Syncing a cloud drive to an encrypted virtual drive (BitLocker Edition)

Administrative Notes:

As you might know, on May 28, 2014, the open source TrueCrypt project was abandoned. So, it is recommended that people find some other solution for drive encryption. For me, this meant transitioning my approach for securing my cloud drive storage to a new technology.

The Problem:
Imagine your laptop is stolen.

That’s bad! But what’s worse is that you have OneDrive, Google Drive, DropBox, Copy, etc – all syncing ALL of your files to C:\Users\Person\Documents for example. “But you’d have to know my Windows password!”, you exclaim. No, I can pull the hard drive from your laptop, hook it up to a second system and now I can see ALL of your files from ALL of those synced cloud drive locations.

Yikes. That is really, really bad!

A Solution:
What if you had a virtual hard drive which was only mounted while you were logged in, AND you needed a password to unlock it? Now imagine if THAT is where all of your cloud drives sync their data!

Now, if I pull your actual hard drive, I might run across your encrypted, virtual “drive” on your C: drive somewhere, but if I tried to mount it, I’d need to have the password. This is much better. Not only is your data not immediately available to the thief; even if they do find your virtual hard drive file, they would still need to break into it – which is difficult to almost impossible.

How to do it:
I previously wrote about how to do this with TrueCrypt. However, with that product going away, here is how you can achieve nearly the same thing using BitLocker, which is a built-in feature in Windows (Pro and Enterprise editions).

STEP 1: Create a Virtual Hard Drive (VHD)
A VHD is a file that you store on your hard drive, with a .vhd or .vhdx file extension, which can be mounted to a drive letter. For example, you can create C:\Data\Test.vhd and mount that to your G: drive. When you read and write data to this virtual G: drive, it’s actually reading/writing data to the C:\Data\Test.vhd file, behind the scenes.

So, we want to create a VHD big enough to store all the data that is stored on our cloud drives. To do this, right-click on My Computer and choose Manage:

Within this Computer Management app, navigate to the Storage > Disk Management node. Right-click on it and choose “Create VHD”:

You will be presented with some options. The main things are: where do you want to store the virtual drive, and how big should it be:

When you click OK, the window goes away and the only indication that something is happening is down in the status bar (I didn’t see this, at first):

Once complete, this drive will now show up as an uninitialized disk – similar to if you added a physical, unformatted disk to your computer:

Right-click on the drive to initialize it:

For our purposes, you can choose either partition-table format – but note that older versions of Windows don’t support GPT. So, if you will ever need to move this VHD to another computer on an older version of Windows, you may want to choose MBR. Either will work in Windows 8.x though.

Once you click OK, right-click on the unallocated disk and create a simple volume:

and just follow the Wizard:

When you click Finish, you should see your newly-created VHD, mounted to a drive letter and ready to use:

STEP 2: Enable BitLocker on this new disk
You can do this a couple of ways. First, you can go into Control Panel and manage BitLocker from there:

Or, perhaps the simpler way is to simply right-click on the new drive letter, T: in my case, and launch BitLocker from there:

This brings up a prompt for how you want to secure this drive. At the very least, set a password – or ideally, if you have a smart card, you can use that too:

WARNING: This is the password that will allow someone access to your drive which has all of your private files. This is not the time to use “password” or “fido1234”. This should be a good, strong password. If you need help figuring out a good one – take a look at this article on creating good passwords.

When you click next, you MUST use one of the following options for establishing a recovery key. If you ever forget your password, this will be the only other way to unlock the drive.

Arguably, for the purposes of what we are doing here, it doesn’t matter if we lose access, because it’s simply holding an offline version of what is on our cloud drives. Also, again, this recovery key should be kept extremely secure too – because a thief/attacker can gain access to your virtual drive with it!

After you choose a mechanism for your recovery key, click Next:

You now have a secure drive that requires a password and/or a smart card to gain access.
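For readers who would rather script Steps 1 and 2 than click through Disk Management and the BitLocker wizard, here is an added example (not from the original post) that creates the VHD with diskpart, partitions and formats it, and then turns on BitLocker with a password protector plus a recovery password. It assumes an elevated PowerShell session on Windows 8.x Pro/Enterprise with the built-in Storage and BitLocker modules; the file path, size, drive letter T: and the recovery-key destination are placeholders.

```powershell
# Added example, not code from the original post. Assumes Windows 8.x Pro/Enterprise,
# an elevated PowerShell session, and the Storage + BitLocker modules that ship with it.
#Requires -RunAsAdministrator

$VhdPath        = 'C:\Data\CloudSync.vhdx'      # placeholder: where the virtual drive file lives
$SizeMB         = 20480                          # placeholder: big enough for all cloud sync folders
$DriveLetter    = 'T'                            # the post uses T:
$RecoveryKeyOut = 'E:\CloudSync-RecoveryKey.txt' # placeholder: a removable drive, NOT this laptop

# STEP 1: create the VHD. diskpart is used because New-VHD needs the Hyper-V module.
$dpScript = Join-Path $env:TEMP 'create-vhd.txt'
"create vdisk file=`"$VhdPath`" maximum=$SizeMB type=expandable" | Set-Content -Path $dpScript
diskpart /s $dpScript | Out-Null
Remove-Item $dpScript

# Attach it and treat it like any new, uninitialized disk: MBR keeps it usable on older Windows.
$disk = Mount-DiskImage -ImagePath $VhdPath -PassThru | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle MBR
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter
Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'CloudSync' -Confirm:$false | Out-Null

$mount = "${DriveLetter}:"

# STEP 2: enable BitLocker with a password protector. The password is prompted for,
# never written into the script, and AES-256 is chosen explicitly.
$password = Read-Host -AsSecureString "BitLocker password for $mount"
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $password `
    -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

# Add a recovery password protector: the only other way in if the password is forgotten,
# so it must leave this machine (the post's warning applies to it just as much as to the password).
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -ExpandProperty RecoveryPassword
$recovery | Set-Content -Path $RecoveryKeyOut
Write-Host "Recovery password saved to $RecoveryKeyOut. Keep that drive offline and somewhere safe."

# Confirm the result before trusting the drive with anything.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

The final `Get-BitLockerVolume` line is the check worth keeping: `ProtectionStatus` should read `On` and the `KeyProtector` list should show both a `Password` and a `RecoveryPassword` entry. If either is missing, the drive is mounted but not yet protected the way the post intends.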

STEP 3: Move your cloud storage folders to the new drive letter
Now that my T: drive is up and running, I need to move my SkyDrive, DropBox, Google Drive, Copy, etc – so that the sync folder is on my T: drive. There are typically two ways you can do this.

First, if you right-click on the cloud storage folder, you may have a “Location” tab like the following:

If you do, you simply click the “Move” button and that will properly move the sync folder location.

Alternatively, in the System Tray, you can right-click on the icon for your cloud storage, then click and choose options/settings/preferences:

and in those screens, there is an option to move the sync folder location:

The whole idea here being that OneDrive, Copy, Google Drive, Dropbox, etc – will now all have their sync folder on T: (in my case), which is my BitLocker-protected virtual drive.

STEP 4: Turn off the cloud storage clients’ ability to “Start with Windows”
One important thing to understand is that your virtual hard drive will NOT be mounted automatically when you reboot your computer. When I restart, my T: drive will not be there (yet). So, it’s important to go into the cloud storage client settings/preferences and turn off the “Start with Windows” option.

Why?

When that is left turned-on, most of the clients “freak out” that the T: drive isn’t there – and want you to go through a wizard to point to a new location. Instead, if that option is turned off, you can mount the drive, then launch the clients, and they just work per normal. They have no idea that the T: wasn’t there a minute ago!

So, the purpose here is to reduce the number of errors you’ll get, and buttons you’ll have to click.

STEP 5: Startup/Login procedures going forward
As mentioned in Step 4, the T: drive will not be automatically mounted whenever you reboot the computer. So, how do you mount it? That’s actually easy – you can either right-click in Windows Explorer on the VHD that is on your hard drive and choose Mount:

Or you can simply double-click the VHD file in Windows Explorer. Either way, you’ll see a toast notification in the top-right of your screen:

Click it, and put in your password – or enter the recovery key:

Now that your encrypted, virtual drive is mounted and available – just hit the Windows Key and type: dropbox, one drive, copy, etc – to launch the sync clients for each of the cloud storage providers that you use.

Going forward, you only have to do this one step when you first log in, and in exchange for that – you can feel pretty secure that your cloud storage sync folders won’t be compromised if your computer is ever lost or stolen.
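The Step 5 routine (mount the VHD, unlock it, then start the sync clients) is a good candidate for a single script you run after logging in. The following is an added example, not code from the original post; it assumes Windows 8.x with the Storage and BitLocker modules, and the VHD path, the T: drive letter and the sync-client executable paths are placeholders to adjust. It also encodes the reason behind Step 4: the sync clients are only started once the drive is confirmed unlocked and protected, so they never see a missing T: and never prompt to re-point their folders.

```powershell
# Added example, not code from the original post. Assumes Windows 8.x with the built-in
# Storage and BitLocker modules. Paths and the T: drive letter are placeholders.
$VhdPath = 'C:\Data\CloudSync.vhdx'   # placeholder: the encrypted VHD created in Steps 1-2
$Mount   = 'T:'
$SyncClients = @(                      # placeholder paths: point these at your installed clients
    "$env:APPDATA\Dropbox\bin\Dropbox.exe",
    "${env:ProgramFiles}\Google\Drive\googledrivesync.exe"
)

# 1. Attach the VHD (the same thing as double-clicking the file in Explorer).
Mount-DiskImage -ImagePath $VhdPath -ErrorAction Stop | Out-Null

# 2. Unlock it with the BitLocker password. A mistyped password gets a retry rather than
#    aborting the whole routine; after three failures the drive simply stays locked.
$vol = Get-BitLockerVolume -MountPoint $Mount -ErrorAction Stop
if ($vol.LockStatus -eq 'Locked') {
    for ($attempt = 1; $attempt -le 3; $attempt++) {
        $pw = Read-Host -AsSecureString "BitLocker password for $Mount (attempt $attempt of 3)"
        try {
            Unlock-BitLocker -MountPoint $Mount -Password $pw -ErrorAction Stop | Out-Null
            break
        } catch {
            Write-Warning "Unlock failed: $($_.Exception.Message)"
        }
    }
}

# 3. Verify before starting anything that depends on the drive. This is the Step 4 problem
#    handled explicitly: a client started against a missing or locked T: will "freak out"
#    and ask for a new sync folder, so refuse to start them unless the drive is really ready.
$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.LockStatus -ne 'Unlocked' -or $vol.ProtectionStatus -ne 'On') {
    Write-Error ("{0} is not ready (LockStatus={1}, ProtectionStatus={2}); not starting sync clients." `
        -f $Mount, $vol.LockStatus, $vol.ProtectionStatus)
    return
}

# 4. Start each sync client, the scripted equivalent of "hit the Windows key and type dropbox".
foreach ($exe in $SyncClients) {
    if (Test-Path $exe) {
        Start-Process -FilePath $exe
    } else {
        Write-Warning "Sync client not found at $exe (check the placeholder path)."
    }
}
```

Checking `ProtectionStatus` as well as `LockStatus` matters: a volume can be unlocked while protection is suspended, and in that state the clients would happily sync into a drive that no longer does what Step 2 set up.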

16 comments on “Syncing a cloud drive to an encrypted virtual drive (BitLocker Edition)”
  1. […] Syncing a cloud drive to an encrypted virtual drive (BitLocker Edition) […]

  2. […] Syncing a cloud drive to an encrypted virtual drive (BitLocker Edition) […]

  3. Rich Meyer says:

    Note for users of versions of Windows that lack BitLocker: if you have access to a Windows Pro or Enterprise machine to create a BitLocker encrypted Virtual Hard Drive, you can then mount and use that vhd file on a lower version of Windows indefinitely. You will have no further need to access the first machine after you create and encrypt.

    • Rich Meyer says:

      Note also that moving your cloud provider’s sync location inside the encrypted VHD only encrypts your local copies of the files. The cloud provider still has access to the unencrypted files just as you see them in your mounted drive view.

      If you want “trust no one” encryption, you can store the .vhd file inside one of your cloud provider’s folders. That way, all the cloud provider has is a binary encrypted blob, to which they do not know the password. However, there are at least 2 problems with this approach. (1) Some/most cloud providers will upload the entire .vhd file if anything inside changed (DropBox, I believe, being an exception, as I read that they implement block level backup). (2) As far as I know, you cannot keep the local drive mounted while cloud backup is active… either the file system or the cloud provider may complain that the file is locked, or barring that then local changes might corrupt the backup integrity.

      • Robert Seder says:

        Rich,

        Good point. I didn’t mention this because I found that to be exactly the case. First, most providers don’t allow a file larger than 2GB. That means your .vhd couldn’t be bigger than 2GB. Even if that was OK, the cloud storage provider won’t sync while the file is locked, so you would only have a backup if you explicitly unmounted the drive and let the cloud provider sync it.

        There is no great solution. I did a series of blog posts about creating your own cloud storage with OwnCloud, hosted on a Raspberry Pi that you own and have at your house (or potentially your friends house, for live, offsite storage). See here: https://blog.robseder.com/?s=owncloud

        -Rob

  4. Rich Meyer says:

    Thank you, Rob! I will check out OwnCloud.

    Apparently, DropBox now has a 10Gb file size limit, and Microsoft has announced plans to match that in OneDrive consumer and business. That is sufficient for backing up my development folder.

    I may experiment with DropBox. If a brief VHD dismount is long enough to allow them to sync minor changes within the encrypted virtual drive, then that would confirm they use block-level backup, and it might not be a bad quick-and-dirty approach. As long as one remembers to dismount periodically after making changes, that is.

    – Rich

    • Robert Seder says:

      When you say development folder – if you mean source code, put it in a version control system! Both http://www.bitbucket.org and http://tfs.visualstudio.com offer free, unlimited PRIVATE repositories (unlike github). So, you can set every project you have up as a separate project, and you know it’s backed-up, offsite. Just a thought!

      • Rich Meyer says:

        Thanks Rob. Yes, for example, my local laptop clone of my company’s project Git repository. Company proprietary code, which is not allowed to leave the LAN or the building unencrypted.

  5. Matrix says:

    Robert,
    Great tutorial. I want to store my passport, mortgage papers, etc… in my Google drive as an AES encrypted data. All together these document scans amount to at most 150 Megabytes. Is it possible to create a VHD file with a size of 150MB and then convert this VHD file to an ISO file and then just upload the ISO file to my Google Drive? Then if my house burns down I mount the ISO file using Daemon Tools and use Bitlocker to view the files. Do you think this will work?

    • Robert Seder says:

      Maybe, but it might be dangerous. You can simply copy the .vhd, no need to make an .iso. You can encrypt the .vhd with BitLocker too.

      As far as why it might be “dangerous”, if you are using the “sync” applications, those apps monitor the local file system looking for changes, and then start syncing. So first, it will keep erroring out while the .vhd is in use. Then, once you dismount the drive, it will hopefully start to sync. If anything goes wrong, especially with a big file doing a low-priority sync, it could potentially corrupt the copy you have up on the file share.

      Then, let’s say you didn’t know that happened, rebooted your computer – it starts up, the sync application starts and copies down the “newer”, corrupted file locally – overwriting your only working copy of the .vhd.

      So, I wouldn’t trust it, for all of the cloud storage providers – those “sync” applications are far from robust. In your scenario, I’d recommend an offsite OwnCloud installation (do a search on this blog for OwnCloud, I cover that in detail). Or, just simply have a script which saves all of your critical data to portable USB or thumb drives. You can protect those too with BitLocker and then take them offsite. I hope that helps.

  6. Matrix says:

    Robert,
    Thanks for your post and merry Xmas. Just to confirm if I understand you correctly. I can create a 100MB VHD and use Microsoft Bitlocker to encrypt my VHD containing scans of important documents and then upload my encrypted VHD to Google Drive a single time as an offsite backup? I say “single time” because I don’t think “syncing” is necessary in my scenario. In addition, does Google Drive allow encrypted VHD file uploads? One would think they do not allow it since they will not be able to peek into such a file for the advertising customizing they perform using your data.

    If your answer is they allow encrypted VHD file uploads it would be awesome. Because I would be able to have an offsite encrypted VHD backup on my Google Drive. I also have two other offsite backups using USB flash drives I partitioned as encrypted VHD’s using Bitlocker. I think with three such offsite backups I can sleep nicely ensured my important documents are secure.

    BTW, I read your OwnCloud tutorials. I think it’s a real worthwhile project for those wanting their own private cloud. However, in my scenario, it’s more than I’m willing to take on right now. My only real goal is to figure out a way to backup my 100MB encrypted VHD in Google Drive as a secure single time offsite backup.

  7. […] maintaining full compatibility with most of the commercially available cloud services. Other, more home-grown solutions might not work correctly, because a file encrypted locally and then synchronized to […]

  8. andrew says:

    Interesting explanations, but I am missing some core understanding on this topic relating to Bitlocker, it’s new to me, so I ask for your clarifications please.

    I assumed that if my whole data drive is encrypted with Bitlocker and within that same data drive reside my local copies of Dropbox and Onedrive folders that all the files on those two folders will also be encrypted by default of them being within the encrypted drive. After having read this, I am not so sure now. How could these folders be exposed to thieves if they are on an encrypted stolen drive?

    If my assumption is correct then the encrypted files in my local Dropbox and Onedrive folders are then synced with the cloud locations. Initially I assumed that in the same way that if I store zip encrypted files on my local Onedrive folder when it then gets synced, it’s simply the encrypted version of the files that will also then reside on the cloud storage. But now I am not sure that’s the way BL works and I suspect that files may get decrypted on the fly as they leave the PC?

    Any help much appreciated, need to urgently find a solution.

    • Robert Seder says:

      In short, I don’t know. I don’t really get the purpose of using BitLocker WITHOUT a password – which is how most people do it. At that point, your Windows login is the only thing stopping an attacker from getting at your files. With this approach, first – it’s not obvious to a would-be attacker that you have a “secret”, virtual BitLocker drive – so they’d need to figure that out AND break your BitLocker password.

      As far as storing encrypted .zip’s – I went down that path and got burned. EVERY cloud storage provider (Copy, Sync, Dropbox, Google Drive, OneDrive, etc) – eventually corrupted my .zip file if it synced while I had files open from the .zip. So again, this approach is ONE approach to solve all of this, and it is what works for me. There might be better ways to do it, out there. Good luck!

      • Andrew says:

        Thanks for that, it’s clarified a few things but my quest goes on to find the best encryption solution across my laptop and external drives. It may be simplest with BL conceptually, but I fear getting it wrong in terms of cloud storage, especially the versioning issues you mention. To overcome that I might even dare to upgrade to Onedrive business version which apparently stores encrypted.

        My biggest concern though is doing a windows backup to a drive encrypted with BL then if the main drive fails or is stolen not being able to recover from the BL external drive…perhaps the obvious answer is to do the win backup on a completely separate and unencrypted drive.

        Oh well, I’ll work it out sooner or later!

      • Robert Seder says:

        For what it’s worth, it sounds like you have several concerns – which might all be addressed differently. First, you want to protect your data from unauthorized viewers (like: a thief, a vendor who steals and sells your data, governments). Next, you need a way to backup where the backup is equally protected.

        Using Bitlocker on all of your hard drives WITH a very solid password would take care of that. I mean, I’m pretty sure the NSA is in bed with Microsoft, so they could probably break that encryption, but it’s supposedly very strong encryption (particularly with an additional password). Next, I would take JUST the files you need to backup and use an end-to-end encryption cloud storage provider. For example: https://www.sync.com/ claims that they have “zero knowledge” of your data because it’s encrypted on the client-side. So, all they do is store encrypted blobs of data. Again, that uses AES-256 – so chances are the NSA could break it – but it would stop the casual and even professional hacker. Putting that together, you could use password-protected BitLocker for all of your drives and backups, and then use Sync for offline/cloud storage?

        If that isn’t good enough, then you need to not-connect to any networks. Make offline copies of your data (using Windows Backup) to a BitLocker drive with a password – and put that drive in a safe. What I mean is, if you want to be “online”, and be protected, above is about as good as it reasonably gets. You have to take some amount of risk when you have a connected computer. I hope that helps – good luck!
