Sunday, March 17, 2013

Cloud Security Encryption

I've started using Google Drive under Linux with the automatic sync being provided by InSync.  One of my concerns, like most people is security.  Like with any security system, the more security it is the less convenient it is.  You gain more security by sacrificing more conveniences.

ie.  The most secure storage, is a turned off computer put in a safe.  (it's secure and utterly useless).

My first approach is a bit less secure, but fairly convenient.

1.  InSync basically lets me sync files to supposedly multiple Google Drive accounts, though I still have to figure out the exact procedure for that.  For now, I drop a file in $HOME/Insync/account_name/ and it magically appears in my google drive.  Some files, say bills, and tax records I might not want to put on my google drive.

Approach A


I decided to keep all my files as pdfs.  So, all I need to do is figure out a way to encrypt them.  I decided to use pdftk which is pretty much the best tool kit I've found for manipulating PDFs.

Here my steps:
1.  Scan / place file into a non-cloud enabled location.  Let's call this $HOME/tmp/ and call the file open.pdf
2.  Encrypt the file.

     pdftk $HOME/tmp/open.pdf output encrypted.pdf owner_pw s3cr3t
     naturally, replace s3c3t with your own password.
3.  move file to your synchronized 'folder' where it will be kept.

Advantages:
  • Qausi secure.  128bit encryption on pdf files.
  • Google understands encrypted files, and will prompt you for your password when trying to open your pdfs.  Which means, you can open and view your secure files via any web browser.
Disadvantages:
  • 128Bit encryption is inconvenient to break, but not impossible.  If you're storing important information.. like say your tax records with your SSN, you probably want something more secure.

Approach B

This approach was intended to take advantage of boxcryptor.  I was following an old guide for this service to allow for linux support, though right now, I really can't see a reason to use them, since as far as I can tell, a native Dropbox/ Google Plus client + encfs will provided essentially the same benefits.

Directions:

1.  We'll be relying on encfs.  I think cryptkeeper is supposed to be a nicer more user friendly way of doing this, but I could figure out how to use it, or cared enough to look into it, so we'll be doing this the CLI way.

sudo apt-get install encfs
sudo apt-get install cryptkeeper #optionally 

2.  we'll call your sync folder "cloud", replace this with ~/Dropbox, ~/insync/username/ or whatever is appropriate in your case.

cd ~/cloud
mkdir ~/temp_cloud
mv ~/cloud/* ~/temp_cloud  # moving all files out of cloud storage

3.  This will probably delete all your 'cloud' storage, but that's okay.  We just moved the files out into a local folder.  If you're doing this with gigs and gigs of data...this might take a while.

4.  Mount your ~/cloud as an encrypted folder

encfs ~/cloud ~/secure_storage  #I just used p for default settings and entered a nice long password.
mv ~/temp_cloud/* ~/secure_storage/

5.  Enabling automatic mounting of ~/cloud 

sudo apt-get install  libpam-mount
sudo gpasswd -a USERNAME fuse
sudo vim /etc/security/pam_mount.conf.xml
insert a line resembeling this one right below:

<!-- Volume definitions -->
        <volume user="user" fstype="fuse" path="encfs#/home/user/secure_storage" mountpoint="/home/user/cloud" />

6.  Reboot, and your drive should be automatically mounted.  Now IF you want to ensure that the file is encrypted then you should only be working in the folder ~/secure_storage.  Any files you create in ~/cloud directly will be plaintext and in-secure.

Advantages:
  • Much higher lever of security then anything a PDF crypto will provide.
  • Pretty much transparent.  You could also configure your cloud app to look at ~/crypto and mount ~/Dropbox (for example).  essentially switching the order.  
Disadvantages:
  • All the files are utter garbage via a web browser.
  • Main big issue I have right now, is there seem to be a file name limit.  You can't have a file name longer then 36 characters.  


References

  1. http://pragmattica.wordpress.com/2009/05/10/encrypting-your-dropbox-seamlessly-and-automatically/   (Prettier version of Approach B I found while looking up stuff as I was writing this document)