Security Considerations when Storing Documents with TrueCrypt in Dropbox


I am considering moving my default documents folder to Dropbox. These also contain scanned letters and important information relating to contracts, bills, and so on. I will encrypt those with TrueCrypt.

Are there any other security implications I need to take into account? If my Dropbox is compromised, then how secure will the encrypted documents be (provided they don't know the password)? Are they safe, and is there anything I could do to further increase their security?

I heard that TrueCrypt can have both a password and a 'key file'. Both would be required to unlock the store. I could keep this file on my computer and on a portable key, and not on Dropbox. Is this possible? I imagine it would massively increase the security.

Basically: What should I take into account when encrypting my documents, what settings should I use, should I use a key file, and how secure is the encryption should my Dropbox be compromised?

Damien

Posted 2011-06-30T10:09:52.363



I think this is definitely worth considering if you have documents that are personal etc. Dropbox left the system open a little while back so you did not need a password.

– slotishtype – 2011-06-30T10:25:08.823

Dropbox is not a secure system - it never was, it never tried to be. You should take exactly the same precautions with Dropbox as you would with any other method of moving files. Encrypt well, keep your keys safe, and keep your passwords long. Whether your files are compromised through Dropbox, a stolen USB drive, or a compromised PC makes no difference, so treat it all in the same way. – Phoshi – 2011-06-30T10:29:45.483

@Phoshi - Indeed. As I mentioned, I shall be encrypting the sensitive documents, but I am wondering if this is enough - simply encrypting - or if I should take additional precautions such as using a key file. – Damien – 2011-06-30T13:25:57.090

That sounds reasonably secure to me. You could use hidden volumes for slightly more insane 'security'. The thing is, at the end of the day, if you can get the data out, then it's possible for the data to be decrypted by a person with sufficient skill. Though I think a nice password and a key file are going to be pretty decent, particularly if you pick a good encryption algorithm. Keep in mind you'll want to download the TrueCrypt volumes before opening them, else you could end up transmitting the decrypted version over the net anyway. – James T Snell – 2011-06-30T16:08:51.930

Answers


Yes - assume Dropbox is an open, insecure system. What would you normally do with your data on an insecure system?

If you have very sensitive data, you will want to use strong encryption. One of the upsides of TrueCrypt or similar is that the passphrase/key/whatever never needs to be visible to Dropbox, which means that an attacker can't do anything useful with your encrypted data unless they also compromise your home machine.

You can use a key file if you want - but to be honest, using a long passphrase can secure the data to a level which requires an unfeasible timespan to break, so it should be all you would need.

Once the encryption is above a certain strength, an attacker is forced to use the xkcd approach.

(Admittedly the thresholds vary dramatically depending on what data you have, what kind of a target you are, what threat actors want to attack you, etc., but if you use TrueCrypt with a currently approved strong encryption algorithm such as AES, with a passphrase of 20 characters, you will be well protected from a brute-force attack on your encrypted data on Dropbox.)

Rory Alsop



Cheers. I take it all the methods in TrueCrypt are secure? I am using AES-Twofish. Also, what's magical about the 20 characters? Why not 19 or 21? Thanks! – Damien – 2011-07-06T18:06:20.050

Nothing magical - even 15 is considered pretty strong, but I am a security bod, so I always add a bit of safety :-) – Rory Alsop – 2011-07-06T18:07:20.127

AES-Twofish is also considered strong, and the TrueCrypt implementation appears to stand up to scrutiny (which is the only way to measure these things in practice). – Rory Alsop – 2011-07-06T18:07:59.533

Many thanks. I thought that at '20' it used a different method as it had enough characters or something. Cheers. – Damien – 2011-07-06T19:42:08.703
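The answer's "20 characters, nothing magical about it" and the follow-up question about 19 vs 21 come down to a simple arithmetic point: a passphrase contributes log2(alphabet size) bits per character, and once that total exceeds the cipher's key size (256 bits for AES, and for each cipher in an AES-Twofish cascade) extra characters buy nothing, because the attacker would sooner brute-force the key itself. The script below is an added worked example, not code from the thread or from TrueCrypt; the character-set sizes, the attacker guess rates and the 256-bit cap are assumptions chosen for illustration, and it deliberately does not reproduce TrueCrypt's own key-file mixing, only treats a key file's random bytes as extra entropy added to the passphrase. The "guesses per second" figure is the attacker's rate after the header's key-stretching (PBKDF2) has already been paid for each guess.

```python
import math

# Assumed character classes for a passphrase; TrueCrypt itself imposes no such classes.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_alnum": 62,
    "printable_ascii": 95,
}

# Key size that bounds the useful entropy of passphrase + key file (assumption: AES-256,
# and one 256-bit key per cipher in a cascade such as AES-Twofish).
AES_KEY_BITS = 256

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(length, charset="mixed_alnum"):
    """Entropy in bits of a passphrase of `length` characters chosen uniformly at random
    from `charset`. A human-chosen passphrase is weaker than this; the figure is an upper bound."""
    if length < 0:
        raise ValueError("length must be non-negative")
    return length * math.log2(CHARSETS[charset])


def keyfile_bits(random_bytes):
    """Entropy contributed by a key file made of `random_bytes` truly random bytes
    (e.g. from /dev/urandom). Simplification: real TrueCrypt key-file handling is not modelled."""
    if random_bytes < 0:
        raise ValueError("random_bytes must be non-negative")
    return 8 * random_bytes


def effective_key_bits(pp_bits, kf_bits=0.0, key_bits=AES_KEY_BITS):
    """Entropy an attacker must actually search: the passphrase plus key file,
    capped by the cipher key size. Beyond the cap, longer passphrases add nothing."""
    return min(pp_bits + kf_bits, key_bits)


def expected_crack_years(bits, guesses_per_second):
    """Expected time to brute-force a secret of `bits` bits of entropy at the given rate.
    The expected search covers half the space; `guesses_per_second` already accounts
    for the per-guess cost of the volume header's key derivation."""
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    expected_guesses = 2.0 ** bits / 2.0
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_lengths(lengths, charset="mixed_alnum", guesses_per_second=1e12):
    """Table of (length -> (bits, years to crack)) so 15, 19, 20 and 21 can be compared
    directly. 1e12 guesses/s is an assumed, generous attacker, not a measured figure."""
    table = {}
    for n in lengths:
        bits = effective_key_bits(passphrase_bits(n, charset))
        table[n] = (bits, expected_crack_years(bits, guesses_per_second))
    return table


if __name__ == "__main__":
    for n, (bits, years) in compare_lengths([8, 12, 15, 19, 20, 21, 50]).items():
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{years:.3g} years at 1e12 guesses/s")
    # A short passphrase plus a 32-byte random key file kept off Dropbox already
    # saturates a 256-bit key, which is the real argument for a key file.
    print("12 chars + 32-byte key file:",
          effective_key_bits(passphrase_bits(12), keyfile_bits(32)), "bits")
```

Running it shows why the thread's numbers are not thresholds: each character of a mixed alphanumeric passphrase adds about 5.95 bits, so 15 characters is roughly 89 bits and 20 is roughly 119, and the crack-time estimate grows by the same factor of 62 per character with no step change at 20. The one genuine boundary is the 256-bit key size, reached at about 43 random alphanumeric characters, after which the key file or extra length stops mattering to a brute-force attacker.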