Cloud file synchronization is extremely convenient and today it’s nearly ubiquitous. You might not even be aware that you’re using it right now. These services allow you to synchronize the contents of a special file folder across multiple devices through the internet. When you add a file to this folder, or make a change to an existing file in this folder, the file is almost instantly added or changed on every other device where you’ve enabled this service. You can also use these services to share files and folders with others.
The first big name in this space was DropBox. But over the years, Apple, Google and Microsoft have all created their own cloud-based file storage services, built right into their respective devices. You would know these as iCloud, Google Drive and OneDrive, respectively. All three vendors push you strongly to use these services, often requiring you to go through steps to avoid using them. But they’re undeniably convenient and adequately secure, so why not use them?
Secure vs Private
It’s important to draw a distinction here between “secure” and “private”. All the services mentioned here claim to use strong encryption when transmitting and storing your data. This will keep your data safe from prying eyes, right? When you store things in a public locker, you lock it up and take the key with you. But you also realize that the owner of that locker also has a key. Similarly, all of these services hold the encryption keys for your data. There are people who work at Apple, Microsoft, Google and DropBox who could access your files if they wanted to or were required to by law. The services may be secure, but they’re not necessarily private.
That said, there’s nothing to prevent you from encrypting the files yourself before storing them in one of these special cloud-synced file folders. You can encrypt a file as many times as you want. It would like a locked set of Matryoshka dolls. This would make the files completely unreadable by your sync service. But even if you knew how to do this and had the tools to do so, it would be tedious to do file by file.
If you want to sync your files and folders through the cloud privately, you could just choose to use a service that allows you to control the encryption keys such as Sync.com or SyncThing. (I’m really hoping that Apple, Google and Microsoft will eventually offer this option, too, but I’m not holding my breath.) But I’m going to tell you about another great option: Cryptomator. Not only will this tool will allow you to easily encrypt your files inside your cloud-synced folder, it will also allow you to encrypt files in any folder.
The Key to True Privacy
The process is very simple. First download the app (which is free and open source) and install it. It will ask you to either create a new vault or open an existing vault. A vault is just a folder that is encrypted with Cryptomator. It’s a folder like any other folder on your device’s drive, except that the contents are only visible if you unlock it and view it through Cryptomator. (That means that you must give your vault a name that is a valid folder name – it probably can’t contain certain special characters like slash.) Note that Cryptomator is smart enough to determine if you’re already using a service like DropBox, iCloud, OneDrive or GoogleDrive. It may offer to put your vault in one of those folders. But you can put the folder anywhere you like, and you can have multiple vault folders. It’s your choice.
Then Cryptomator will ask you to provide a password or passphrase. Make this unique and strong – and don’t lose it! If you forget this password, your data will be lost forever. I would store it in a password manager as a secret note (and not in a file on your computer). Cryptomator will also give you the option of generating a “recovery key”. This is basically a backup password. You could print this off and put in your safety deposit box or somewhere outside your house. (Think fire, flood, or other disaster.)
That’s it! To access this vault folder, launch the Cryptomator app, select your vault folder and enter the vault password/passphrase. You can now work with the files in this folder (including other subfolders) until you close and lock the vault folder. Note that even though you can view the files, no one else can – even while you have it unlocked with Cryptomator. You can test this pretty easily yourself, if you’re using a vault that’s within a cloud-synced folder. Open it locally with Cryptomator, then try to view that same folder on one of your other cloud-synced devices. And remember that you can use this to privately share files with others – you just need to share the password or passphrase with them. (Hint: don’t send it in an email or text message.)
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!