Cloud services with data encryption. A way to conveniently encrypt data in the cloud (using your own means).

Over the past few years, so many services for remote storage and synchronization of user data have appeared that it is almost impossible to avoid using them. Nonetheless, confidentiality concerns stop many people. In the end, by uploading files to the cloud we transfer them to someone else's computer, which means that someone besides us can have access to our information.

On the other hand, it is difficult to abandon the many amenities that data storage services give us: having a backup copy of files, the ability to access your documents from any device from anywhere in the world, and conveniently transferring files to other people. You can find several ways to solve the security problem of remote file storage. Some of them will be discussed in this review.

Cloudfogger - free encryption for any cloud

Perhaps the easiest way to take care of the security of files stored in the cloud is to encrypt them manually. To do this, you can use password-protected archives or one of the many existing encryption applications. But for those who deal with a large number of documents that are constantly being amended, such methods are not very suitable. Since remote file storage services spare us the need to upload files manually, the encryption process should be automated too. This can be done with the specialized Cloudfogger program. It works on Windows and Mac and can also be installed on Android and iOS devices.

The application encrypts data with 256-bit AES (Advanced Encryption Standard) before it is uploaded to the cloud. Files are transferred to Dropbox and other cloud storage servers exclusively in encrypted form, so they can only be opened if Cloudfogger is also installed on the device from which you want to open them.

It is very convenient that encryption does not get in the way of everyday work: the key for accessing files is entered only once, when the system boots, after which you can work with them in the normal way. But if, for example, the laptop is stolen, then at the next start the attacker will no longer be able to find out the contents of the files in the protected folders.

When you start working with Cloudfogger, you need to create an account (for greater security you can disable the password recovery option, but then you must not forget the password). The application will then try to find the folders of the popular cloud services Dropbox, SkyDrive, Google Drive and others on its own. But even if Cloudfogger does not manage this automatically, you can still manually select the directories whose contents you want to encrypt.

In addition, it is possible to define individual files from any other folders. This is easiest to do using the Explorer context menu - Cloudfogger adds its own list of commands to it.

It is also possible to exclude individual directories and files inside the folders protected by Cloudfogger from encryption. Such data will be uploaded to cloud services as usual. Bear in mind that after a synchronized folder is placed under Cloudfogger protection, it will take some time to re-upload its data to the cloud storage.

Another feature of Cloudfogger is the sharing of encrypted files with other people. If the data contained in the cloud storage is protected by the application, standard methods for sending links to other people will not work. But if you allow access to files in the Cloudfogger interface, you can safely share them with other people. Files encrypted by Cloudfogger can be transferred on a USB flash drive or sent by mail.

Technically, file access works like this: each Cloudfogger (.cfog) file contains a unique AES key, which is stored in encrypted form in the file itself. These 256-bit keys are protected by RSA keys that are unique to each user. Decryption takes place only if the user whose RSA key matches the one recorded in the header of the .cfog file is trying to access it. If there are several such users, the data for each of their keys is entered in the file header.

Another specialized solution for securing files on cloud services is Boxcryptor. Originally created as an add-on to Dropbox, today this application supports all popular remote file storage services. The free version, however, only encrypts data stored on a single service, and encryption of file names cannot be enabled.

Boxcryptor automatically detects the presence of installed clients of popular services for storing files in the cloud (even Yandex.Disk is supported), creates a virtual disk and adds the corresponding folders to it. In the settings you can manage all the connected folders: add new ones, temporarily disable encryption, and so on.

The service offers support for all major platforms, both desktop and mobile. There is even an extension for Google Chrome. To work with Boxcryptor you will need to create an account - it is strongly discouraged to forget your password!

Tresorit - cloud service with increased attention to security

If, for security reasons, you are not yet using any services for remote file storage, you should pay attention to the young Tresorit project, launched about six months ago. The service was created as an alternative to standard solutions for storing files in the cloud and is ready to provide a much higher level of file privacy.

Tresorit provides client-side file encryption, so all data is stored on the service's servers in encrypted form. The strong AES-256 algorithm is used for encryption. When creating an account, users are warned that if the password is lost, it will be impossible to access the data on the remote server. There is no way to recover the password, since it is not stored anywhere: neither in the installed application, nor on the service's servers. For users who have lost their password, the Tresorit developers offer only one solution - register again.

For increased security you will have to pay by abandoning some familiar functions. For example, you can’t access your files from someone else’s computer - Tresorit does not have a web interface. So far, developers have not even promised such an opportunity, explaining this by the fact that JavaScript has many vulnerabilities. However, given the possibility of installing the Tresorit application on mobile devices, this drawback does not seem so serious - after all, if there is no way to carry a laptop everywhere, then the smartphone is almost always with the user.

To exchange files, invitations sent by mail are used. By setting up shared access, you can assign different roles to people: some can only view files, others can make changes to them and add new files to folders, and others can also invite new users.

MEGA - secure 50 GB in the cloud with synchronization

Until recently, Kim Dotcom's new brainchild could hardly be considered an alternative to the usual remote file storage services. The only way to upload files to it was to drag them into the browser window, so there was no question of automatic uploading or synchronization.

But with the release of the Android application, as well as the beta client for Windows, the service has these two most important features.

We already wrote about the service itself and the security principles on the basis of which it was created in the material “Kim Dotcom's Mega-Return: 50 GB in the Cloud for Free,” so we will focus only on the main points. So, MEGA was created as a response to the closure of Megaupload by the American authorities. The servers that store user data are located in New Zealand. All files are encrypted on the user side, that is, before sending to the service, so it is impossible to access them without knowing the password. Unlike Tresorit, MEGA works in a browser and allows users to view lists of files, delete and move them, but online viewing is not available because they are encrypted. To view the file, you must first download it to disk. A 2048-bit RSA key is used for encryption, and a forgotten password cannot be recovered, since it is also an encryption key.

At first, users did not even have the opportunity to change the password entered during registration, but now this opportunity has appeared. Moreover, if the user has already logged into his MEGA account in the browser, but does not remember the current password, he can change it by entering a new one and then clicking on the confirmation link in the email that is sent to the email address associated with the account.

The MEGASync client allows you to synchronize the contents of any folders on disk with virtual folders in your Mega account. Right at the initial setup, you can choose which folders you want to back up.

Later in the application settings, you can add additional folders. Client settings also make it possible to view information about free space (recall, Mega offers as much as 50 GB for free), limit download speed, use proxies.

The MEGA client for Android allows not only downloading files stored on the server, but also automatically uploading to the service all the photos and video files taken by the device’s camera. Also in the client are all the basic operations for working with files: delete, move, create links to files for sharing with other people, search.

Conclusion

Having files on your computer whose contents no one else should know is not a reason to refuse remote data storage services. You just need to take care of confidentiality, either by installing software that provides additional protection or by preferring one of the services with client-side encryption. The most attractive of all the solutions considered is Mega. The service offers a very large amount of disk space for free, encrypts files before uploading them to the server without any additional utilities, and also lets you view the list of files and manage them in a browser and from an Android mobile device.

Good day, dear readers of the site. I think many people have wondered about the security of cloud data storage: many keep confidential personal data there, and no one wants that information to reach third parties, even by accident. Data encryption can help here.

But encrypting every single file takes a long time, and uploading an encrypted container to the storage and re-uploading it completely every time even one of the files inside changes is not sensible either. The Cryptomator application can help solve this problem.

Cryptomator is an application for encrypting data sent to cloud storage, i.e. encryption does not take place on the data server, but on your computer. This approach has its pros and cons:

Pros:

  • There is no need to authorize the application with the cloud storage.
  • Higher speed of file encryption / decryption, since it depends only on the performance of your system and the program itself.
  • Data does not have to be sent to cloud storage at all (a vault can stay local).
  • The program is completely free and an Open Source project; anyone can inspect the code on GitHub.

Minuses:

  • You need a cloud service client for data synchronization, or WebDAV access (more on that below).

Install Cryptomator

In Ubuntu, Mint and elementary OS, the installation is done from a PPA repository. Enter the following commands in the terminal:

  sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
  sudo apt-get update
  sudo apt-get install cryptomator

Or you can download the deb package on the developer's site.

In Fedora, openSUSE, CentOS and other distributions that use .rpm packages, Cryptomator is installed by downloading the RPM package for 32-bit or 64-bit systems from the official site. Cryptomator is also available in the AUR.

As you can see, installing the program does not require much effort.

How to use Cryptomator

We launch the application and see a simple control window:

As you can see in the image, I have already created one vault.

Press the "+" button in the lower left corner; a file manager opens where you select the storage location (I recommend a folder that is automatically synchronized with a cloud service) and the name of the vault.

Then enter the password for access to the vault.

And push Create Vault, then you will be prompted to re-enter the password to unlock the finished storage.

Copy the data you want to encrypt into the unlocked vault; for example, I copied the application's own .rpm package. The program window displays a graph of encryption / decryption activity: a red line for encryption and a green one for decryption.

After the encryption process is completed, click Lock Vault. Then you can synchronize the data with the cloud service. After encryption, the files look like this.

This folder contains a file named "masterkey.cryptomator"; it is used to unlock the vault when you later add the existing vault to the application.

Conclusion

As shown above, installing, configuring and using the program requires no skills beyond the basics, so any beginner who wants to secure their data can work with it. Unfortunately, the interface and functionality of the Cryptomator application for Linux lag well behind the Windows and macOS versions; one can only hope the developer will address this.

I have already spoken about the complexity of the situation with business and cloud technologies (in fact, not only with business, but with any client that stores any confidential information). On the one hand, convenience and economy give an advantage over competitors. On the other hand, the immaturity of the algorithms and mechanisms for protecting information, which may materialize even as a single data leak over several years, can result in losses, both material and reputational, that wipe out all the savings.

However, if we approach the issue comprehensively, the probability of the worst-case scenario can be significantly reduced. In the end, the salvation of drowning people is the work of the drowning people themselves. Client-side file encryption alone adds an important additional security barrier - after all, the files are never decrypted on the storage server. Another option is to use more secure services.

Encryption is a more reliable method, but imposes certain restrictions on working with files. In particular, encrypted files cannot be viewed online, they are more difficult to transfer to other users - in order to view the contents of the encrypted file you will need at least a password, and in some cases also a program for decryption.

Before delving into the details, I recommend consulting an article () published earlier on information security and cloud technologies, from there you will learn in particular why it is so dangerous to use the same password twice and how to set up two-step authentication in Dropbox (which will significantly reduce the chances of breaking into your account with little or no effort on your part). And now - in more detail about today's topic.

Create container in TrueCrypt

TrueCrypt is open-source cryptographic software that creates an encrypted container on the hard drive into which you put files or folders with files. The container is mounted as a folder or a separate volume, while from the “outside” it is visible only as a large array of binary data that cannot be read without the program and knowledge of the passphrase. Using TrueCrypt, you can work with data inside an encrypted container as if it were a regular folder; encryption and decryption operations are performed on the fly. In such a container you can work safely without fear that someone else will gain access to important data, and for greater safety (after all, loss of information due to a technical malfunction is also common) it makes sense to store the container in your Dropbox folder.

Why Dropbox? There are several reasons. Firstly, Dropbox has no limit on the size of the stored file, which allows you to make the cryptocontainer arbitrarily large. Secondly, Dropbox can detect changes in the structure of synchronized files and copy only them. In practice, this means that when making changes to a huge archive, Dropbox will only synchronize a small part of the data that has been modified, and not the entire file, as most other services do.
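Whether this block-level synchronization actually pays off for an encrypted container depends on the container format: an edit must change only the ciphertext near the edit, not the whole file. The following Go program is an added example written for this review, not code from Dropbox or TrueCrypt, that makes both halves of the argument concrete. It assumes a container encrypted in 512-byte sectors with AES-CTR, using the sector index as the IV, as a simplified stand-in for the sector-based XTS mode real disk encryption uses, and a sync client that hashes the ciphertext in 4 KiB blocks and re-uploads only blocks whose hash changed; both sizes are demo choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	sectorSize = 512  // encryption granularity inside the container (assumed for the demo)
	syncBlock  = 4096 // granularity at which the sync client hashes and uploads (assumed for the demo)
)

// encryptSectors encrypts a container sector by sector with AES-CTR, deriving
// each sector's IV from the sector index. It is a simplified stand-in for the
// sector-based modes real disk encryption uses (such as XTS): an edit inside one
// sector changes only that sector's ciphertext. Applying it twice decrypts.
func encryptSectors(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += sectorSize {
		end := off + sectorSize
		if end > len(data) {
			end = len(data)
		}
		var iv [aes.BlockSize]byte
		binary.BigEndian.PutUint64(iv[:8], uint64(off/sectorSize))
		cipher.NewCTR(block, iv[:]).XORKeyStream(out[off:end], data[off:end])
	}
	return out
}

// blockHashes is the per-file state a delta-sync client keeps: one hash per block.
func blockHashes(data []byte) [][32]byte {
	var hashes [][32]byte
	for off := 0; off < len(data); off += syncBlock {
		end := off + syncBlock
		if end > len(data) {
			end = len(data)
		}
		hashes = append(hashes, sha256.Sum256(data[off:end]))
	}
	return hashes
}

// changedBlocks returns the indexes of blocks whose hash differs between two
// versions, i.e. the only blocks the client has to upload again.
func changedBlocks(before, after [][32]byte) []int {
	var changed []int
	n := len(before)
	if len(after) > n {
		n = len(after)
	}
	for i := 0; i < n; i++ {
		if i >= len(before) || i >= len(after) || before[i] != after[i] {
			changed = append(changed, i)
		}
	}
	return changed
}

// simulateEdit builds a constructed container of size bytes, encrypts it, flips
// one plaintext byte at offset, re-encrypts, and reports which sync blocks of
// the ciphertext changed. With sector-local encryption that is a single block.
func simulateEdit(size, offset int) []int {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit demo key
	plain := make([]byte, size)
	for i := range plain {
		plain[i] = byte(i % 251)
	}
	before := blockHashes(encryptSectors(key, plain))
	plain[offset] ^= 0xff
	after := blockHashes(encryptSectors(key, plain))
	return changedBlocks(before, after)
}

func main() {
	// A one-byte edit in a 1 MiB container: only block 4 (bytes 16384-20479) goes up again.
	fmt.Println("sync blocks to re-upload:", simulateEdit(1<<20, 20000))
}
```

The CTR stand-in keeps the delta-sync property but, because the key and the per-sector IV are reused across versions, anyone holding two versions of a sector learns the XOR of the two plaintexts; that is one reason real containers use XTS rather than CTR, and why the sector-local behaviour, not this particular cipher mode, is the point of the example. The opposite design, re-encrypting the whole file with a fresh nonce on every save, would make every block hash change and hand the sync client the entire container each time, which is the case the text contrasts Dropbox with.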

Create an archive in the cloud using BoxCryptor

If you still use a cloud service as storage, why not create an encrypted archive right there? Apparently, the creators of the popular BoxCryptor application reasoned this way; contrary to what you might think from the name, it works with any cloud service. BoxCryptor creates an encrypted archive in the folder of the selected service, and all files stored there can be added and modified through the virtual disk the program creates. There are also applications for mobile platforms that let you access the encrypted archive from your tablet or phone: for Android (works with archives stored in Dropbox and Google Drive; SkyDrive support is promised in the near future) and iOS (only works with archives stored in Dropbox; Google Drive and SkyDrive support is promised in the near future). The free version of BoxCryptor can work with only one archive and does not encrypt file names; otherwise there are no restrictions. Similar services are provided by the competing CloudFogger and SecretSync.

Use a cloud service with client-side encryption support

So far we have only discussed measures to protect information on the client side that you need to take yourself. However, there are cloud services where this process is automated; examples are SpiderOak and Wuala. Their clients work in such a way that information is encrypted locally before it is sent to the server, so even the service owners themselves do not know what is stored on their servers, since the key is kept in the client software. Installing and configuring the SpiderOak client is slightly more complicated than Dropbox, but there are unique features, such as password protection for shared files.

Encrypt single files

  If you do not have many files or you just need to send the files in encrypted form, it makes sense to just pack the necessary files into an encrypted archive. The popular 7zip archiver is perfect for such tasks - just select the “encryption” option and create a password when creating the archive.

Full disk encryption

  Consider the reverse situation: you constantly work with a significant amount of confidential information. In this case, it makes sense to use full-disk encryption solutions such as FileVault for OS X, BitLocker for Windows, or EncFS for Linux. Such solutions can be used both to create a separate encrypted partition on the hard disk and to encrypt the entire disk. In the latter case, only a small section containing the system's boot files remains unencrypted, and authentication can use either a password or stronger methods such as a USB stick on which the key is stored. Such protection slows the system down and makes file recovery very problematic in case of failure, but provides the most complete data security. Of course, all data stored in cloud services will also be encrypted, since it will be uploaded to the cloud already encrypted; however, it will then be impossible to access it through the web client.

Unfortunately, cloud service developers do not really care about data security. Even the most popular of them (Dropbox, Google Drive) can not boast of "native" encryption. Fortunately, there are already utilities that provide encryption in the cloud, moreover, they work on the client side, thereby increasing file security during transfer. Probably the most popular data encryption tool in the cloud is Boxcryptor.

Boxcryptor is a data encryption program specially optimized for cloud use. It allows you to safely transfer and store data in cloud storage. Boxcryptor supports all popular cloud storage: Dropbox, Google Drive, OneDrive, etc.

Boxcryptor working principle

Boxcryptor creates a virtual disk on the computer that allows you to locally encrypt data before downloading it to the cloud. When a file or folder is added to the storage, their contents are encrypted on the fly during copying. Boxcryptor uses AES-256 and RSA algorithms for reliable information protection.

The disadvantage of this kind of encryption is that the data in the cloud becomes inaccessible when downloaded through a browser. The developers took this into account and added the ability to disable encryption for any files added to the cloud, so that other users (who do not have a Boxcryptor key) can access the data. It is also possible to grant access securely through user keys.
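Both the Cloudfogger description earlier on this page (a .cfog file whose header holds the file's AES key wrapped once per authorised user's RSA key) and Boxcryptor's AES-256 plus RSA design with access granted "through user keys" are the same hybrid construction. The following Go program is an added example written for this page, not code from either product, and it assumes a simplified container: a fresh 256-bit file key, AES-256-GCM for the body, RSA-OAEP with SHA-256 to wrap the file key for each recipient, and the SHA-256 of the recipient's public modulus as the header lookup identifier. The real products' header formats and padding choices are not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HeaderEntry is one per-user record in the file header: the file's random
// AES-256 key wrapped with that user's RSA public key (RSA-OAEP).
type HeaderEntry struct {
	KeyID      [32]byte // SHA-256 of the public modulus, used to find the caller's entry
	WrappedKey []byte
}

// EncryptedFile models a container like the .cfog file described in the text:
// a header with one entry per authorised user, plus the AES-encrypted body.
type EncryptedFile struct {
	Header []HeaderEntry
	Nonce  []byte // AES-GCM nonce for the body
	Body   []byte // AES-256-GCM ciphertext of the file contents
}

func publicKeyID(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func wrapFor(fileKey []byte, pub *rsa.PublicKey) (HeaderEntry, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	return HeaderEntry{KeyID: publicKeyID(pub), WrappedKey: wrapped}, err
}

// EncryptForUsers generates a fresh 256-bit file key, encrypts the contents with
// it once, and wraps that key separately for every recipient.
func EncryptForUsers(plaintext []byte, recipients ...*rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil { return nil, err }
	gcm, err := newGCM(fileKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ef := &EncryptedFile{Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		entry, err := wrapFor(fileKey, pub)
		if err != nil { return nil, err }
		ef.Header = append(ef.Header, entry)
	}
	return ef, nil
}

// recoverFileKey finds the caller's header entry and unwraps the file key with
// the caller's private key. A user without an entry gets an error, never the key.
func recoverFileKey(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	id := publicKeyID(&priv.PublicKey)
	for _, e := range ef.Header {
		if e.KeyID == id {
			return rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
		}
	}
	return nil, errors.New("no header entry for this user's key")
}

// DecryptAsUser unwraps the file key for this user and decrypts the body.
func DecryptAsUser(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := recoverFileKey(ef, priv)
	if err != nil { return nil, err }
	gcm, err := newGCM(fileKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, ef.Nonce, ef.Body, nil)
}

// ShareWith lets an existing recipient grant another user access: only a new
// header entry is appended; the encrypted body is neither changed nor re-uploaded.
func ShareWith(ef *EncryptedFile, granter *rsa.PrivateKey, newUser *rsa.PublicKey) error {
	fileKey, err := recoverFileKey(ef, granter)
	if err != nil { return err }
	entry, err := wrapFor(fileKey, newUser)
	if err != nil { return err }
	ef.Header = append(ef.Header, entry)
	return nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key pairs
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := EncryptForUsers([]byte("constructed confidential document"), &alice.PublicKey)
	_ = ShareWith(ef, alice, &bob.PublicKey)
	out, _ := DecryptAsUser(ef, bob)
	fmt.Println("bob reads:", string(out))
}
```

Sharing costs one extra header entry and no re-upload of the body, which is what makes "share via the application's interface" cheap for these tools. The same structure explains a limitation worth knowing: removing a header entry does not revoke access, because that user may already hold the file key; genuine revocation means encrypting the content again under a new file key and rewrapping it for the remaining recipients. A corporate "master key" of the kind the Boxcryptor feature table later on this page mentions can be realised as one more recipient added to every file; that is an assumption about one possible design, not a description of Boxcryptor's internals.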

Tariff Plans

There are several Boxcryptor tariff plans: Free, Unlimited Personal, Unlimited Business. More details can be found on the developer's website (link at the beginning of the article). But the functions of the free version for personal use are quite enough.

Supported OS

Boxcryptor supports both desktop and mobile operating systems. There are versions for Windows, Android, iOS, Mac OS X, Linux.

Using Boxcryptor

Install Boxcryptor

Before installing the program, it is desirable that the cloud storage client (Dropbox, Google Drive, etc.) is already installed. In this case, Boxcryptor will automatically detect and mount the data folder in the cloud.

Installing Boxcryptor is no different than installing a regular program. During the installation process, you will need to select the system reboot checkbox when the program is installed, otherwise the installer will give an error.

You will also need to enable the installation of the virtual device driver.

Boxcryptor setup

After installing the program and rebooting, you will see the following window.

Boxcryptor allows you to create both a remote and a local account. In the second case, security will be even higher, since the key is not transmitted over the network, but only you are responsible for its storage and if it is lost, the data will not be recoverable.

To create a local account, click on the ellipsis (picture above). Then in the field "Local account" you need to click "Setup account".

We put a checkmark, thus confirming the responsibility for storing the access key file and click the "Create key file" button.

In the next window, we create a password and tick off the agreement with the terms of use and privacy policy.

Again we agree with the understanding that the responsibility for storing the password lies with us.

The next window will show the local account information. Click the "Next" button, thus confirming this data.

In the next window you need to select a tariff plan. Click on "Free", then on the "Next" button.

The last welcome window will indicate successful account creation. Click "OK" and you will see the login form on your local account. Enter the password you have previously created to enter it.

A usage guide should appear - "Tutorial" (you can close it right away) and a Windows Explorer window with already connected cloud storage (Dropbox in my case).

In the explorer window, in addition to logical drives, you can still see the virtual drive, in which there is a folder that refers to a folder in the cloud storage.

To encrypt a file, right-click on it and select the "Boxcryptor > Encrypt" command.

After encryption in the Boxcryptor virtual drive folder, the file can be operated as usual. But in the storage directory and on the server it will be encrypted.

Also, when you try to add files to the storage, a request for encryption will pop up.

If you have several cloud storage clients installed, they are managed in the settings (Boxcryptor's icon in the Windows tray > Settings) on the "Locations" tab.

Recently, users are becoming more mobile, freelance services are more in demand, and companies are moving to remote jobs. In these conditions, more than ever, the availability of data becomes important whenever, wherever and from any device (both stationary and mobile). At the same time, the demand for cloud storage services is growing, both from individual users and companies.

Using cloud storage allows you to publish your files, edit them and share them with friends and colleagues. Using cloud storage services, you can not only store the files themselves, but also the history of their changes, as well as synchronize data on their devices.

Amid growing interest in cloud storage, the need arises to protect the data stored in the clouds. Some cloud service providers offer backup and encryption of data, but there are also independent services that protect data while it is kept in cloud storage. One of these, which supports most cloud storage providers, is the Boxcryptor service described in this article. The service is produced by the German company Secomba GmbH (Werner-von-Siemens-Str. 6, 86159 Augsburg).

  Boxcryptor System Requirements

Boxcryptor service is presented by the manufacturer in the following formats:

  • Plugin for Google Chrome browser.
  • Portable version.
  • Version requiring local installation.

This article discusses a version that requires local installation. The service supports deployment on the following platforms:

  • Windows XP SP3 and later (with the .NET Framework 4.0).
  • Mac OS X 10.7.5 and higher.
  • iOS 7 and above (iPhone / iPad / iPod).
  • Android 4.0.3 and higher.
  • Windows Phone
  • Windows RT
  • Blackberry 10.

For the local version of the service to interact with cloud storage, you must have:

  • User accounts for cloud storage where you plan to keep encrypted versions of files.
  • Free space on local storage in the amount corresponding to the volume of files hosted in cloud storage and to be encrypted. In general, the free space on the local disk should be comparable to the amount of space provided by cloud storage, for example:
    • Yandex.Disk provides 10GB;
    • Dropbox - 2GB;
    • Google Drive - 15GB;
    • Box - 10GB;
    • OneDrive - 15GB;
    • Amazon S3 - 5GB;
    • CloudMe - 3GB;
    • iCloud Drive - 5GB;
    • Telekom - 25GB, etc.

  Functionality

The composition of the available functionality of the service depends on the type of subscription (license) purchased.

Table 1. Boxcryptor functionality depending on the type of subscription

Functionality | Short description | Free | Unlimited Personal | Unlimited Business | Company Package
AES-256 and RSA encryption algorithms | Encrypt the contents of files hosted in the cloud | Yes | Yes | Yes | Yes
Secure sharing | Give third parties access to your encrypted files | Yes | Yes | Yes | Yes
Mobile app support | Deploy the application on mobile devices | Yes | Yes | Yes | Yes
File name encryption | Mask the name of a file hosted in cloud storage | No | Yes | Yes | Yes
Unlimited cloud platform support | Protect data on several cloud storages rather than one | No | Yes | Yes | Yes
No limit on supported devices | Deploy the service on more than two devices | No | Yes | Yes | Yes
Technical support | Unlimited technical support from the manufacturer | No | Yes | Yes | Yes
Create user groups | Group users so that files can be shared with the group as a whole | No | No | Yes | Yes
Commercial use | Use the service for corporate purposes | No | No | Yes | Yes
Personal use | Use by only one user | Yes | Yes | Yes | No
Subscription shared by more than one user | Add an unlimited number of users to one subscription (license) | No | No | No | Yes
Master key | Decrypt company files available to its employees without knowing their passwords | No | No | No | Yes
Reset company user passwords | Reset and replace the passwords company users use for encryption without losing access to the data in encrypted company files | No | No | No | Yes
Active Directory support | Synchronize Boxcryptor users with users from the company's Active Directory | No | No | No | Yes
Policy definition | Create security policies to meet internal and external requirements (password length, file name encryption, etc.) | No | No | No | Yes
User and device management | Centralized user and configuration management | No | No | No | Yes
Audit | Monitor user behaviour to detect suspicious security events (failed login attempts, violations of established policies, etc.) and respond to them | No | No | No | Yes
Two-factor authentication | Two-factor user authentication with Duo Security | No | No | No | Yes

  Boxcryptor Subscription Cost

Boxcryptor subscription pricing is as follows:

  • Free - for free.
  • Unlimited Personal - 36 € ($ 48) per year.
  • Unlimited Business - 72 € ($ 96) per year.
  • Company Package:
    • 8 € per user per month - for 1 year purchase.
    • 6.4 € per user per month - when purchased for 3 years.

For a full subscription for personal use (Unlimited Personal), the manufacturer provides a 25% discount for students.

The Free, Unlimited Personal, and Unlimited Business subscriptions are for 1 user only:

  • Free and Unlimited Personal - application for personal use only (protection of personal information) by only one user. These subscriptions are intended for individuals;
  • Unlimited Business - an application not only to protect personal, but also corporate information, but again only by one user. This subscription is oriented, as a rule, for employees of a legal entity or for individual entrepreneurs. Only taking into account the fact that each employee has his own subscription (license).

Unlike personal subscriptions, the Company Package subscription allows you to add an unlimited number of users for a single license.

  Work with Boxcryptor

  Installing the desktop version of Boxcryptor service

The service is quite easy to use, especially with regard to the limited range of functions provided as part of the Free and Unlimited Personal types subscription. Although it is these two types that may be most in demand among Russian users. To take advantage of the proposed features, you need to download the distribution kit for the corresponding platform from the manufacturer’s website.

In the framework of this article, the work of the service is examined using the example of a distribution for the most common platforms for a Russian user: Microsoft Windows and Android. At the time of preparation of the material, the Boxcryptor 2.3 version is available on the manufacturer’s website for the Microsoft Windows operating system, and version 2.1 is available for Android (as well as Beta version 2.49.559). For other platforms, the composition of the functions is similar - a detailed description of the service functions for each platform is given by the manufacturer on its website in the relevant user manuals.

When installing the product, it is proposed to read and accept the "License Agreement" concluded between the manufacturer of Secomba GmbH and the end user, as well as the "Data Protection Policy".

After installation and launch, you will need to authenticate, if you have a Boxcryptor account, or create such an account.

Figure 1. Registration in the desktop version of Boxcryptor on Windows

When you create an account (profile), a notification is displayed that you need to remember the password, otherwise access to all encrypted files will be lost. Only by agreeing to this and accepting responsibility for saving the password, you can continue the registration.

Here, as part of the creation of the profile, you will need to determine the type of subscription (license).

Picture 2. Choosing a subscription type in the desktop version of Boxcryptor on Windows

Only three types are offered here; the fourth and most complete, the Company Package, can be selected only on the website (where the profile for this type is also filled in). The manufacturer offers trial periods for the Company Package and Unlimited Business subscriptions:

  • Company Package: a 30-day trial to become familiar with the functionality.
  • Unlimited Business: one week of free testing.

Activation of these trials is available only through the web interface of your Boxcryptor account.

If you select an Unlimited Personal or Unlimited Business subscription, a browser opens on the payment page.

Once selection and payment are complete, the service itself starts.

The version installed on an Android smartphone also requires authentication.

Picture 3. Authentication in Boxcryptor on Android

On first start:

  • The Boxcryptor icon appears in the notification area in the lower right corner of the screen.
  • A tutorial on working with the service opens.
  • The service automatically searches for cloud storage services associated with the device and, if none are found, opens a settings window.
  • A new virtual disk appears in Explorer; it is used for file encryption and for synchronization with cloud storage.

Picture 4. The first launch of the desktop version of Boxcryptor on Windows

If a cloud storage service is already connected to Windows, it appears in Boxcryptor's Explorer view inside the virtual disk.

Picture 5. Contents of the Boxcryptor virtual disk in the desktop version on Windows

All further encryption and decryption of files and directories takes place within this Boxcryptor virtual disk and the cloud storage services linked to it (Dropbox, for example).

The first launch on an Android device likewise asks you to define the cloud storage that Boxcryptor will map.

Picture 6. First start of Boxcryptor on Android and definition of the cloud storage

  Boxcryptor setup

To configure the service, select Settings from the context menu of the notification-area icon (see Figure 4). All basic and advanced settings live in the tabs of the Boxcryptor Settings window.

Picture 7. Settings of the desktop version of Boxcryptor on Windows

Local directories holding information to be encrypted with Boxcryptor are defined on the Locations tab: click Add and select the directory of interest.

To link a cloud storage service listed on the Locations tab to Boxcryptor, click Link and fill in the corresponding configuration forms.

Picture 8. Linking cloud storage in the desktop version of Boxcryptor on Windows

Once a local directory has been added and a cloud storage service linked, both appear in the list of locations.

Picture 9. Directory and cloud storage connected in the desktop version of Boxcryptor on Windows

The account to which the subscription is assigned is managed on the Profile tab. The editable parameters (First Name, Last Name, Email and Password) are marked with a symbol. The tab also provides:

  • Information about the subscription type.
  • Generation of a master key for restoring access to encrypted company data when, for example, the employee responsible for that data leaves. This feature is available only with a Company Package subscription.
  • Export of keys so that the service can be used without a network connection (offline).

Picture 10. Account configuration options in the desktop version of Boxcryptor on Windows

To give colleagues access to an encrypted file stored in the cloud, you create a group and add them to it. One caveat: only other Boxcryptor users (with the same subscription type) can be added to a group. Within these settings you can:

  • Add and remove group members.
  • Leave the group.
  • Transfer (revoke) the group owner's authority to another member (select the member and use its context menu).

Picture 11. Creating a group in the desktop version of Boxcryptor on Windows

Finer adjustment is available on the Advanced tab. The main set of parameters lets you change the name and drive letter of the Boxcryptor virtual disk, start the service together with the operating system, check for updates, and enable file-name encryption. The manufacturer recommends enabling file-name encryption only when it is really necessary, since it affects performance (especially with a large number of files). For still finer tuning, select More settings.

Picture 12. Advanced settings of the desktop version of Boxcryptor on Windows

In the advanced settings the following parameters can be turned on or off:

  • Enable recycle bin usage: deleted files and directories go to the recycle bin, from which they can be restored.
  • Connect as a hard disk: Boxcryptor creates a virtual disk at installation for encrypting files and directories; this option presents that disk to the system as a physical (fixed) drive.
  • Connect for all users: makes the Boxcryptor drive available (or unavailable) to all user accounts on the computer where the service is installed.
  • Enable long path support: removes (or restores) the 256-character limit on file path length. This can cause problems with systems that do not support long paths.
  • Connect in Windows Volume Manager: adds the Boxcryptor virtual disk to the Windows Volume Manager.
  • Do not show files and folders starting with a dot: hides (or shows) files whose names begin with a dot. Such files are, as a rule, created by the cloud storage clients themselves, and encrypting them by accident can break synchronization, possibly irreparably.
  • Hide files and folders if their names cannot be decrypted: hides files with encrypted names that the current user has no right to decrypt.
  • Do not show OneDrive warnings: suppresses the warnings produced when working with OneDrive, which can keep files in the cloud without synchronizing them to local storage, whereas Boxcryptor encrypts only files that are present locally.
  • Automatically detect removable drives: treats plugged-in removable media as locations attached to Boxcryptor.
  • Automatically detect network drives: treats network drives as locations attached to Boxcryptor.

Boxcryptor on Android has a more modest set of settings. Enabled by default are file-name encryption, a wipe of the app's settings after three failed authentication attempts, and file preview. A useful option is Set PIN protection, which guards the app against unauthorized use by requiring a PIN whenever it is brought back from the background.

Picture 13. Settings available in Boxcryptor on Android

Having configured the service to your needs, you can start using it for encryption and decryption.

  Encrypt and decrypt files and directories in Boxcryptor

The encryption scheme used by the service resembles the tale of Koshchei the Immortal: Koshchei's death is in a needle, the needle in an egg, the egg in a duck, the duck in a hare, and so on. Here the role of those nested containers is played by several cryptographic keys, each of which is locked (encrypted) by the next one in the chain. The following cryptographic entities (keys and passwords) can be distinguished:

  • Password.
  • AES key.
  • RSA key pair:
    • Public key.
    • Private key.

Depending on who initiates the cryptographic operation, AES and RSA keys exist for:

  • Users.
  • Companies (user groups).

Keys are generated directly on the user's device when the user account or company (user group) is created. Everything except the user password is uploaded to the Boxcryptor server, and everything uploaded is encrypted first, with the sole exception of the RSA public key, which needs no protection.

Picture 14. The general principle of file encryption implemented in Boxcryptor

All file encryption and decryption is performed locally on the user's computer; only then is the result synchronized with the cloud storage. The file encryption procedure is:

  • Generate an individual key for the file (an AES key).
  • Encrypt the file with this key.
  • Encrypt the file key with the user's RSA public key. This step is repeated once for every user who is to be granted access, producing a separate "secret" for each of them.
  • Append the encrypted file keys of all users to the end of the encrypted file contents; the result is the encrypted file.
  • Encrypt the user's RSA private key with a key derived from the user's password.
  • Store all the resulting secrets on the Boxcryptor server.

Decryption runs in reverse order, with the RSA private key used instead of the public key. All of these transformations are hidden from the user.

The service is attractive for how simple encryption and decryption are: every operation is a single click. In Explorer, inside the Boxcryptor virtual disk, select a file located in the cloud storage, open its context menu and click Encrypt or Decrypt as required. Once encrypted, the file shows a green square with a lock next to its name.

Picture 15. Encryption in the desktop version of Boxcryptor on Windows

In the cloud storage itself the file is renamed with the added extension .bc, and its appearance there changes as well. To see this, open the context menu of the encrypted file and choose Show source in Dropbox. Opening an encrypted file directly in the cloud produces a message asking to convert it and choose an encoding; a fragment of such a message is shown in the figure below.

Picture 16. Display of an encrypted file in the desktop version of Boxcryptor on Windows and in Dropbox

Directories are encrypted the same way: the suffix _encrypted is added to the directory name and a green square with a lock appears on the directory in Explorer.

Another way to encrypt a file is to move or copy it into an already encrypted directory; it is then encrypted automatically.

Picture 17. Automatic file encryption in the desktop version of Boxcryptor on Windows

As mentioned earlier, the service can protect not only files destined for cloud storage but also files kept locally, and the steps are the same. The encrypted file lives in the cloud storage folder (or in the local directory, when protecting local files), while its readable form is presented only through the Boxcryptor virtual disk; files never reach the Boxcryptor server in any form. An encrypted file opens readably only inside the virtual disk or after being copied out of it; opened from its original location it is unreadable, with the same notifications (a request to convert it and choose an encoding).

Without a network connection, files can still be encrypted within the Boxcryptor virtual disk; they are marked with a synchronization icon, and synchronization with the cloud storage takes place once the network is back.

Decryption is done by selecting Decrypt and yields the original file. Applied to a directory, it decrypts all files the directory contains.

Picture 18. Decryption of a file in the desktop version of Boxcryptor on Windows

On Android, encryption is just as simple: open the cloud storage directory of interest in the app and use the upload button to pick a file on the device to upload. At upload time the service asks whether the file should be encrypted.

Picture 19. File encryption in Boxcryptor on Android

  Managing access rights to an encrypted file / directory in Boxcryptor

Access to an encrypted directory or file is granted from the context menu of the encrypted object. It can be granted to a group of users (created when setting up the service) or to an individual user by email address. Again, a nuance: access can be granted only to Boxcryptor users, and only by someone who already holds the necessary rights to the object.

Picture 20. Managing access rights to an encrypted object in the desktop version of Boxcryptor on Windows

When you log in to the operating system under a different account, access to the Boxcryptor virtual drive is restricted. A user who lacks the necessary permissions, including those set when configuring the service (the Connect for all users option, see Figure 12), will not merely be unable to use files on the virtual disk: the disk will not be visible at all. This matters because the virtual disk is where files are handled in plaintext before being placed in encrypted form in their original storage, so anyone who can see the disk sees the decrypted data.

  Providing an encrypted file to a non-Boxcryptor user

If you need to hand an encrypted file to someone who is not a Boxcryptor user, the product's integration with the Whisply service makes this possible: use the corresponding item in the context menu of the encrypted file in Explorer.

Picture 21. Secure transfer of a file encrypted in the desktop version of Boxcryptor on Windows through the Whisply service

A Whisply page for the transfer then opens in the browser. To complete the transfer:

  1. Confirm that the correct file is being transferred.
  2. Set the access options: the time after which the file becomes inaccessible to everyone, and whether the recipient may download it once or repeatedly.
  3. Set a password.
  4. Send the download link (by email, by SMS, or by copying it to the clipboard to pass on yourself).
  5. Send the password (by the same means as the link).

Picture 22. Working with the Whisply service to transfer a file encrypted in Boxcryptor

The recipient then receives the encrypted file together with the means to read it. Sending the password over a different channel than the link keeps whoever intercepts one of them from opening the file. Moreover, if the encrypted file changes in the cloud, the recipient can fetch the current version through the same link, as long as the link is still valid.

  Boxcryptor File Name Encryption

File-name encryption, like file encryption and decryption, is invoked from the context menu. Once the name is encrypted, the file appears in the cloud storage under a string of seemingly random characters (the .bc extension excepted).

Picture 23. Encryption of a file name in the desktop version of Boxcryptor on Windows

The normal file name can be restored by cancelling name encryption from the same context menu.

  Boxcryptor User Master Key

This feature allows encrypted company files to be recovered when a user has forgotten the password or has left without transferring authority to other users. To generate the key, open the Profile tab in the Boxcryptor settings and click Generate in the Master key row. In the window that appears, enter a password for the new key and generate it. The generated key must then be entered into the corresponding policy through the web interface.

Picture 24. Master key generation in the desktop version of Boxcryptor on Windows

To use the master key, unlock it by entering its password on the Profile tab in the service settings. The responsible person then has access to all encrypted files of all company users, which makes the master-key password the most sensitive secret in the deployment and one to keep separate from ordinary user credentials.

  Conclusions

We have examined the main functions of the Boxcryptor service, designed to protect the data of individual users and of companies as a whole when it is placed in cloud storage. Individual users are offered three subscription types:

  • Free: free of charge, with limited functionality;
  • Unlimited Personal: paid, with more features than Free;
  • Unlimited Business: paid, with the most complete set of functions, intended to protect not only personal but also business information of individual employees, small companies and sole proprietors.

Companies are offered a separate and most comprehensive subscription, the Company Package, which is an independent business package.

The distinguishing feature of the Company Package is a set of functions aimed specifically at companies, for example:

  • Generation of a master key and resetting of user passwords, so that company files can be decrypted even if the passwords used for encryption are lost.
  • Active Directory support, which synchronizes Boxcryptor user accounts with accounts from the company's Active Directory and simplifies the system administrator's work.
  • User and device management for centralized administration of all company users and of the service configuration on corporate devices.
  • Auditing (monitoring) that helps detect atypical user behaviour.
  • Two-factor authentication of users through Duo Security.

The main advantages of the service are:

  • A wide range of supported platforms: Windows XP SP3 and higher, OS X 10.7.5 and higher, iOS 7 and higher (iPhone / iPad / iPod), Android 4.0.3 and higher, Windows Phone, Windows RT, BlackBerry 10.
  • A portable version (for Windows, macOS and Linux).
  • A large number of supported cloud storage services: Yandex.Disk, Dropbox, Google Drive, Box, OneDrive, Amazon Cloud Drive, Amazon S3, CloudMe, Cloudwatt, Cubby, Egnyte, GMX, iCloud Drive, livedrive, Orange, SDS, SpiderOak, storegate, Strato HiDrive, SugarSync, Telekom, WEB.de.
  • Encryption and decryption of files in local storage.
  • An intuitive interface.
  • A free subscription.
  • Reliable, time-tested encryption algorithms: RSA and AES.
  • Offline operation with subsequent synchronization to cloud storage.
  • Encryption and decryption in a single mouse click.
  • Encryption and decryption on the fly.
  • Automatic encryption of files placed in an encrypted directory.
  • Secure sharing of access to a file.
  • Recovery of access to encrypted company files with a master key.
  • An extension for the Chrome browser.
  • Protection against unauthorized access: the Boxcryptor account password is required when the service starts, and access to the service can be further restricted by operating-system user account.
  • Technical support from the manufacturer for paid subscriptions.

The disadvantages of the service include:

  • The minimal set of functions in the free subscription.
  • Reduced system performance when file-name encryption is used (especially with a large number of files).
  • The absence of Mail.ru, one of the most widespread cloud storage providers in Russia. The manufacturer does, however, invite users to contact it if a provider is missing from the supported list, promising to look into it.
  • The inability to perform certain operations directly in the locally installed version of the service (the web interface is required), for example:
    • Selecting the Company Package subscription and activating its 30-day trial.
    • Adding the policy associated with a generated master key.
  • No automatic connection of the cloud storage associated with the Boxcryptor account when the app is launched on a mobile device with the same account: on new desktop installations the cloud storage providers are detected and added automatically, but on mobile devices they must be added manually.
Additionally