serpent as Encryption Algorithm
- Select SHA-512 as Hash Algorithm
- Choose the virtual hard disk size: please note that Dropbox will sync the ENTIRE FILE whenever you change it. The encrypted volume size must be at most 100 Mb for 7 Mbit/s ADSL users, because the update process uses upload bandwidth!
- Type a password and then confirm it: the password must be complex (uppercase, lowercase, numbers and symbols), quite strong (more than 30 chars) and not related to any personal or public information about you. It is also important to store the password in a safe place.
- Choose NTFS or FAT as the format type.
- Click on format.
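
The password rules from the steps above, as an added example that is not part of the original post: Python code that lists which of the rules a candidate password breaks and generates a compliant one from the operating system's CSPRNG. The function names and the sample personal terms are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 31  # the post asks for "more than 30 chars"
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "symbol": string.punctuation,
}


def policy_violations(password, personal_terms=()):
    """Return the list of the post's password rules that `password` breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length: need more than 30 characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append("missing class: " + name)
    lowered = password.lower()
    for term in personal_terms:
        # Very short terms would match by accident, so they are skipped.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term: " + term)
    return problems


def generate_password(length=32, personal_terms=()):
    """Draw characters from the OS CSPRNG until every rule is satisfied."""
    if length < MIN_LENGTH:
        raise ValueError("length must be more than 30 characters")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, personal_terms):
            return candidate


if __name__ == "__main__":
    # Constructed sample values, not real personal data.
    terms = ["alice", "1984", "rex"]
    print(policy_violations("Alice1984!", terms))
    print(generate_password(32, terms))
```
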
Now you have your personal, encrypted hard drive securely stored “in the cloud”. To use it, you need TrueCrypt installed on all clients, or you can use the portable version.