As I mentioned recently, Dropbox is awesome. When using it, however, it’s important to think about security. The dropbox guys lock up your data nice and tight – but they hold the keys.
Think of it this way: You’re on a cruise ship, and you have a priceless diamond tiara (don’t we all?). You know it’ll be much safer in the ship’s vault than in your cabin. The ship’s purser is only too happy to watch over your valuables in their very strong safe. Now you can rest easy.
Except… there’s someone besides you who can open the vault. What if the government serves the purser with a warrant (or some other constitutionally-questionable writ) and takes your tiara? What if someone fools the purser into handing over your tiara? For most things, trusting the purser is fine, but that tiara is really something special. What you need, then, is a special box with a really strong lock. You give the purser the box and neither he nor anyone else can even see what’s inside, and you can make it a really strong box, so even if the purser hands over the keys to his vault, your stuff is still safe.
The same principle applies with Dropbox. It’s really convenient and pretty darn secure, but someone else is holding the keys. For most things, like my writing, no further security is necessary. Yet I have a few files that I don’t want to leave to someone else to protect, but I still want the convenience and data backup Dropbox provides. On my mac I’ve set up a very simple system that allows me to see my most secret files whenever I need to on any of my machines, but protects them from prying eyes. It’s actually pretty simple, and there’s almost certainly a direct analog on Windows.
The disk utility that comes with Macs can create an encrypted disk image using pretty dang strong encryption. If you put that image file in your dropbox, then any files you add to that virtual disk will encrypted and saved to your Dropbox when you unmount the disk. Here are the steps:
- Fire up Disk Utility (it’s in the Utilities folder).
- Click New Image
- Decisions, decisions….
- Name your new disk. If you name it “secret stuff” that will just make people curious.
- Size: For reasons I’ll go into shortly, I’d advise not making this any bigger than you really need. If you’re protecting text files, it can be pretty small. The 100MB setting is probably more than enough for most people.
- Format: Just use the default
- Encryption: I say, what the heck. Go for the maximum unless you’ll be using a really old machine.
- Partition: just use the default.
- Image Format: sparse disk image – this will keep the size of the actual disk file down. UPDATE – As of MacOS X 10.5, there’s a new option called “sparse bundle disk image”. DON’T USE THAT! It seems perfect at first (see below) but things get mucked up if there’s a conflict.
- Save. You will be asked for a password. You’ll not need to remember it, so make it good and strong, nothing like any password you’ve used anywhere else. Keep the “save in keychain” option selected. (If you need it later, you can find it with Keychain Access.) – Remember: this is the secret that protects all your other secrets.
- Voila! Put the disk image in your Dropbox folder. When you open the image file, a new hard drive will appear in finder. Anything you put on the drive will be added to the .dmg file you created.
- “Eject” the drive on that machine and open the .dmg on any other machines you want to share the information. While you remember your crazy password, get it saved in the keychains of your various machines.
A couple of notes:
- The .dmg file will only update when you “eject” the drive. So I advise you not keep it mounted most of the time. Open it, add/access the files inside, and close it again. If you open it on two machines at the same time, you will end up with two versions in your Dropbox folder.
- I advised saving your password on your keychain, but remember that anyone who can access your computer can also access your secrets. So you might want to consider not putting the password in your laptop’s keychain, for instance, if you think it might fall into the wrong hands.
- Since your secret files are saved as a single blob of data, you won’t have automatic backups of individual files. If you need to recover one, you’ll have to find the right version of the image file.
- Since your information is saved as a big ol’ blob, if you make a huge .dmg file it will eat up space in your Dropbox and burn up unnecessary bandwidth each time your save. ‘Sparse’ images only grow to the maximum as you use the space (but never shrink unless you intervene with Disk Utility).
- UPDATE – Apple has created a new format that saves the image file as a whole bunch of little blobs, rather than one big one. With that option, when you make changes, only the little blobs that changed need to get updated. This was to make Time Machine work better, and at first I thought it would be perfect for Dropbox. Then I spent a few minutes testing and discovered that the way Dropbox handles conflicts (two computers updating the file at the same time) gets royally hosed when you use this format. Bummer. So, don’t use it.
- It’s possible to set things up to protect individual files, but it’s complicated. Hopefully it won’t always be.
- Important! If you only store the password on one machine – Save it somewhere else also!. If you lose that password (if your hard drive crashes or your computer is stolen, for instance), you’re not getting into your strongbox. Ever. That was the whole point, after all.