Cloud storage is easy to come by. Dozens of services shovel tons of free space to you just for signing up. But which of those services are looking at the files you upload, and most importantly, which services encrypt your personal data so no one can look at it? Let’s take a look.
You already know why you should care about your privacy, even if you think you have nothing to hide. Privacy is even more important when it comes to cloud storage. You trust the service you sign up for to keep your files safe and secure and away from prying eyes. Whether you use your cloud storage for music, tax returns, or backups, it’s still important to know that your provider isn’t rifling through your files to make sure the music isn’t pirated. If their servers ever get hacked, you want to know your tax returns and financial documents are safe.
Cloud Storage Services with Encryption Rolled In
Encryption works. Whether you want to protect your documents from potential identity thieves, want your files locked down in case your laptop or phone is lost or stolen, or you’re concerned about the whole NSA spying scandal, encrypting them is the only way to make sure you’re the only one with access to them. That is, without a ton of effort, anyway. Here are some of the services that have encryption built into their technology.
SpiderOak starts you off with 2GB for free, with more storage available at $10/mo for each additional 100GByou need. All of your files are encrypted locally on your computer, and then uploaded to SpiderOak’s servers, and any changes you make to your files and folders are synced with the local decrypted versions before being secured and uploaded.
In the past, SpiderOak limited its remote access and syncing options, but SpiderOak Hive, their new syncing service, along with their iOS and Android apps let you take your encrypted files on the go. The encryption and decryption process still takes place locally, but the only thing that’s stored on SpiderOak’s servers are your password, so they can authenticate you and direct you to the right files. When your remote session is over, they destroy your password, so you can be comfortable that you’re the only person who can access your files. If you’re looking for a secure option that stores your files in an encrypted form but doesn’t sacrifice usability, SpiderOak is definitely worth a look.
SpiderOak uses a combination of 2048 bit RSA and 256 bit AES to encrypt your files. According to SpiderOak:
Most importantly, however, the outer level keys are never stored plaintext on the SpiderOak server. They are encrypted with 256 bit AES, using a key created by the key derivation/strengthening algorithm PBKDF2 (using sha256), with 16384 rounds, and 32 bytes of random data (“salt”). This approach prevents brute force and pre-computation or database attacks against the key. This means that a user who knows her password, can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is quite unreadable.
Wuala encrypts your files locally, and then uploads them to the cloud for safe keeping. You start with 5GB for free, and after that it’s $4/mo for 20GB, $7/mo for 50GB, or $12/mo for 100GB. Like SpiderOak, Wuala handles encryption and decryption locally using a password you set, so no one can access your files.
Furthermore, Wuala uploads different segments of your files to different servers, so they can’t even identify what data belongs to which users. Your password is never transmitted anywhere, and again, this means that if you forget it and don’t have unencrypted versions of your files locally, you’re out of luck. You don’t sacrifice features to get this level of security though. Wuala offers file versioning, cross-computer syncing, and mobile apps to help you keep working when you’re on multiple computers or away from your desk.
In order to give you access to your files on the go (and in order to share files with others) Wuala does have to make some compromises in the security department. They’re not much deeper than
SpiderOak’s, but they’re similar—when you share a file with someone, the file is unencrypted so they can access it without your password. If you put files in your public folder, they’re definitely unencrypted. When you sync and access your files on mobile devices, your password is required in order to encrypt and decrypt your files, and Wuala uses it to make sure you are who you say you are. The decryption process still takes place locally, but Wuala does—temporarily—have your password.
Wuala uses AES- 256 for encryption, RSA 2048 for signatures and for key exchange when sharing folders, and SHA-256 for integrity checks. You can read more about their approach to security here and here.
Tresorit is new to the encrypted storage game, but they’re worth checking out if you find the other services a little too cumbersome. Signing up with Tresorit nets you 5GB for free. They’re experimenting with plans that offer an additional 100GB, but you can sign up to be notified when those plans are available.
Like other encrypted cloud storage services, all encryption takes place locally on your computer. This means that no one can decrypt those files without your password—including Tresorit employees. Tresorit only supports Windows at the moment, and offers no mobile apps, but their Windows utility is very user friendly and a bit easier to get your arms around than some of the other tools that are bit more complicated to use (but offer more features). One place Tresorit shines (and has a lot of potential) is in sharing encrypted files. You can share files and grant specific permissions to users you specify, but those files are still encrypted until they download and open them.
As for their encryption technologies, Tresorit encrypts all files with AES-256 before they’re uploaded. Beyond that, they note:
Additional security is provided before upload by HMAC message authentication codes applied on SHA-512 hashes. Encrypted files are uploaded to the cloud using TLS-protected channels.
Mega is the brainchild of former Megaupload mogul Kim Dotcom. Signing up for a free account gets you 50GB of space. Pro accounts come in different sizes, including 9.99 € (~$13)/mo or 99.99 € (~$130)/yr for 500GB and go all the way up to 4TB. Unlike the other services, there are no desktop apps, no syncing, and no mobile apps. Everything happens in your web browser.
When you sign up, you choose a password and Mega generates the keys used to encrypt and decrypt your data. Files are encrypted before they’re uploaded and decrypted after download by your web browser. Those encrypted files are then transferred via SSL. However, Mega’s encryption is user controlled (UCE), meaning that your password is king. Accounts with no files or folders can reset their password, but once you upload data, losing your password means you lose access to your files. Not everything with Mega is encrypted however. Your files and folders are, but unlike other services, your folder structure and file ownership details aren’t, and Mega can access them (although they can’t see or access the files inside). You can read more about those limitations here. From an encryption standpoint, Mega says:
For bulk transfers, AES-128 (we believe that the higher CPU utilization of AES-192 and AES-256 outweighs the theoretical security benefit, at least until the advent of quantum computers). Post-download integrity checking is done through a chunked variation of CCM, which is less efficient than OCB, but not encumbered by patents.
An important thing to remember about Mega is that while they offer a lot of storage and make some big privacy promises (and they say mobile apps and desktop tools are on the way soon), their encryption is actually weaker and less robust than many of the other cloud storage options available. They draw a line between security, speed, and massive storage.
If you’re the type who believes a little “security through obscurity” frosting is good on top of your encryption cake, note that Mega is under heavy scrutiny just by virtue of the fact that Kim Dotcom is the man behind it. Also, Ars Technica reported Mega’s encryption methodolgy leaves much to be desired shortly after it launched. Mega offered a bounty to anyone who could crack them, and multiple vulnerabilities were found. There’s even an app specifically for cracking Mega passwords. However, the service promises improvements are on the way. For the time being though, if you want speed and flexibility and tons of storage, take a look. If you want real, solid encryption and security, hang tight until those updates come.
The Cloud Storage Services that Don’t Value Your Privacy
You may have noticed that some of the big names in cloud storage aren’t listed above. That’s not because they’re insecure, or because they don’t care about your privacy, it’s just because they don’t offer the same tools or privacy promises that the above do. In the worst case, it’s because they actually say outright that they scan your files for content they deem “inappropriate.”
On the other end of the spectrum, Microsoft’s SkyDrive has regularly come under scrutiny by privacy advocates. Microsoft is known to scan its users’ files, sometimes with disastrous results. In 2011, a German photographer had his Microsoft accounts restricted because Microsoft deemed some of his professional work “questionable.” Another user had his accounts closed even though the content he had stored was in a private folder, accessible only to him. SkyDrive isn’t alone here. Apple reserves the right to scan your files stored in iCloud for illegal or malicious content as well.
The services we’ve highlighted have similar privacy policies (which you should read before signing up). They’ll respond to subpoenas and court orders, but because of the way your data is stored and encrypted, most of them don’t even know where your data is on their servers, much less how to decrypt it, so they physically can’t give it to someone who comes asking for it.
Remember, You Can Always Do It Yourself
When we highlighted the five best cloud storage services, many of your choices were based on how much storage you could get (usually more than the free plans above) and how tightly those services integrated with other services you use. With some of the above options, syncing can be slow because your files have to be encrypted before uploading, decrypted after downloading, and secure connections have to be established. If you want speed and tons of storage along with security and encryption, you can have it by using a third party tool to encrypt your data locally.
For example, we’ve shown you how to encrypt your Dropbox files with encrypted ZIP archives, or by usingTrueCrypt, Boxcryptor, or Viivo (formerly SecretSync). Since then, even more tools to keep your cloud data safe have emerged, like CryptSync, which is compatible with Dropbox, Google Drive, SkyDrive, and others.
Finally, don’t forget that the most secure cloud storage solution is the one that you have complete control over. Like we said above, Mega sounded great until researchers highlighted its vulnerabilities. The other services could have vulnerabilities too, but they’re not under the same scrutiny. Using cloud storage inherently means giving your files—encrypted or otherwise—to someone else. If you want to keep them close but still access them everywhere, you can always use a large hard drive or a NAS and roll your own syncing cloud service with OwnCloud. You could even power it with a Raspberry Pi and keep the overhead low.
Whatever you do, make sure to take your security and privacy into consideration before you upload to the cloud. You don’t have to give up convenient access to your files anywhere you go to protect your privacy. You just have to choose the right cloud storage provider—or take matters into your own hands.