Child Item

Encrypting local copies of shared files and synchronizing

Hi,

I understand that encryption of the local copy of Dropbox files is my responsibility.

For various reasons, I do not want to encrypt the entire PC with Bitlocker and a boot password. I am using VeraCrypt and encrypting only those chunks of data that are "sensitive".

I am using Dropbox to work with various clients. If I encrypt my local copies of the files and then synchronize them, my clients have to unencrypt (with VeraCrypt) and each client needs their own password! (A nightmare to manage... even if they would be willing.)

VeraCrypt works by having an encrypted volume (a file) that is mapped to an unencrypted folder with a drive letter (L:\, for example). The unencrypted folder 'vanishes' when the file is unmounted, and this happens automatically when I switch off the computer or log out.

I create unencrypted file-level backups by backing up the unencrypted mounted folder to a (separately) encrypted location. Can I do the same with Dropbox?

To clarify:

If I create a file with VeraCrypt and map it to a folder (D:\) and then set DropBox to synchronize with \ (assuming I can do this), how will the mounting and unmounting of this volume be reflected? Will unmounting of \ (containing the local copies of DropBox files) be seen as having deleted them, so synchronization will delete them from the cloud side? Or will it just be seen as the drive not being available (as if it were a portable drive)? And conversely, if Dropbox starts first, will the absence of the mounted folder be an issue?

I can do some testing myself - but first will have to ask clients to unshare their files with me so things don't start synchronizing unexpectedly. I'm trying to avoid asking them to do that (and then reshare them afterwards) if people already know that this does not work.

Thanks in advance,

Alison

Find more posts tagged with

Desktop

Delete

Sync

Insightful

Dislike

Closed - Partially Delivered

Accepted answers

Jay

Thanks for the detailed requirements, Alison. Sounds like how TrueCrypt works when I use it occasionally by mounting a folder of the encrypted file.

Long story short, it wouldn’t work the way you want it to, since it will see it as a hard drive that no longer exists, and thus the folder will be ‘missing’.

You’ll get an error message almost instantly, and in the worst case scenario, it’ll start to delete files from your account, thinking that the files were all deleted at once.

It’s similar to how having your Dropbox folder syncing on an external drive works, and my post here about the potential effects of that would apply here.

Hope this helps to clarify matters!

All comments

Jay

Thanks for the detailed requirements, Alison. Sounds like how TrueCrypt works when I use it occasionally by mounting a folder of the encrypted file.

Long story short, it wouldn’t work the way you want it to, since it will see it as a hard drive that no longer exists, and thus the folder will be ‘missing’.

You’ll get an error message almost instantly, and in the worst case scenario, it’ll start to delete files from your account, thinking that the files were all deleted at once.

It’s similar to how having your Dropbox folder syncing on an external drive works, and my post here about the potential effects of that would apply here.

Hope this helps to clarify matters!

ap8

Thanks very much for the prompt reply, Jay.

Pretty much as I feared, and I'm trying to remove the human being (me) from the equation as much as possible. I could prevent the Dropbox app from starting until everything is ready, but therein lies madness. Mine!

If it was just me needing to access the files, I'd encrypt before synchronising...

The only other things I can think of are:

To create an encrypted partition that unencrypts on boot... but that is *almost* back to the Bitlocker scenario. (Others occasionally use my PC, I'd have to give them the boot password, and then we have humans in the loop again. :-)
To stop their files from synchronizing so I have to access them online. Safer but MUCH less convenient!

I'll pass the problem on to the clients and see what their suggestions are - only two or three (so far) are affected. Either they will have thought of something already and not told me, or will not have given it a moment's thought...

Alison

Jay

I hope you find a solution that’ll give you the least amount of admin to do on your end!

ap8

Just a sanity check... it sounds like the only really safe option is to encrypt the whole system and unencrypt on boot, so nothing can start synchronising until after the unencryption has completed.

Boca

If I understand your need... it sounds like I am doing the same thing without any issues.

I have a Veracrypt vault which looks like a single file ( eg A) to Dropbox but, when unencrypted, it mounts a new drive letter which can contain files B,C,D etc.

When I make changes to B,C, D then close the vault, this causes a change to A which prompts Dropbox to sync it.

I can access fille A ( and un-encrypt/encrypt) it from several locations.. using the same password.

Hope this helps.

Dave_Rasch

In TruCrypt and VeraCrypt you can set up the container without a password but with one or more key files.

I have my user able to run the veracrypt command via sudo without a password, then I have my key file(s) on a USB drive, and then use this command line in linux to mount automatically.

sudo veracrypt -t -k "<where the usb drive mounts>/<keyfile>" -p "" --non-interactive --pim=0 --fs-options=owner --protect-hidden=no /<dir>/<encrypted container> /<mnt point>/Dropbox

Put the USB drive in and run the mount script that I have; mounts it and starts dropbox

To remove I run a umount script; stops dropbox and unmounts the container

So far I have had no luck geting it all working the way I like with udev ... but that will come along.