WARNING: TrueCrypt is no longer considered a secure product, and has gone out of support in May 2014. See this page for this same concept, but using BitLocker instead.
This article will describe how you can use a cloud drive service, such as SkyDrive, Dropbox, or Google Drive – but have the sync folder on your computer, exist on a virtual, encrypted drive. Why? Well because that virtual drive is only accessible while you are logged in. If someone steals your computer, that “drive” with all of your data on it will not be available to them.
Let me paint you a picture: imagine your laptop or tablet was in your car, and your car was just stolen! Imagine you come home one day and you find your house has been burglarized! Aside from the obvious emotions that go along with things like these, think about your computers and electronic devices.
Your main workstation is gone, your work laptop is gone, your personal laptop is gone, your iPad/Surface/Kindle is gone. What data is on those devices? How much of a barrier does someone have before they get to your data?
Keep in mind that if you simply remove the hard drive from one computer and hook it up to another, you can just overwrite the permissions and see everything on that drive. In other words, unless you use some sort of security mechanism – ALL of the data on ALL of your hard drives can easily be read by the thief. So a bad situation could quickly turn into something much worse!
You likely have something on there with your social security number, address, etc. My point is, unless you are specifically doing something to protect your computers (laptops especially) – this could turn into a massive nightmare!
Now, your immediate thought might be “hard drive encryption, duh”. Well, BitLocker, which comes with Windows only works with higher end/corporate-targeted laptops that specifically have a TPM chip in them. So, your regular home laptop can’t use BitLocker. Your work laptop likely does have a TPM chip and your employer likely uses whole-disk encryption, so that should be the end of that. What about your computers though?
The next best thing, and sort of the fallback option is to use http://www.truecrypt.org for disk encryption. The obvious way to use this is to do whole-disk encryption. My hesitation with this is that you do have to put in a password every time you boot. This means that when your computer reboots after updates for example, it can’t come back up on it’s own. The other much more significant thing is that I’ve had it really mess up the drives on two computers. One was an SSD and it just didn’t play well with the drive – I ultimately need to reformat the drive to recover. So at-best, it’s a pain and at-worst, it could almost brick your hard drive.
There’s got to be a better way, right?
I think I have the solution. This is what I do. It’s not perfect, but I think it works well and gives me a reasonable amount of security. Below is my scheme:
I encourage you to use some sort of “cloud storage”. These all work on the same principle, you have a “hard drive” in the cloud that is secure, always backed up, and will never go down. They also have Windows and Mac apps that you install on your devices that sync the data. So, when you update an Excel spreadsheet and save it locally (in a specific directory), a background process immediately syncs it with your cloud drive. This works well, is free, and is a great alternative to doing dedicated backups. In fact, this is basically a real-time backup.
This concept is great – it consolidates all of your data into one place, and you can easily sync it to any/all devices. The bad side is that it consolidates all of your data into one place – that means that these cloud drives are valuable targets. So first, make sure you use a particularly strong password for whatever service you are using. I happen to like SkyDrive for two reasons: 1) if my password is compromised, I can ‘recover’ my password from several pre-defined ‘secure’ machines (like my phone, laptop, etc) and 2) it lets you specify what gets synced, where. So for example, I keep my music projects in my cloud drive, but I don’t want to sync those to my other devices, because they don’t have my music software installed there so it would literally just be a waste of bandwidth and space. I can choose to not sync those music folders, for example.
OK, so assuming you do this – you now have your valuable files smeared across several devices, unprotected – that’s not great! Well, here’s part II of the plan…
TrueCrypt Mounted Volume:
What you can do with TrueCrypt (www.truecrypt.org) is to create a volume and auto-mount it to a drive letter. What I mean is, I create an encrypted file – like C:SecureMyStuff.tc. Now, TrueCrypt will mount the drive letter T for example and the “contents” of that virtual drive will be stored, encrypted in that MyStuff.tc file.
Put another way, when I save a file to my “T:” drive, TrueCrypt is intercepting it – encrypting it and actually storing it in one big file: C:SecureMyStuff.tc.
As you can see above in a quick example, I have the H: drive mounted against C:DataTest.tc (you can name the file whatever you want). What this means is that whenever I save anything to my H: drive, that data is encrypted and stored somewhere inside of that Test.tc file. The “password” to this file is prompted to me at login, and only exists in memory while I am logged in.
Now, what if you have your SkyDrive/GoogleDrive/DropBox “sync” folder hosted on your T: drive?
Think about that for a second. That would mean that while you were logged in, you would be able to sync to your cloud drive, per normal. However, if another user on that computer – or if anyone ever stole your computer – if they try to read the hard drive, they will only see the operating system and this MyStuff.sec file. That file is ridiculously encrypted and virtually impossible to break into. So, if you’ve chosen a good password for it too, then you can feel pretty secure that your data won’t be compromised.
I’m not sure if this is confusing or clear, so let me try to state this differently. When I log in, I’m prompted by TrueCrypt and it “mounts” the T: drive against this encrypted file. So, I now see my C: drive in Windows Explorer and I now also see a T: drive. My SkyDrive syncs with my T: drive – this “virtual” hard drive that is actually encrypted and it’s contents are stored in 1 file on my regular hard drive. So, from my perspective, I have this T: drive and whatever I put on there will sync with SkyDrive and is secure.
Now, let’s say my computer is stolen. The thief pulls the hard drive and plugs it into another computer. He can see the operating system files and also this 100gb MyStuff.tc file. This file is very-strongly secured. Unless they load TrueCrypt and guess my password, that file is unreadable – that file that is, to me, my T: drive. They will NOT see a T: drive – and if they did try to manually mount it, they would have to know or guess my password.
One Catch – mount TrueCrypt volume first:
As I set this up, I realized that when I rebooted, I was prompted for my Mounted Volume password (after boot, and just after logon) – and immediately after I would see SkyDrive fail. I mean, it would completely disconnect and make me RE-set up my sync again because my T: drive was missing.
So, I needed to turn off the automatic startup of SkyDrive.
When I login, TrueCrypt prompts me for my password – it then mounts the T: drive and it’s available. I then manually start SkyDrive and it is none the wiser. To do this, just go into the SkyDrive settings:
I assume there is something equivalent for the other cloud drive providers.
To paint a complete picture now: I boot my computer, I log into it, TrueCrypt comes up with a prompt, I type in my password, the T: drive becomes available – then I hit WindowsKey, then type “sky” and hit <enter> (to launch SkyDrive) – and that starts the SkyDrive syncing against the T: drive! From that point on, SkyDrive acts like normal and the T: drive just seems like a regular drive to me.
So there you have it – a way that you can leverage these cloud drives without having to compromise the security of your data. In fact, going back to the original scenario that your computer was stolen – with this approach, you can feel much better that your data is likely going to be secure. It’s not fool-proof and you REALLY have to use secure passwords, but it’s a good step in the right direction.
The ideal might be to keep your folders secure so that if your cloud drive is compromised, you’d have another layer of defense – but I haven’t found a good way to do that. You can’t use this TrueCrypt approach because: A) the T: drive for me is like 50GB and SkyDrive doesn’t allow files that big and B) when these cloud drives sync – it’s all or nothing, so you couldn’t actually sync things correctly across machines – even if you could sync a file that big.
If I find a better way to do this, I’ll write something up on it. Meanwhile, if your laptop and home machines don’t have some sort of disk encryption, consider this approach – it works pretty well!