Dropbox is one of the most popular cloud storage services in the world. With well over 175 million users, Dropbox was arguably the first cloud storage service that promoted mass adoption thanks to a referral program and an intuitive interface. Dropbox cemented its place on our mobile devices with a range of capable apps, and developers have figured out ways to use it for all kinds of purposes: server backups, Google Docs sync and browser add-ons, to name just three.
But with Dropbox, there’s one challenge: privacy. The company has recently been linked to the PRISM scandal; the US National Security Agency had reportedly considered including it in its surveillance program. But for users, the more practical risk is the lack of encryption. Unlike a service such as Mega, Dropbox allows its employees to access and decrypt files, and files stored on the service are actually decrypted so that some of its more advanced functionality can exist. This is perhaps its biggest weakness.
Dropbox Encryption Explained
Many commercial cloud storage providers offer encryption using the AES-256 algorithm. AES stands for Advanced Encryption Standard, and the ‘256’ means that your data is encrypted using a 256-bit encryption key.
Cracking AES-128, which is less secure, would take a supercomputer almost 14 billion years. We can therefore presume that AES-256 is pretty secure.
Dropbox encrypts your data using industry-standard encryption tools following the AES-256 standard, but the devil is in the detail: Dropbox holds the keys for the encrypted files. (Compare that with Mega.)
That allows it to do two important things:
- It can decrypt your data to make certain features work.
- It can decrypt your data if law enforcement officials ask it to.
Additionally, some of the metadata sent from mobile devices is unencrypted.
This raises the question of whether data stored in Dropbox is really, truly safe. Cloud storage is often criticised for exposing user data to authorities, particularly under the scope of the US Patriot Act.
Dropbox does say that successful law enforcement requests are one in a million. But with its apparent willingness to decrypt on (legal) demand, Dropbox has ruffled a few feathers.
How to Improve Dropbox Encryption: TrueCrypt vs BoxCryptor
Several developers have made add-on tools for Dropbox that put encryption back into the hands of the user, not the cloud storage provider. Let’s look at a few briefly.
BoxCryptor can be used to encrypt files before they are sent to a cloud storage service. It works with Dropbox, Box, Google Drive, SkyDrive – basically any cloud storage service that allows you to explore files in your browser.
BoxCryptor works by creating a new password-protected drive on your computer. Any file stored on that virtual disk can be opened as normal, but is individually encrypted. The encrypted file is synced to Dropbox; the only person who can see it is the local user with the right password. When the computer is offline, BoxCryptor still functions.
BoxCryptor has apps for Windows, OS X, iOS, Windows 8 and Android. Most of its features are available using a free account.
TrueCrypt is completely free and open source. It allows a user to encrypt a file or a group of files, or an entire disk, protecting them with a key. The encrypted data can be mounted like a drive, providing you have the password, and data can only be viewed when decryption mode is active. Encrypted data looks like random characters, so a hacker would never know if it’s worth decrypting or not.
TrueCrypt is secure but slow, and it’s also rendered useless by malware – including malware you might not know is installed. The software runs on Windows, OS X and Linux.
Conclusion: Which Dropbox Encryption Is Better?
The difference between BoxCryptor and TrueCrypt is the method of encryption. While BoxCryptor encrypts files one by one, TrueCrypt encrypts all of your files in a bundle (a container), and that is then sent to the cloud storage provider.
In practice, both work well. But with TrueCrypt, your files are bundled. If you need mobile device support, go with BoxCryptor; if you want to guarantee the software is free for life, TrueCrypt is the better option.
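To make the per-file versus container difference concrete, here is an added sketch (not code from BoxCryptor, TrueCrypt or this article) that encrypts the same constructed files both ways with a password-derived AES-256 key and shows what the storage provider can still observe. It assumes the third-party `cryptography` package; the `.enc` suffix, `vault.bin` name, blob layout and PBKDF2 settings are illustrative choices, not either tool's real format.

```python
import hashlib, io, os, tarfile
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this sketch

def _key(password: str, salt: bytes) -> bytes:
    # 32-byte key = AES-256; the key never leaves the user's machine.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)

def seal(password: str, plaintext: bytes) -> bytes:
    """AES-256-GCM encrypt; returns salt(16) || nonce(12) || ciphertext+tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    return salt + nonce + AESGCM(_key(password, salt)).encrypt(nonce, plaintext, None)

def unseal(password: str, blob: bytes) -> bytes:
    salt, nonce, body = blob[:16], blob[16:28], blob[28:]
    try:
        return AESGCM(_key(password, salt)).decrypt(nonce, body, None)
    except InvalidTag:
        raise ValueError("wrong password or modified ciphertext") from None

def per_file(files: dict, password: str) -> dict:
    """Per-file model: one ciphertext object per file lands in the synced folder."""
    return {name + ".enc": seal(password, data) for name, data in files.items()}

def container(files: dict, password: str) -> dict:
    """Container model: bundle everything (here a tar archive), then encrypt once."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return {"vault.bin": seal(password, buf.getvalue())}

def provider_view(synced: dict) -> list:
    """What is visible without the key: object names and sizes only."""
    return sorted((name, len(blob)) for name, blob in synced.items())

# Constructed sample data, not real files.
SAMPLE = {"taxes.txt": b"constructed sample " * 10, "notes.txt": b"hello"}

if __name__ == "__main__":
    print("per-file :", provider_view(per_file(SAMPLE, "correct horse")))
    print("container:", provider_view(container(SAMPLE, "correct horse")))
```

In this sketch the per-file layout still exposes how many files exist, their names and their approximate sizes, while the container exposes a single object; in both cases the contents are unreadable without the password.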