Securing Dropbox files from theft

A lot of us are using Dropbox to synch what we’re writing. In addition to the convenience, I shifted, in part, because the risk of some Dropbox glitch seemed less than that of losing a tiny flash drive or having it stolen.

But there’s an interesting idea posted on the Dropbox forum that offers an additional reason for using Dropbox storage. If you’re using a Mac laptop or (later this year) an iPad or iPhone to store your manuscript, the workaround allows you to remotely wipe your Scrivener files from the stolen or lost device. That’s not something you could do if you’re just using the laptop’s regular storage.

The full details and a discussion are here:

But here is the technique:

It’s a clever idea, but note that this security feature is something that you have to set up in advance. If you’ve not set this up, you can go to your Dropbox website and unlink that computer. Your documents are secure, but you lose the ability to use Dropbox to track the IP address of the thief.

Once set up, it allows you to protect your manuscript by simply getting to your online Dropbox via any Internet-enabled computer (or smartphone), and moving the files you want to protect from their normal folder to one that’s not synched (his evacuate folder). And to do that, you’ll need to keep your Dropbox login information with you.

Note too from remarks in the discussion that the trick isn’t perfect. A clever thief could still get around what you’ve done. If you go to this webpage, you can vote to have Dropbox add a more robust Remote Purge feature. … -is-stolen

–Michael W. Perry, Seattle

Why not use Truecrypt with a hidden partition inside a truecrypt partition? Can’t think of anything more secure than that. Of course it’s a little more work, but that’s life…

Because you cannot sync small changes. And you would need to have crypt/decrypt available on the remote devices.

So, store the Dropbox folder on an encrypted drive image? Hmm. That might work.

One thing that occurred to me while reading the hint is that even if you don’t set that up, the solution to getting that data off the stolen computer is to go to another computer, and move all of your files to a non-dropbox folder. The sync will then erase everything on all the machines that sync to it, and if you go to the website, you can see if the laptop has synced since you did that. Then you deauthorize that computer, change your dropbox password, and drag everything back.

Not quite as elegant as being able to do all that from the website, but it’s at least doable without the beta and the setup.

I do like the idea of encrypting the folder though. May have to look into that.

No it wouldn’t. DB would see the files as unencrypted and would store them in “clear” mode in the cloud. You would need to put the encrypted drive image in the DB folder for this to work. DB would only see the full image as a binary file so each save would require the entire image to be synced on all servers.

If stuff is so important that you need to encrypt it, you need to find a different solution. There are sync services that provide encryption in transit and cloud but do not require encryption on the remote end. Those services also provide “remote wipe”. I am not poking DB in the eye, but if your stuff is that important, you need to spend the $$ for the mature, commercial services that already provide these solutions.

Well, it would keep the thief out of your stuff. DB couldn’t sync unless you decrypted the drive image first, I would think, so he’d have to have your encryption password to see the DB folder. That assumes that you have to enter a password periodically to get access to the encrypted drive image, or that you habitually unmount your dropbox drive image.

I agree, now that I think about it, that you’re right in that it’s a bad solution, because access to your dropbox webstore is just a cached password away. And in general, it’s a terrible, clunky way of protecting data. Other solutions built around encryption at the client side, and having remote wipe capabilities, are far more useful. I think Mac OS Lion has both full-disk encryption and the remote wipe feature, doesn’t it?


But my point is that “service side” solutions that address all this are already available. You install a Dropbox-like tool. Data is unencrypted locally (use full disk encryption). Data is encrypted before it goes on the network, and is stored encrypted on the server.

Yes it costs $$. But if your stuff is that important …

No it doesn’t … SpiderOak does just that and you get 2GB of space for free. You just have to accept a Linux-like front-end — my previous post may have sounded as if it’s Mac only and badly designed … it’s not, it’s cross-platform, including iOS and Android (I believe), so unless you use Linux you have to work a slightly different way to set it up and administer — and the fact that you need to go into the cloud repository to purge unwanted, or old backups that are eating up your space. Other advantages … you can designate which folders on your HD are automatically backed up on SpiderOak, not like the current DropBox system, and you can create folder access for other people on folders in your account on the server.


Sorry Mr X. I wasn’t trying to imply your solution was wrong or bad. I have several services in mind that do cost $$ that I think address the UI concerns and ease of use concerns. I don’t know what the price per GB is, I’m just a user with a corporate account (one of the few advantages to working for the man these days!).

Anyway, there are options.

I didn’t think you were … I was merely hoping to correct an impression I might have given in an earlier post on a different thread, and to say to those who are concerned, that in fact there is a free solution available that does what they seem to want, but with those caveats.

And I fully understand that, being one with a corporate account, you will be aware of corporate level solutions but perhaps less likely to have explored free solutions.


True. True. Although I do know that the products we use are available to the consumer as well. My experience with services that have a high expectation is that you get what you pay for. Not an insult at any free packages, but the level of expectation that has been expressed …

BTW, comments on the other thread for you in 15.

You can also switch to Wuala, a secure online storage solution.


The truecrypt solution isn’t at all bad or clumsy.

The process is very easy.

  1. You create a file with two partitions and a fixed size. One accessed through a normal password you can give away when forced with a gun and one hidden with an extra strong password or a file or an image etc…

  2. Before you work you have to mount this file and you get a new drive name.

  3. You work on this new drive and when finished you dismount again.

  4. Once dismounted dropbox syncs this one file.

  5. It’s impossible to know that you have a hidden partition, no clues at all. Nada.

Dropbox only has this one file, nothing else, so this is mega-safe. Only problem, it’s not for working in teams simultaneously.

Takes only a minute or two to get on working. Oh, and truecrypt is portable and multi-platform.

Anything else you would need? I’m happy with this solution… but then I only use it for my passwords stored inside of Keepass. My ‘literature’ doesn’t need any special treatment :wink:

What happens when you have two gigabytes of images and webarchives on your truecrypt image when it syncs to Dropbox? I’d assume that the entire encrypted image changes when you make even small changes to an individual file within, so every single change you make results in a 2G sync with however many computers are keeping up with it.

Dropbox only syncs the binary difference. So, yes the initial 2GB could take some time, depending on your bandwidth, but then only the difference is transferred.

Why not simply give it a try and test for yourself?
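
The disagreement above (does a small edit inside an encrypted container force a full re-upload?) depends on how the container is encrypted, which this added example models; it is not part of the thread or any poster's code. The sector size, the scaled-down sync block size and the HMAC-based keystream (a stand-in, not TrueCrypt's actual cipher and not secure) are assumptions.

```python
import hashlib
import hmac
import os

SECTOR = 512        # container sector size (assumption)
SYNC_BLOCK = 4096   # sync client's block size, scaled down for the demo (assumption)

def keystream(key, tweak, n):
    """Stand-in keystream (HMAC-SHA256 counter mode); not a real disk cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, tweak + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_sectorwise(key, plain):
    """Container model: each sector depends only on key, sector number, own data."""
    out = bytearray()
    for off in range(0, len(plain), SECTOR):
        tweak = b"sector" + (off // SECTOR).to_bytes(8, "big")
        out += xor(plain[off:off + SECTOR], keystream(key, tweak, SECTOR))
    return bytes(out)

def encrypt_whole_file(key, plain):
    """Whole-file model: a fresh random nonce changes every output byte."""
    nonce = os.urandom(16)
    return nonce + xor(plain, keystream(key, nonce, len(plain)))

def changed_blocks(old, new):
    """Count sync blocks a block-level delta uploader would have to resend."""
    size = max(len(old), len(new))
    return sum(old[i:i + SYNC_BLOCK] != new[i:i + SYNC_BLOCK]
               for i in range(0, size, SYNC_BLOCK))

def demo():
    key = b"k" * 32                      # constructed key
    v1 = bytes(64 * 1024)                # constructed 64 KiB plaintext volume
    v2 = v1[:10_000] + b"small edit" + v1[10_010:]
    sector = changed_blocks(encrypt_sectorwise(key, v1), encrypt_sectorwise(key, v2))
    whole = changed_blocks(encrypt_whole_file(key, v1), encrypt_whole_file(key, v2))
    return sector, whole

if __name__ == "__main__":
    print(demo())
```

With sector-wise encryption the 10-byte edit changes one sync block; re-encrypting the whole file under a fresh nonce changes all 17. The same locality means anyone holding successive versions of the container can see which regions changed.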

Hi, again.
Protection is probably important, increasingly needed in the future, hopefully widespread and integrated sooner or later, and not remaining a subject of discussion, whether or not.
It is a good feeling to enjoy privacy and safety while writing, not having to worry about those issues, just concentrate on writing, whatsoever…
What are the best experiences around with existing encryption solutions, and especially how to get this down to iPad level, for instance with a nearly perfect solution (IMO) like Writeroom, or next iPad-Scrivener, both on a free and subscription basis?
Cheers and thanks for your input (not English native, apologies)

There’s another variation that I use, and which avoids any syncing of a large TrueCrypt volume.

Don’t put your TrueCrypt volume into DropBox. Put your DropBox folder into your TrueCrypt volume then tell DropBox not to start automatically.

Now when you start your system you mount your TrueCrypt volume then click your DropBox icon.


DropBox has actual usable files not just a single large TrueCrypt one.
Anyone steals your machine and they are faced with a locked TrueCrypt volume.

You can still use the ‘evacuate’ suggestion if you choose, and the locked TrueCrypt volume will give you all the time you need to move your files, as only a determined, seasoned hacker is ever going to get into it.

Not bad, not bad at all. I think I’ll try your solution on a separate machine first.
Only problem is the syncing from the iPad. And this may be important for some (it is for me :wink:)

Sorry, being a techie I suggested using this method alongside ‘evacuate’ (which I don’t use) as I could probably do it myself using a startup shell script that prompts to mount the TrueCrypt volume then when it is ready kicks off DropBox.

If you’re not technically minded however you may not be able to use both methods together as a hacker getting into your TrueCrypt volume is unlikely to then start DropBox so the evacuate process would never run. So, one method or the other.

For those still looking for securing your files and projects within Dropbox, there is a program called Boxcryptor that is made specifically to encrypt DropBox folders & files. I’ve been using it for about a year and it works seamlessly with Dropbox.

It doesn’t create a whole crypted volume like TrueCrypt, instead it encrypts the files themselves. Thus you only need to sync the files that are changed, instead of a single volume.

I just switched to Scrivener early this week, and so far it has worked well syncing between my desktop and laptop. No project corruption yet :slight_smile: (I’m still on the trial).