I configure backups to be stored on a cloud account - but this is more-or-less in cleartext - making my work susceptible to theft. I could encrypt the scriv files myself, and then backup those, but I’d prefer it to happen on save. That is, I would like for even my local copy of scriv to be encrypted. At least PGP/GPG should be supported.
This has been requested a few times.
The short answer is that there are abundant third-party encryption tools, and we do not have any particular expertise in encryption.
The longer answer is that because of the structure of a Scrivener project, encrypting/decrypting the project on demand is a potentially significant performance issue.
3 Likes
I use Cryptomator for precisely this purpose: I was unable to find a tool that provided block-level encryption for cloud storage (so that I could just use the cloud as a “vault”) but this app encrypts files individually.
I’ve been using it for a while without significant issues. My (Windows) workflow is to use Cryptomator to mount cloud storage as a (decrypted) new drive and then I use Sync Toy (there are plenty of other alternatives) to copy changes to the mounted drive, which Cryptomator automatically encrypts.
The file names are also encrypted so nothing is given away at all if the cloud storage is viewed outside Cryptomator.
HTH
1 Like
Don’t forget to encrypt whatever folder you’ve set up for automatic back ups too!
2 Likes
On both Windows and macOS you can create encrypted folders. While I have not experimented with this on my Mac’s, I suspect you can create an encrypted folder and direct your Scrivener backups to that folder. No need for 3rd party tools or changes to Scrivener.
Lots of articles findable via internet search for how to do it.
Edit: For those with macOS like me … My entire hard disk is encrypted using macOS “FileVault”. So I kinda feel I don’t need additional encryption on that disk. Maybe being naive, but so be it. I suspect Microsoft Windows has something familiar but I am many years behind keeping up with Windows skills.
There are some good points in there, and also some things to be aware of as limitations.
The problem with local file system encryption like FileVault is that what you do with the data is your responsibility to keep secure if it is removed from the system (for example if you use unencrypted backups, then only the physical computer itself is protected, not your data).
For that to be more secure, the original data that gets sent needs to be encrypted on top of any other protection, such as at the file system level. File system level encryption only protects you from hardware theft level issues, or hardware retirement, and even then it often only provides weak protection unless you fully power down.
To remain protected you have to upload the random noise itself, not the unlocked noise that is so unlocked your computer can successfully boot from it. And file system level encryption does not make it easy (even possible I would say) to “export” the original noise.
Thus to come back to the feature request, such a measure wouldn’t have this problem because then the .zip files would be encrypted somehow so that they are that original noise and can be stored in insecure locations with more confidence.
That all said, I don’t know why one wouldn’t be using a service that provides end-to-end zero-knowledge encryption if they are at all concerned about what they are putting online in their “personal” storage bucket. There are plenty of good options these days for that, it is no longer a niche service.
I suspect Microsoft Windows has something familiar but I am many years behind keeping up with Windows skills.
Yes, Windows has had file system encryption since Win 2k, but it is not available to the simple Home versions. Both that and FileVault have the same weakness though: they are only as strong as the weakest user account password on the system.
Again, good points. Just shows “encryption” not a silver bullet, and one must understand the threats (real or imagined) from which one is attempting to protect against when it’s decided to go down the encryption route. Not a panacea and requires full understanding to achieve the assumed protection levels suggested by encrypting.
Edit: on macOS, if one really wants to encrypt a backup file that might be moved elsewhere, there is what I believe is “built-in” the “zip” command. I think built in as I have no recollection of adding it. I’ve used it to encrypt files (not Scrivener backups as I’m not particularly worried about risks to those files) that I send in email. Something like that may be on Windows, I don’t know.