As I’ve noted in the past, I store a lot of stuff in Evernote. I am, however, reticent to use it for financial records, medical records, and other sensitive documents due to security concerns.
Honestly, the same goes for storing files in the clear in DropBox or similar services. They just don’t provide enough in the way of server-side file security for my tastes.
The good news is that, when using a file sync service, it’s pretty easy to secure your files yourself. In my case, I’ve defaulted to storing sensitive documents inside an encrypted TrueCrypt container that lives inside my DropBox.
While the TrueCrypt solution is certainly workable, however, it’s not very user-friendly. As a result, I don’t use it as regularly as I should, and I tend to fall behind on getting things digitized and stored away. I was thus quite interested when I ran across a piece of software called BoxCryptor this past week.
Note: The following focuses on “BoxCryptor Classic.” They’re working on a newer 2.0 version and have decided to re-brand the 1.0 version as “Classic” and keep it around even after 2.0 is released.
What is BoxCryptor?
BoxCryptor is an application that hangs out in the background and can be used to encrypt data (AES-256) in concert with a variety of cloud storage services. There are versions for Windows, Mac, Linux, iOS, and Android, as well as a Chrome plugin.
In short, BoxCryptor offers client-side encryption in a special folder that can be put just about anywhere. Mine is in my DropBox, but you could store and use it locally (or in a different cloud service) if you preferred.
As for other cloud services, it currently works with DropBox, Google Drive, SkyDrive, Box.com, SugarSync, as well as any provider that supports the WebDAV standard.
To view and interact with your data, BoxCryptor mounts the special folder (where things are stored as individual, encrypted files) and decrypts everything locally in a virtual drive that shows up on your desktop.
Protip: When you first set it up, you can set the name of your BoxCrytpor folder, but the virtual drive name defaults to “BoxCryptor Classic.” To change this, enable the “Advanced” settings in the preferences, right-click on the volume in the list, and edit it. I changed mine to match the folder name (“Archives”).
The above probably sounds somewhat familiar to TrueCrypt users, and there are some similarities. But it’s far more polished, streamlined, and easy to interact with, even if my description didn’t make it sound that way.
I can’t speak to the details on Windows since I use a Mac, but… On my Mac, the special BoxCryptor “folder” looks like a regular folder, but is actually a “package.” When you double-click it, you’re prompted for your password before it mounts.
You can right-click on the package to see the contents, which are your encrypted files, but there’s really no reason to go in there — and you could mess things up by doing so. Instead, all file access should be done through the virtual drive.
To add files, you just drag them into the virtual drive. Once there, you can organize them using whatever folder structure you want and everything will be mirrored to the BoxCryptor package, auto-encrypted, and sync’d to your preferred cloud service.
When you’re done, you simply “eject” the virtual drive and it disappears. Your files, which are stored individually (but encrypted) inside the folder/archive thingy, are never decrypted outside that virtual drive on your desktop (or anywhere else).
On the iPhone (I assume Android is similar) you can link the app to your DropBox, after which you can launch the app, enter your password, and view any of your encrypted files. Pretty handy if you need file access on the go.
If your primary concern is cloud security, you can set BoxCryptor to remember your password, in which case you can decrypt your files locally without re-entering the password. I haven’t done this, mainly because it gives anyone with access to your computer access to your files, but it’s worth noting that it’s possible.
How much does it cost?
I know what you’re wondering… How much does BoxCryptor cost? Well… They actually use a freemium model, with the basic functionality being free. If you want more, you can upgrade for $48/year. The good news is that the free version will probably serve the needs of most of you, so you can probably avoid upgrading.
With the free version, you’re limited to a single archive on a single cloud service, which is fine by me. I just need a single on DropBox. You’re also limited to a pair of devices (e.g., desktop and phone). This is probably okay, too, though I guess I’ll have to choose between phone and tablet access.
Oh, and you can’t encrypt filenames with the free version, so if someone looked inside your special folder/package, the files would be encrypted and unreadable but they’d be able to see the filenames. This may or may not be a problem. I don’t really care, but some of you might.
Note: There are actually technical reasons that you might not want encrypted filenames — e.g., if you use the versioned-backups functionality on DropBox.
If you upgrade, these restrictions are all lifted. There’s also a business option that offers group functionality, but I didn’t really explore that.
BoxCryptor vs. TrueCrypt
So now for the big question… BoxCryptor or TrueCrypt?
One of the big strengths of TrueCrypt is that it’s open source. Thus, the inner workings have been scrutinized in great detail. In contrast, BoxCryptor is not open source, so you’re trusting the abilities (and intentions, I guess) of the developers.
TrueCrypt also gives you more control over the encryption methodology and the ability to do things like create hidden volumes. While I can see the utility of these things, they’re not particularly important to me.
The primary downside of TrueCrypt relates to usability. In short, BoxCryptor is far more user-friendly. And that, to me, is incredibly important. If something’s clunky enough that I don’t like using it, then it’s not nearly as useful.
Another difference is that BoxCryptor stores your encrypted files individually (inside the BoxCryptor folder/package), whereas TrueCrypt stores everything in a single, encrypted container. Thus, although TrueCrypt takes steps to ensure data integrity, there is (arguably, at least) a greater risk of data loss with TrueCrypt.
This file-based vs. all-in-one storage has another potentially important effect. With BoxCryptor, your changes occur incrementally. Add a file and it gets encrypted and uploaded in real time. With TrueCrypt, your changes are only committed when you finish your work and close the container.
Oh, and with TrueCrypt, you have to decide on the size of your container in advance. This means that you have to anticipate your future needs and make it large enough to accommodate any files you might want to add down the line. This isn’t a concern with BoxCryptor, as the folder grows/shrinks with its contents.
Finally, mobile access… Yes, there are iOS and Android apps that let you access TrueCrypt containers on the go, but they’re a bit clunky. Also, data transfer could (?) become an issue since you’re dealing with the entire container at once.
All things considered, I’m switching to BoxCryptor Classic. As I alluded to above, I will likely be sticking with the free version, at least until there’s a compelling reason to pay. Once the new (2.0) version is available, I’ll re-evaluate my needs and decide whether or not to upgrade or stick with Classic.
While files encrypted with BoxCryptor Classic won’t be compatible with the 2.0 version, they’ve promised an easy upgrade path to convert Classic files for 2.0 compatibility. And they will continue to operate based on a freemium model.
That’s it. Any questions?