17

It's my understanding files kept on Google Drive are not protected. I would like to have them encrypted so that to be able to view or modify them one must enter a password. I foresee a potential dilemma: the computer must have the encryption/decryption tool to do this, thus defeating the portability of Google Drive. A scenario is I'm working on a library computer where I do not have permission to install software.

Are there any online solutions to encrypting Google Drive that are open source? Is anything online (I'm avoiding the word "cloud") ever open source? To me it seems absurd to arbitrarily trust another company online to encrypt/decrypt files more than one would trust Google in the first place.

I noticed new versions of Microsoft Office have the option to save to online storage services, such as Google Drive and Skydrive. If this is going to be my default choice to save files to, I would like to have them encrypted.

Celeritas
  • 10,039
  • 22
  • 77
  • 144
  • 5
    Do you trust that library computer more than Google's servers? I feel the argument you might not have the tools to decrypt is redundant because you should only be using trusted computers to read the content if you're genuinely worried about their contents. – deed02392 Mar 12 '14 at 10:28
  • 4
    @deed02392: Question is which is worse, some kid in the library installing malware and reading your private love letters, holiday photos _and bomb plans_, or Google sending a copy of everything to the NSA as a standard process. But yeah, I agree... it's kind of pointless to worry who might be reading your stuff when you use a totally compromised computer :) – Damon Mar 12 '14 at 10:48
  • You guys seem to be missing the point. I don't want to have to trust google or the library computers. @deed02392 you say I shouldn't have an untrusted school computer read sensitive data, that's different. I know when I upload a file to google drive it's being stored on their servers. When I use a USB device with my files on it, likely no data gets copied to the schools servers (it's not like the library computers keep copies of all data on all removable media inserted in them; I mean it is possibly but unlikely, you *know* google drive is keeping your files). – Celeritas May 15 '14 at 08:39
  • 5
    @Celeritas You are wanting something illogical. You are saying you **don't want to trust a computer that you want to use sensitive files on.** Yes it's annoying when you can't have both convenience *and* confidentiality, but that is the way security works - it's a constant trade-off of these two elements. To be blunt, you simply have to get over it. – deed02392 May 15 '14 at 08:45
  • 1
    "It's my understanding that files kept on Google Drive are not protected?" is misleading. Google does protect files on Google drive using a variety of organizational, network, and cryptographic methods to protect against rogue employees and third-party hackers. They do not protect against government actors with subpoena power. They also only encrypt stuff stored on their servers, not stuff on your local machine that is synced to drive. – Mike Samuel Jul 29 '14 at 12:38
  • iMessage works like that. It's real end to end encryption, but it works seamlessly on multiple devices. I don't know of an encryption service that provides this but it's definitely doable. Basically every device you add as trusted shares its public key, and data is encrypted with all the public keys - one for each device - so each device can dencrypt the data. – n13 Oct 15 '15 at 01:38

8 Answers8

22

In general: You need to trust the machine on which you are decrypting the files. This trust is usually only warranted if you have full control over this machine which also means that you can install software on it. So if you are really concerned about the contents of your files then use an offline encryption/decryption tool on a trusted machine and upload the encrypted data to Google Drive or any other cloud file sharing service.

Then how do you access encrypted data on the library computer? Well, you don't. That machine might have malware on it that sends copies of your data and/or your key to somebody who is not supposed to have them. Once this happens your entire encryption is useless.

This also explains why there are no "online solutions to encrypting Google Drive". I'm not really sure what you mean by "online" here but I am assuming you mean "transparent" i.e. the data is encrypted but you don't really have to care about how it is done and don't need to worry about installing software. Here's why this is so hard to do:

Encryption of data always requires two main ingredients:

  • The algorithm used to encrypt the data and
  • the key used to encrypt the data.

The key must never be known by an untrustworthy entity. But you need to supply the key to the algorithm and an untrustworthy algorithm might just send the key to an untrustworthy entity. So you want the algorithm to be trustworthy. This, however, means that you should not use an algorithm provided by an untrustworthy source.

Applying this to your Google Drive situation

Since you want to store data so that Google can't read it we are going to define Google as untrustworthy.

Transparent encryption without additional software on the client side would have to be done either on the Google servers or in your browser.

  • When it is done on the Google servers it is obvious that you need to supply Google with your encryption key so they can decrypt your data on their servers. So now they have your key which means they can decrypt which means you might as well have stored your data in plain text all along.
  • The other option would be decryption in your browser. This, however, would have to be implemented by Google so they can serve it to you on their page. Again, you would have to hand the key to an algorithm that is from Google and that algorithm might send the key back to Google.

A trusted third party

After all that talk about how it is impossible to do transparent Google Drive encryption here comes a way how it might be possible. However, this requires that you trust some other party to see your sensitive data.

Google Drive has an API that allows viewing and uploading of files. In theory it would be possible to build a website that accesses your Google Drive using that API and encrypts and decrypts data before it is written or read. This means that Google would never see your plain data and you would still be able to access it without installing additional software.

However, now you have a different website owner who provides the decryption algorithm and might therefore have your key. And you have also handed him your Google Drive login so now he is the one who will be able to download and decrypt everything in your Google Drive.

Addendum 2015-02-28: From having a quick look at the InstantCryptor website it seems that they have implemented exactly this scenario. From what I can tell, they provide a JavaScript-powered web-based interface to your Google Drive and Dropbox storage. This interface can encrypt and decrypt your files before saving them on your cloud storage.

The sad conclusion

If you really want to make sure that nobody sees unencrypted data, then you can't show your unencrypted data to anyone. This, however, means that you need to do the encryption on a trusted machine and that usually mandates that you install additional software. Also you can't decrypt data on untrustworthy machines such as library computers.

Chris
  • 652
  • 6
  • 12
  • Basically means you need to have some specific trustworthy 3rd party non-google app that can encrypt/decrypt. 7-zip can do it but it makes an archive and you'd have to delete the original I guess or just send google drive a 7-zip copy. – Dexter Jun 09 '14 at 03:19
  • What if I trust Google enough to perform client-side encryption, but I don't trust them enough to perform server-side encryption. In other words, I don't trust that Google can protect my private data from hackers. I would be ok with Google encrypting and decrypting locally through their Drive app. do you know if Google does that? – Didier A. Apr 07 '15 at 23:51
  • Also, I could trust Google to protect my keys and their serer side encryption function, but not trust them with my word documents. Maybe I trust that more care will be taken in protecting my keys, while I worry less care is taken for my docs. So if they encrypted my docs on their servers before storing them, I would feel safer. – Didier A. Apr 07 '15 at 23:53
  • 1
    @didibus I assume that they employ Transport Layer Security, i.e. when transferring documents only Google and you can read them and not somebody eavesdropping on the conversation. I highly doubt that they would store anything in an encrypted format that they themselves can't read. Google's business model is knowing what you store on their server and analyzing it for advertisement purposes, so storing unreadable data just doesn't make any sense for them. I don't know if they encrypt it, but it seems that it would be a lot of work with no benefit to them. – Chris Apr 10 '15 at 06:25
  • Very good info. Does InstantCryptor leave the private key on your computer? IMO all the encryption / decryption could be done locally in your browser, in JavaScript, without having to go to their servers. And then it would be secure (if your browser is trustworthy) – n13 Oct 15 '15 at 01:41
  • 1
    @n13 They claim they do all the encryption in JS. http://cloudrail.com/instantcryptor/ I haven't verified it for myself, though. – Chris Oct 15 '15 at 09:17
5

In Microsoft Office Word, Excel and PowerPoint it is possible to encrypt files with AES-128 encryption by setting a password. Note that encryption in Microsoft Office < 2003 is not secure, and in 2003 only if you manually pick a stronger encryption algorithm, because it defaults to the insecure Office 97/2000 Compatible encryption.

As others have suggested, you can use 7-Zip (Portable) for other files.

user2428118
  • 2,768
  • 16
  • 23
4

Just use 7-zip's password-protect feature.

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 1
    1)computer may not have 7-zip – Celeritas Mar 12 '14 at 07:58
  • 2
    Like the other person answered, use portable 7-zip – atdre Mar 12 '14 at 09:59
  • Using portable 7-zip requires the ability to access the portable executable from local attached storage (thumb drive, floppy, cd, etc.) or from network sources (download from portableapps.com, Google Drive, dropbox, etc.). It also requires the ability to execute a non-native, non-standard installed, or non-approved executable. We get that you are trying to give a to-the-point answer to a problem, but it doesn't really answer the concept of the question @Celeritas is asking. – 0xSheepdog May 15 '14 at 05:43
  • 1
    This requires trusting the machine on which 7-zip is being used to not have keyloggers, etc. installed. – Andrew Ferrier Mar 12 '15 at 16:17
  • 7-zip portable isn't available for OS X – Celeritas Dec 13 '15 at 23:47
  • Also, not a good encryption algorithm unless it is using aes – Kellen Stuart Jan 03 '17 at 02:47
2

One open source solution which I found should solve your problem is the Cryptsync. Website is - http://stefanstools.sourceforge.net/CryptSync.html

Also,

Another method which I can suggest is, how about you convert your files to an SFX (Self Extracting) Archive and set a password with a nice encryption on it? I guess for this method you do not need any Installed Software on the remote desktop or even on an Android phone (No idea, about iOS) to decrypt the files.

As far as encryption is considered without using any software, you can use the Iexpress utility built inside every copy of Windows since Windows XP to create an SFX archive and use the above open source tool for encryption. I did some googling and it seems that IExpress cannot encrypt the files with a password.

More about the usage of Iexpress can be read here - http://lifehacker.com/384658/use-a-built-in-windows-utility-to-create-self-extracting-archives

So, I would suggest is use 7Zip on a computer where there are no restrictions or use a portable version of the 7Zip to encrypt the SFX archive. Once the SFX archive is created you can directly upload to Google Drive and can access the files from anywhere.

Pranav Jituri
  • 228
  • 2
  • 11
1

There is a problem here: you are using a library computer which of all the computers in the world, is probably the type of system you can least trust. You should first be more worried about the library computer then about google.

But that's not your question, so let me answer your question:

I use Axcrypt on Dropbox. According to the Axcrypt website, it's a perfect tool for Google drive as well. The problem is you can't install it on your library computer. So you need a way to access it remotely. The way to do this is to install it on a thumb drive, take the thumb drive with you to the library and run it off of that:

http://www.axantum.com/axcrypt/

user41888
  • 11
  • 1
1

You can encrypt by using the open source Truecrypt software to create an encrypted container. An encrypted container is a file that Truecrypt uses and sort of pretends is a disk drive. It is formatted like a drive, and everything that is written to it is totally encrypted. When you mount it in Truecrypt, you get a drive letter on your computer and everything written to it is stored inside the container totally encrypted.

On the plus side, since everything written to the container is encrypted, this means that all the data going over the Internet to Google Drive is totally encrypted. Also, Truecrypt is available in portable versions that fit on a USB stick.

On the down side, Google drive doesn't support synchronizing portions of a file. This means every time you make a change to files in your container and dismount it, your computer has to send the whole container file to Google Drive, even if only a tiny part changed. For large containers, this can take quite a long time. For ease of use it's best to:

  1. Use multiple smaller containers
  2. Keep a container mounted, make all the changes you are going to make to the files in it, then unmount it. You can even keep it mounted all the time, only dismounting it once a day for it to synchronize.

It's unfortunate that Google Drive does such primitive synchronization, but it may be in an effort to combat people doing just as I suggest. Tools like rdiff have synchronized portions of a file over a network for 20 years now. Incidentally, Dropbox does partial file synchronization - only synchronizing the part of a file that changes. The technique of using an encrypted container on Dropbox works very well, and after the initial one, synchronization occurs very quickly and takes time in proportion to how many files are changed while the container is mounted.

Kurt Fitzner
  • 121
  • 3
0

To me it seems absurd to arbitrarily trust another company online to encrypt/decrypt files more than one would trust Google in the first place.

Not sure I agree: Google simply does not encrypt, so performing an encryption with third party software provides very real, tangible security which Google does not offer out of the box.

There are many options to encrypt uploaded files such as Boxcrypt and Armor for Google Drive or even using classic 7zip encrypted files.

You could also try alternative services that provide encrypted cloud storage such as Wuala.

user3244085
  • 1,173
  • 6
  • 13
  • But it stores the files on it's servers using very high grade encryption, right? – Pranav Jituri Mar 12 '14 at 07:45
  • There was some mention of Google starting to store all data encrypted in the coming months somewhere after Snowden in 2013 (coincidental timing I'm sure) but I'm not sure what protection it offers: Google maintains the keys and as soon as you are logged into Google Drive decryption happens on the fly. In most scenarions a file on Google drive needs to be encrypted while have an "open" google drive itself. Not to mention possible governments access to Google Drive regardless of the encryption Google uses itself. – user3244085 Mar 12 '14 at 07:49
  • Good discussion. If you were to use one of those mentioned services such as Boxcrypt then your unencrypted files will be passing right through there servers. I see no reason to trust Boxcrypt anymore than Google? – Celeritas Mar 12 '14 at 08:01
  • @Celeritas :- I first included the Boxcrypt only but then changed it because I read later that Data will be passing through their servers. – Pranav Jituri Mar 12 '14 at 08:05
  • I agree and would personally never use those services for truly confidential data, but for the scenario in the question it should suffice: files are encrypted on your Google Drive. – user3244085 Mar 12 '14 at 08:05
  • Didn't realize you were also the question asker so obviously I am wrong: your scenario does need better trust than Boxcrypt would give. Which leaves Google drive alternatives such as Wuala or encrypted zip files imo, no open source solutions available that would keep the auto save r similar Google Drive functions or not require specific encryption tools to be installed – user3244085 Mar 12 '14 at 08:38
  • 1
    @PranavJituri Boxcryptor does not transfer the files trough their servers. That would be absurdly high bandwidth costs for them. But if you want to be sure, use OpenSource Software like [EncFS MP](http://encfsmp.sourceforge.net/) or [Safe](http://www.getsafe.org/) – Josef Oct 13 '15 at 07:19
  • @Josef - Source? – Pranav Jituri Oct 13 '15 at 17:21
  • 1
    @PranavJituri common sense and https://www.boxcryptor.com/en/technical-overview – Josef Oct 13 '15 at 17:25
  • @Josef - +1 .You might be right that BoxCryptor does not transfer the data. How about this? https://www.boxcryptor.com/en/technical-overview#anc05 Although, there is a possibility that they might maintain a master key for everyone... – Pranav Jituri Oct 13 '15 at 18:15
  • @PranavJituri every Closed-Source program can do that. If you don't trust them, use Open-Source software where you checked the source code yourself for backdoors! – Josef Oct 14 '15 at 06:10
  • This discussion is not necessary: It's either zero-knowledge, or it's not secure. It's not how trusted a company is - companies can be hacked. The only way to secure your data is if no third party can actually access your data. That's the concept of zero knowledge. Your data is encrypted on the servers and the private key to unlock it lives on your personal computer and never goes out into the internet. – n13 Oct 15 '15 at 01:35
  • @n13 even if a company tells you it's zero-knowledge and you trust them and it is even true: If the software is closed, it could contain a function to mail all your data in plaintext to the mossad after the 20th of november 2015. – Josef Oct 15 '15 at 06:33
0

SpiderOak.com does what you want. It uses your login password to strongly encrypt all data before it's uploaded. So you get client side encryption and portability. As any client can access the data so as long as you enter the password.

Google Drive now provides encryption but it seems the keys lie with Google. So this is Google taking control of your data. Personally, I'd rather take control of my own data.

n13
  • 101
  • 2
  • 1
    But if you use your browser to decrypt files, they get your key and it is not more secure than google drive (they warn you every time you try to access your files in the browser). And if you install the client on a library computer (if you even can), you just hand out your key to anyone who uses that library computer too. – Josef Oct 13 '15 at 07:21
  • Fair point. Don't log in with your browser. Logging in with the browser sends your password over the internet, destroying the zero knowledge promise. – n13 Oct 15 '15 at 01:32