Using Dropbox with encrypted files
The following article contains links to specific sites and pages which may change. Please tell us about broken links.
Note that one of the products below - Boxcryptor - has been acquired by Dropbox and may no longer be available. (The expectation is that the functionality will eventually be available within Dropbox directly.) So you may find that you cannot follow this "recommended method". This page will be updated when the future of Boxcryptor becomes clearer.
Here is a recommended method.
What you will need:
- A Dropbox account
- A Boxcryptor account (free for two devices, otherwise 36€ at time of writing)
Why?
With most Dropbox accounts, Dropbox stores your files in plain text in servers in the USA and all around the world. In theory, a Dropbox systems administrator could open your files and read them, as could anyone who somehow hacked into Dropbox, or got hold of the hidden links to your files. (If you have a Nuffield College Dropbox account, the data is stored in the EU, but it is still saved in 'plaintext'.) You may be involved in a project which mandates that your data be encrypted, but you may still have to share that data with colleagues. Boxcryptor and Dropbox may give you a way to meet this challenge.
Boxcryptor can work ‘within Dropbox’ (and various other ‘cloud’ providers) to encrypt your data using an algorithm called AES-256. If you put a file into an encrypted folder, Boxcryptor encrypts that file before it is copied up and placed in a folder within a Dropbox server. Now, if someone hacks Dropbox, or a rogue employee looks at your stuff, they will simply not be able to decipher that file.
Boxcryptor is a “zero knowledge” service, which means that it doesn’t know, or hold, your password. This is great, but it also means that you really have to remember that password. Please consider using a password manager!
Install Dropbox on your preferred machine first
If you do not yet have an account, create one and then install the Dropbox client.
Instructions: https://help.dropbox.com/installs-integrations/desktop/download-dropbox
Install Boxcryptor
Boxcryptor can be used to encrypt your files that contain sensitive or personal data. It works within Dropbox, so that you can use the usual Dropbox file interface and share in the same way as you share via Dropbox. Note that sharing encrypted files means that the other person (your share-ee) also needs a Boxcryptor account.
N.B. It is also possible to securely transfer files to people who do not use Boxcryptor or Dropbox, by using Boxcryptor's Whisply application (which simply shows files in a web browser).
Go to https://www.boxcryptor.com/en/for-individuals/ and follow the instructions to create a personal account and install the client.
For even better protection
Note that you can use two-factor authentication (2FA) with Boxcryptor. Some data and research projects may begin to mandate the use of 2FA. You can use an authenticator app (several are available) or a hardware device (security key) like a YubiKey.
A note about use (top tip)
Separating out encrypted and unencrypted folders is useful as there may be much of your work which does not contain sensitive or personal data, and you may wish to share these with other people who use Dropbox only.
If your primary way of working is to NOT share personal data…
…your Dropbox folders may look like this:
Note that, in this example, most of the folders are unencrypted, with one folder (actually named “Encrypted”) which is used to house personal and sensitive data which you never share.
If you need to share files containing personal (or sensitive) data…
…(this is the top tip):
- Name the main folder something meaningful (e.g. Finances, Tutees etc.)
- Create another folder (or folders) within that which you tell Boxcryptor to encrypt
- Share the parent folder with your collaborators
- Change (manage) the permissions on the subfolders using Boxcryptor
In the above example, you would share the ‘Shared with Finance team’ folder using Dropbox, and ‘manage the permissions’ via Boxcryptor of the two encrypted folders shown with green dots. (These are emphasised with red arrows in the diagram above.)
More tips…
- When you share a file or folder with another Boxcryptor user (right-click > Boxcryptor > Manage Permissions), you identify the user via their email address. Thus, you must know the email address that they use with their Boxcryptor account (e.g. department, College, personal?)
- If you want to create groups to make sharing easier, then you may need to upgrade your account
- If you do not use groups, please remember that revoking access via Dropbox (or Boxcryptor) may not be immediate: the change may take some time to synchronise and the user you are trying to remove may have access for a little while longer.
If you find that you need to create a Boxcryptor team which contains several people at Nuffield College, please contact IT@Nuffield and we should see if we could justify a “Company” subscription.
A final note about information security
The advice above addresses one principle of information security: protection against unauthorised access. However, another principle of infosec involves the danger of data loss. Using Dropbox for important College or research project documents or data is still problematic if the file in a personal Dropbox account is the only up-to-date copy.
When a member of staff (or of your research team) leaves the College (or group), Dropbox documents under their control may simply disappear. Similarly, accidents happen with personally-managed accounts and documents can be lost. The College has an IT department that works hard to ensure that files are available and backed-up all the time, but personal Dropbox is out of its view and control.
Solution:
(At the time of writing Dropbox will not synch to a network drive, unfortunately.)
- Almost always edit live documents on the College file server. Occasionally copy documents into Dropbox, but see those as copies to be shared (and overwritten).
- Set up a timer job which copies folders from your Dropbox folder on your desktop computer to folders on your network drive (but be careful about editing a file which will get overwritten)
- Get IT@Nuffield to help you with a script which properly synchs files
- (A Nuffield College Dropbox account may help a little with the disappearing files issue, but please take extra care with files which really belong to the College or a research group, rather than you personally.)
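As an illustration of the timer-job idea above, here is a sketch of a one-way copy that refuses to overwrite a file which has been edited more recently on the network drive. This is an added example, not a script supplied by IT@Nuffield or Dropbox; the function name `backup_copy`, the two-second timestamp tolerance and the command-line arguments are assumptions.

```python
"""One-way backup copy: Dropbox folder -> network drive, never clobbering newer edits."""
import shutil
import sys
from pathlib import Path

MTIME_SLACK = 2.0  # seconds (assumed); some network filesystems round timestamps


def backup_copy(source: Path, dest: Path) -> dict:
    """Copy new or updated files from source to dest.

    A destination file that is newer than its source is left alone and
    reported as a conflict, so an edit made on the network drive is not lost.
    """
    result = {"copied": [], "unchanged": [], "conflict": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = dest / rel
        if dst.exists():
            delta = src.stat().st_mtime - dst.stat().st_mtime
            if abs(delta) <= MTIME_SLACK:
                result["unchanged"].append(rel.as_posix())
                continue
            if delta < 0:  # destination was edited after the Dropbox copy
                result["conflict"].append(rel.as_posix())
                continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves the modification time
        result["copied"].append(rel.as_posix())
    return result


if __name__ == "__main__":
    # The timer job (Task Scheduler, cron, launchd) passes the two folder paths.
    outcome = backup_copy(Path(sys.argv[1]), Path(sys.argv[2]))
    for kind, names in outcome.items():
        print(f"{kind}: {len(names)}")
        for name in (names if kind == "conflict" else []):
            print(f"  review by hand: {name}")
    # A non-zero exit code lets the scheduler flag runs that found conflicts.
    sys.exit(1 if outcome["conflict"] else 0)
```

Files listed as conflicts need a manual decision about which version to keep; the script never deletes anything from either side.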
It has to be said that Dropbox is not a great solution for managing personal data or business-critical information for the College or research groups, but in the narrow use-case where personal data has to be shared beyond the College, the use of Boxcryptor and Dropbox may help.