1

If I encrypt some files in a folder using EFS, and then I upload such files to a cloud service, will they be encrypted on the cloud?

While the logical answer seems to be yes, I think in reality the answer must be no: because when I upload I am logged in to the system, where these files are manipulated in a decrypted form...

Here's what I know: when you use EFS, which is what I'd like to do since I only use Windows, the encryption is "transparent" to the user. Files always appear decrypted because I am logged in to the system. My question is: if I use, for example, the Dropbox or the Mega cloud services and upload such files (with their app or through the browser), wouldn't the file be uploaded in a decrypted form, since I am logged in to the system? Doesn't EFS only protect files locally?

I think this would work only if I uploaded such files from a different system or account where they appear as encrypted. Am I correct? Or totally misunderstanding how this works?

Yet if I use something like VeraCrypt I am back to square one because such files are encrypted only when inside their container. Once they are copied elsewhere, be it the temp working folder of my cloud sync app or just in the ram, they are decrypted and thus uploaded in such form. Is this also correct?

See, my purpose is to encrypt my local mail folder and then upload it to a backup service. It's a big archive and it's not feasible nor good practice to compress it into an encrypted archive, because such an archive takes days to upload on my normal second-world home connection, and my cloud sync service cannot just upload the little chunks of it that need to be updated.

nico
  • 341
  • 1
  • 2
  • 9
  • 2
    I think you need to clarify what you mean by 'cloud service' and 'system'. If I encrypt a file on my computer, and then send it *anywhere*, the file never decrypts. Your 2nd paragraph needs a lot of explanation. – schroeder Feb 09 '17 at 11:28
  • 1
    Encrypting a disk\directory\volume is different. If you open the volume, then the files are no longer encrypted. I think all you need to do is to be clear about the boundaries of the files, the local encrypted volume, and the 'cloud service'. – schroeder Feb 09 '17 at 11:30
  • I'll try to clarify: when you use EFS, which is what I'd like to do since I only use Windows, the encryption is "transparent" to the user. Files always appear decrypted because I am logged in to the system. My question is: if I use, for example, the Dropbox or the Mega cloud services and upload such files (with their app or through the browser), wouldn't the file be uploaded in a decrypted form, since I am logged in to the system? Doesn't EFS only protect files locally? – nico Feb 09 '17 at 11:35
  • As I say, once you open the volume, the files are no longer encrypted. An encrypted drive protects the data at rest. – schroeder Feb 09 '17 at 11:36
  • So then what would be a good solution to upload some files making sure they are encrypted before I do? – nico Feb 09 '17 at 11:41
  • Answer re: EFS (first paragraph) https://technet.microsoft.com/en-gb/library/cc700811.aspx#XSLTsection123121120120 – schroeder Feb 09 '17 at 11:43
  • To ensure encryption, specifically encrypt the files before upload. It's as basic as that. – schroeder Feb 09 '17 at 11:44
  • Well as I said, 1) I'd like to use EFS because I'm on Windows and 2) I want to do this for my local mail folder which is several GBs of data in folders and files. So you are saying I shouldn't use EFS, is that correct? Can you please suggest an alternative, since VeraCrypt equally cannot be used to upload such encrypted files? – nico Feb 09 '17 at 11:48
  • EFS is not the solution you need, Windows or no. Veracrypt can work fine if all you do is put the email store in it. – schroeder Feb 09 '17 at 11:50
  • 1
    Hey Nico, welcome. I think your question can benefit from some rephrasing, because what you are asking is not `Will encrypted files on a volume still be encrypted when uploaded to a cloud service?` but something else. I think maybe your real question is `How can I set up an automated encrypted cloud synch volume where the files are encrypted individually before uploading to cloud?` – Mindwin Feb 09 '17 at 12:02
  • Hello Mindwin, I guess the title can be rephrased, though you can hardly expect a total newbie to express themselves in such a way. Still I didn't want the focus to be on the email syncing since it is interesting to think about this problem in a more general sense as well: _How to encrypt files in order to make sure they stay encrypted on the cloud, without ending up with a single encrypted volume which needs to be re-uploaded in its entirety each time?_ So there, I'll repost my question in that form... – nico Feb 09 '17 at 12:14
  • As an aside but possibly useful. VeraCrypt uses a delta-processing friendly format so you can happily store large VC volumes if you are synchronising to the cloud using a client that does delta-checks at a block level (I suspect all do these days). You keep the files within the encrypted volume and the sync client takes care of the rest. – Julian Knight Feb 10 '17 at 12:46

2 Answers

1

In most of the EFS solutions, the file is unencrypted before going to the memory, meaning that if you upload a file to a cloud platform, it will be decrypted in your computer's memory before being uploaded on the website.

What you may do is create a folder in your computer mapped to the DropBox folder you want to use. Then you use a solution such as Veracrypt to create an encrypted volume inside the dropbox folder (which is mapped in your computer). In this way, dropbox will see only a large encrypted file, while you will be able to decrypt it from your computer.

Ricardo Reimao
  • 687
  • 4
  • 9
  • Wait a minute: the Veracrypt documentation says clearly: "You can copy files (or folders) to and from the VeraCrypt volume just as you would copy them to any normal disk (for example, by simple drag-and-drop operations). _Files that are being read or copied from the encrypted VeraCrypt volume are automatically decrypted on the fly in RAM (memory)_". [link](https://veracrypt.codeplex.com/wikipage?title=Beginner%27s%20Tutorial). Doesn't this mean that the syncing Dropbox app would handle **decrypted** files, regardless whether they are sitting in the encrypted volume/container? – nico Feb 09 '17 at 11:59
  • He means that you upload the Veracrypt volume using a shared drive in Dropbox. All Dropbox sees is the encrypted volume. You decrypt locally. It's the same as my answer except with a specific syncing method. – schroeder Feb 09 '17 at 12:03
  • My idea is: You create a folder in your dropbox. You map this dropbox folder into any folder on your computer. You create a Veracrypt volume inside of the folder on your computer... having that done, the dropbox will only see a large encrypted file, while you will be able to decrypt it in real time from your computer. – Ricardo Reimao Feb 09 '17 at 12:03
  • @nico: There is a difference between the container that holds the volume (the encrypted file) and the volume itself. Veracrypt needs you to mount a volume at a specific mount point, say drive F:. When you access F:, files on there are transparently encrypted and decrypted inside the container. Dropbox wouldn't see F:\, only the container file. – Out of Band Feb 09 '17 at 12:24
  • As I said elsewhere on this page, uploading the container file is not a useful solution because I would have to upload a 2GB file every time a 10kb file in it changes. I wonder how this doesn't jump to everyone's eyes as a blatant obstacle. – nico Feb 09 '17 at 12:31
  • @nico: Probably because Dropbox has a sync algorithm that detects changes in files. It doesn't upload the whole file every time you change it. I like this answer, but I do wonder whether Dropbox's sync algorithm is clever enough to deal with filesystem change patterns (if you create a new file in your container, that will probably change the container at multiple, possibly widely dispersed locations). If you get unlucky, Dropbox will sync a large part of your container because it can't accurately detect which parts changed. There's probably no way to know except test it. – Out of Band Feb 09 '17 at 12:31
  • I didn't know about this algorithm by dropbox... I don't actually use dropbox though, but Mega which I don't want to mention because then everyone will say: "files on Mega are already encrypted!" In my experience, Mega overwrites the entire file each time. – nico Feb 09 '17 at 12:37
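An added illustration, not code from any answer or comment on this page, of the delta-sync point raised under this answer by Out of Band and Julian Knight and of nico's worry about re-uploading a whole archive: a block-level sync client re-uploads only blocks whose hash changed, so an in-place sector write inside a container touches a few blocks, whereas a rebuilt archive that shifts its contents changes every block after the edit. The 4 MiB block size, sector offsets and sample data are constructed assumptions, not documented behaviour of Dropbox, Mega or VeraCrypt.

```python
import hashlib
import random

# Constructed parameters: a 4 MiB sync block is an assumption about the client,
# not a documented Dropbox/Mega value. 512 bytes is the sector size a filesystem
# inside an encrypted container overwrites in place when a file on it changes.
BLOCK_SIZE = 4 * 1024 * 1024
SECTOR = 512


def block_hashes(data, block_size=BLOCK_SIZE):
    """Hash each fixed-size block, as a block-level (delta) sync client does."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def blocks_to_upload(old, new, block_size=BLOCK_SIZE):
    """Number of blocks of `new` that are missing from or different in `old`."""
    old_h, new_h = block_hashes(old, block_size), block_hashes(new, block_size)
    return sum(1 for i, h in enumerate(new_h) if i >= len(old_h) or old_h[i] != h)


def edit_container_in_place(container, sector_offsets, seed=1):
    """Simulate a small file write inside a mounted container: the data sector
    plus a few dispersed metadata sectors get fresh ciphertext; nothing moves."""
    rng = random.Random(seed)
    buf = bytearray(container)
    for off in sector_offsets:
        buf[off:off + SECTOR] = rng.randbytes(SECTOR)
    return bytes(buf)


def rebuild_archive(archive, insert_at, payload):
    """Simulate re-creating an encrypted archive: one insertion shifts every
    byte that follows it, so every later block hashes differently."""
    return archive[:insert_at] + payload + archive[insert_at:]


def compare(size_mib=32):
    """Constructed 32 MiB of ciphertext; count blocks re-uploaded per scenario."""
    base = random.Random(0).randbytes(size_mib * 1024 * 1024)
    # one data sector in block 0, two metadata sectors in blocks 3 and 7
    dispersed = [4096, 3 * BLOCK_SIZE + 4096, 7 * BLOCK_SIZE + 4096]
    in_place = blocks_to_upload(base, edit_container_in_place(base, dispersed))
    new_file = random.Random(2).randbytes(10 * 1024)  # a constructed 10 KiB mail
    rebuilt = blocks_to_upload(base, rebuild_archive(base, 4096, new_file))
    return {"total_blocks": len(block_hashes(base)),
            "container_in_place": in_place, "archive_rebuilt": rebuilt}


if __name__ == "__main__":
    print(compare())
```

Whether a real client behaves this well depends on it actually hashing at block level and on how widely the container's filesystem scatters its metadata writes, which, as noted in the comments, is something to measure rather than assume.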
0

You could use the 'encrypted volume' effect to your advantage. Encrypt the email store and use an email client that decrypts the store when it uses it.

Veracrypt can be used in the same way with an extra step. Create an encrypted volume, put your email store in it, then decrypt the volume before launching your email client.

Then, all you have to do is to backup the already encrypted mail volume.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • As I clearly stated in my last paragraph, this isn't convenient at all because the data is very large and it would take days to upload such archive or encrypted volume. My only option is to upload individual files. This way the syncing app would upload only the ones that have actually changed. – nico Feb 09 '17 at 11:52
  • Then you need to overhaul your question. Your question was about how a file remains encrypted. If you want a way to encrypt *individual files* to update an email store, then that's a totally different question. It can be done, but you're likely looking at a script to encrypt/decrypt files individually. – schroeder Feb 09 '17 at 12:01
  • How is the question totally different? ==I want to upload files. They are encrypted. Will they be encrypted once I upload them?== The question is still the same and is still unanswered. Maybe you should have read my post thoroughly the first time, instead of skipping through it making assumptions on what you are reading. – nico Feb 09 '17 at 12:05
  • @nico *The files* aren't encrypted when using EFS. *The data on disk* is encrypted. Any process that is able to read the files will see decrypted data, so that's what anything that copies the data elsewhere (such as by uploading to a remote server) will see. Keep in mind the distinction between what's physically on the disk and what's visible in the file. – user Feb 09 '17 at 12:21
  • @nico what I'm saying is that you have an X/Y problem. You have a problem, you are imagining a solution, and asking about the solution thinking that the question is about the problem. I'm saying, ask about the problem, not about the details in your imagined solution. – schroeder Feb 09 '17 at 12:27