Overview of data encryption in the clouds for Windows

In connection with the recent unexpected joy of free TB on Mail.ru Cloud, which quickly gave way to disappointment after reading its license agreement , I decided to do a little research on how to encrypt data in the clouds for Windows and collect all the interesting options in one place.



Input requirements are as follows:

• Cloud client does not know how to synchronize files block by block.
• The encryption method should provide the ability to quickly access any file on the cloud to update or decrypt it without having to transfer large amounts of spurious data.

The selected requirements mark the possibility of using Truecrypt crypto containers and multi-file archives. What options remain?

')

1) The most obvious is proprietary programs, positioned as a means to encrypt data in the cloud. For example, Boxcryptor, Cloudfogger and others like them. All of them work on the same principle: file-encrypt data on your disk on a file, and then use their Dokan or Eldos CBFS libraries to create their virtual decrypted representation. When working locally, files are transparently decrypted, and synchronized to the cloud encrypted.



Disadvantages of this approach:

• proprietary encryption software
• free versions of these services have some limitations
• subjectively: poor performance, especially when editing video. Besides, I use TrueCrypt in the encryption mode of the entire disk, and such an overhead of "encryption in encryption" looks ridiculous.

2) The encfs port for Windows is encfs4win .

In addition to open source, the advantage of this approach is that encf4win supports the --reverse option . In reverse mode, as opposed to standard, local data remains intact, and only their display on the virtual disk is encrypted. For encfs4win to work, the Dokan version> 0.6 library is required .



The mount point of the folder with your files on a virtual encrypted disk "X:" is created with the command:

encfs.exe --reverse D:\Archive\ X: 

In expert mode settings you need to choose whether to encrypt file names, and also change the size of the encryption key from 192 to 256 bits. After successful mounting, the configuration file ".encfs6.xml" will appear in the source folder, save it.

Now you can start synchronization of the encrypted view of files on the "X:" drive with the cloud. Symbolic links in the source folder seem to be handled correctly.



To decrypt from the cloud on another computer, simply put in any folder the saved ".encfs6.xml" and mount it with the command:

 encfs.exe --reverse E:\some_folder\ X: 

Then any files copied from the cloud to the “X:” drive will be automatically decrypted in E: \ some_folder \



Disadvantages of the approach:

• The incompleteness of the encfs4win port and the lack of a sane GUI.
• it is impossible to unmount the encrypted volume from the console correctly, only by 'Ctrl-Break'.
• in --reverse mode, encfs does not support "per file IV chaining", which weakens encryption. I think it’s not scary for home reservations.

3) Local encryption in password-protected archives by file and their subsequent synchronization with the cloud. For example, the CryptSync utility can help automate this approach.





The main disadvantage of this approach is the need to keep two copies of files on a local disk.

---

The above solutions give us only an encrypted representation of the data. Further synchronization can be performed by your favorite webdav client, or by the official cloud client (with no webdav support). Below are the all-in-one options.

---

4) Duplicati is an open-source, cross-platform backup software. Her killer feature is the possibility of full-value incremental backups directly to the cloud. Google Drive, Skydrive, Amazon S3, Rackspace, Webdav, SFTP, FTP are supported. You can choose to encrypt the built-in library SharpAESCrypt or GnuPG. More information about the internal structure of the program.

Among the many Duplicati buns, the ability to quickly restore a single file from the cloud is also important for us. Backups when created are automatically split into blocks of 10 MB. Therefore, when recovering a single file, you will need to transfer a limited number of blocks.



Among other things, Duplicati is fully configurable via the command line and supports portable mode.



Disadvantages of using Duplicati:

• Specific wizard-style GUI.
• The inability to update a separate file on the cloud, except by creating a new incremental iteration of the entire archive.
• It is inconvenient and long to restore single files from the GUI, especially after several incremental iterations and with a large block size.
• While the master password is not supported, all data on connections to cloud services is stored in the Sqllite database encrypted with the standard password “Duplicati_Key_42”.

5) Great webdav (and not only!) CarotDav client. Written on VB.NET and completely free to use and modify. According to the developer’s website, source code can be provided upon request. The list of implemented standards is impressive. In addition to webdav-clouds, SkyDrive, Dropbox, GoogleDrive, Box, SugarSync and FTP (S) are supported. There is a portable mode, the configuration can be protected by a master password.



To start encryption in the settings of the new connection, enter the password and select the “Escape string”, the signature, on the basis of which CarotDav determines that the file in the cloud is encrypted and needs to be decrypted.



Now all files uploaded through this connection will be automatically encrypted, and decrypted during downloading.











Disadvantages:

• errors are possible when working with some webdav clouds, the solution may be to increase the timeout of the connection.
• Cyrillic problems and very slow work with skydrive were noticed.
• single-panel interface and lack of command line support.

---

Summary:

Unfortunately, I did not find the ideal option. For archiving projects with a large number of small files, I stopped at Duplicati. To back up media files now I use CarotDav in the hope that Encfs4win will be brought to mind sooner or later.