David.dev 🐍

about ~ apps

13. Februar 2020 21:36 security

Protecting your files in the cloud

Protecting your Remote Files

Cloud services are now no longer the exception by the norm. Your emails (unless you use your own mail server), your phone data, your chats. Pretty much everything is on "the cloud".

Just a few years ago sensitive files like passport, degree copy, birth certificates etc. were solely stored in your computer. You would (hopefully) have a backup and so your sensitive data would never leave your computer. Today we are all "pushed" to store all our files in a cloud service. iCloud, OneDrive, Dropbox and many other services make it very easy to share files across multiple devices that are now the norm.

Users no longer want to restrict their access to their file to a device: accessing files just on your computer is not good enough. What if you want and need to access it from your phone or tablet device? Convenience is important but comes with a few security tradeoff.

There is another scenario that explains why -- in some cases -- we need to be able to share sensitive documents. At some point you will need to share with someone (e.g. your bank, accountant etc.) sensitive documents. What you should certainly avoid is sending sensitive files via email unless they are encrypted and the password is not in the body of the email!

Encryption 101

Why do we even need to encrypt data ? Well in simple terms whenever you upload a sensitive document -- let's say your passport copy and mortgage -- in a cloud service this file is stored mostly unencrypted in the cloud server you use. So in essence if the provider has a data breach (and It happens more often that we think) your personal documents might end up in the wrong ends. Another concern is that at the bare minimum employees of your cloud provider (google, apple, Microsoft, dropbox etc.) will have access to your files. As the saying goes I would say "trust but verify".

Zero Knowledge Cloud Services

To mitigate the issue with the cloud provider having access to your file a number of providers (like Tresorit) offer that is called "Zero Knowledge" Encrypted cloud services. In essence the service provided is similar to dropbox or other file hosting with 2 notable differences:

  1. All files are encrypted (so a data breach in the provider will not lead to the release of your data as encrypted data will be protected unless they guess your key/password)
  2. The cloud provider has no access to your key. The decryption happens in your device (computer, mobile phone etc) so the key used to decrypt and encrypt data doesn't leave your device.

The issue with these providers is that they are often closed source so you have no way to verify if these claims (especially #2) are indeed correct.

Suggestions to protect your files in the cloud

if you have to store sensitive files in the cloud these are some suggestions:

a) Sensitive documents will often be in PDF format. You can use Adobe Acrobat AES encryption functionality (that is different than simply protecting the document from being modified) that encrypt the document. It goes without saying that you should not share the password in the body of the email used to share the documents (send it to the recipient through an alternative channel). In this scenario intercepting the email without the password to decrypt the file will render them unusable.

b) Store the sensitive documents in the cloud in encrypted format only. This adds a layer of security. Note down the passwords you use for each document (perhaps on paper) and use strong passwords to protect them (encrypting file with a weak or dictionary password would defeat the purpose of encryption).

c) Use 7Zip with AES-256 encryption to encrypt your ".zip" archives. With this free tool you can easily create an archive of your sensitive files and compress them with an encryption. The same advice as above about picking a strong password applies.