Encryption and Dropbox

Will the file transfers using Dropbox use any kind of encryption? The thought of Condoleezza Rice having access to my notes puts me at unease.

No, there’s no encryption.

I wouldn’t worry unless you were writing something like Olympus Has Fallen :wink:

Olympus Has Fallen aside, as a lawyer, encryption is vital. It also seems to be becoming more available in other apps as I see Devonthink To Go added it in version 2.0 for their Dropbox sync.

Or anything I don’t put my name on. Rice doesn’t need to know my pseudonyms.

I’m not sure I see Condoleezza Rice being too interested in what I write… Anyway, I’m no encryption expert, and to encrypt on Dropbox we would need to encrypt every file separately and decrypt them on opening them. The macOS and Windows versions would also need this all building in. So there are currently no plans for this. So far, hasn’t iCloud had a worse track record for having data stolen? Most apps don’t encrypt data there, either.

You can index your Scrivener folder in DEVONthink, download the files into DEVONthink To Go and then open them in Scrivener. The only way back seems to be Compile and then Clip to DEVONthink. If Scrivener had a “Compile as Scrivener file” option, this might be workable.

If I was that concerned or I belonged to a profession (like yours) where security was paramount, I wouldn’t use any proprietary software or service at all. Nothing where the source code wasn’t publicly available for peer review would satisfy me - that goes for the BIOS all the way to the application layer. If lives depend on privacy, this is the only acceptable way to do computing.

Hardly practical… and fortunately not a problem I have to deal with.

If you don’t like Dropbox (and I don’t blame you, they are scum) then at least we have the option to manage projects the old fashioned way with iTunes.

According to https://scrivener.tenderapp.com/help/kb/macos/password-protecting-your-work there are several ways to password protect Scrivener Projects for a Mac. I can turn on FileVault (on my work Mac), I already have a password on my local account, and I have played around with encrypted disk images and storing documents inside of them. There is also whole drive encryption available for PC. Unfortunately, none of these are acceptable solutions for my workflow. My setup is as follows:

Scrivener Desktop installed on my home Macintosh.
Scrivener installed on my iPad.
Dropbox syncing setup on both my home Mac and the iPad.
I also have Dropbox installed on my work computer.

On the home desktop, I can create an encrypted disk image and store my Scrivener projects inside of the disk image, but when I go to the iPad Scrivener doesn’t know how to access the disk image. Much less any other application being able to access the contents of the disk image. So I am left with saving the Scrivener projects directly to the Dropbox folder. This means that any Scrivener projects will show up on all the devices, and the web, unprotected.

My feature request is to include built-in encryption or/and password protection for Scrivener projects. This would be on a per project item, much the same way that Pages or Numbers handles protection.

As far as Dropbox security goes, I do trust Dropbox with my data and have a strong password for it. But on occasion, there are breaches that do occur (not just with Dropbox but other cloud-based services as well). These are few and far between. When a breach does occur, I do immediately change my password for Dropbox, but having an extra layer of encryption on the Scrivener Projects would be nice. Also if the projects are encrypted, then I wouldn’t need to worry about the contents of personal files being on work computers. The Scrivener Projects would remain encrypted on the work desktop Mac. Having personal files on work computers isn’t against the rules, I just don’t want snooping eyes and keeping the Scrivener Projects encrypted would mean that anyone looking at the hard drive (for example backup purposes if the hard drive gets corrupted and has to be reloaded) would only be able to see a blob of data and not the actual contents of the files.

For people forgetting their password, that’s what a password manager is for. I use 1Password myself, not just for web passwords but for anything that requires a password. There are other ones out there as well, including the free KeePass.

Side Note: I have gone in and changed my Dropbox Selective Sync settings to not include the Scrivener Projects folder on my work computer. I would still like to see encryption added as a feature in a later version.

It’s not accurate to say that Dropbox has no encryption. It both encrypts data stored on its servers and uses an encrypted link to transfer data to/from your system:
dropbox.com/security#protection
They also support two-factor authentication for account access.

Now, they do hold the encryption keys, so your data is still theoretically vulnerable in the event of a breach. (This is also why the encryption is transparent to the user.) Whether that’s a concern for you probably depends on exactly what your data is. Unless someone like the NSA is interested in what you’re doing, though, physical security of your own device is probably a much bigger risk. (And if the NSA does care about you, it’s probably a good idea to stay off the net entirely.)

Katherine

Sorry, I misspoke here. What I meant to say, and should have expanded on this, is:
If a Scrivener project is saved on the local Dropbox folder on the local hard drive, the files are not encrypted, while the files stored on Dropbox’s servers are encrypted. But if a breach does occur and the breacher does get access to the files on Dropbox’s servers and the breacher does get past the Dropbox encryption, then the Scrivener projects are left unprotected.

For anyone else wondering how this could be done, take a look at 1Password. It saves its password vault in an opvault package. Each file in the package is encrypted including any attachments. This is a loose example of an encrypted package, but taking the above, if the breacher does get past the Dropbox encryption, then the breacher still only has a blob of data and no human readable content. Sure, they could still see the individual files but unless they start doing a brute-force attack they’re not going to get anywhere.

I don’t expect anyone to drop what they are doing and begin working on this. It is only a feature request and to get encryption done right takes time and effort to think things through.

Agreed. My point, though, was that getting past Dropbox’s own security is not the trivial task that some commenters have implied.

Katherine
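
Several posts above describe encrypting every file of a project separately, so that whoever obtains the synced copy holds only opaque blobs (the opvault comparison). A minimal Node.js sketch of that idea follows; it is an added illustration, not code from Scrivener, Dropbox or 1Password, and the function names, blob layout, scrypt parameters and sample file names are assumptions made for the example.

```javascript
const crypto = require('crypto');

// scrypt cost parameters chosen for this example (assumption; tune per device).
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the project password; the salt is stored with the package.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, SCRYPT);
}

// Encrypt one file. Blob layout (assumed): nonce(12) || tag(16) || ciphertext.
// The file name is authenticated as AAD, so a blob moved to another name is rejected.
function encryptFile(key, name, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

function decryptFile(key, name, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the name or any byte of the blob is wrong.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Seal every file separately: names and sizes stay visible, contents do not.
function sealPackage(password, files) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(password, salt);
  const blobs = {};
  for (const [name, data] of Object.entries(files)) blobs[name] = encryptFile(key, name, data);
  return { salt, blobs };
}

function openFile(password, sealed, name) {
  return decryptFile(deriveKey(password, sealed.salt), name, sealed.blobs[name]);
}

// Constructed sample project (not a real Scrivener package layout).
const sample = {
  'Docs/1.rtf': Buffer.from('Chapter one draft'),
  'Docs/2.rtf': Buffer.from('Client notes'),
};
const sealed = sealPackage('correct horse battery staple', sample);
console.log(Object.keys(sealed.blobs), openFile('correct horse battery staple', sealed, 'Docs/1.rtf').toString());
```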