Local data encryption for cloud storage
Cloud Master
Synchronizing your data in the cloud is practical, but it's risky if you don't encrypt your data. Desktop encryption utilities offer various levels of security and ease.
Backing up data in the cloud sounds easy and useful; little wonder then that many individuals and companies take advantage of this opportunity. Companies that offer these services take your locally stored data and sync it with a storage service on the Internet – often automatically. In this way, you keep your directories synchronized without having to worry about backups. Of course, such services offer not only benefits but also risks. The burning issue to consider is: Who has access to your data?
Sometimes cloud providers automatically scan the uploaded files to check them for unacceptable content (e.g., child pornography or copyright infringement) [1]. In the first case, suspicious data is sent to investigating authorities, and in the second, the algorithm locks the sharing feature. If you opt for a free version of a service, you might start receiving advertisements based on the content of your evaluated files.
As the Snowden documents reveal, the NSA is also interested in data of any kind. From the beginning, administrators of cloud services also have had access to user data. Additionally, many companies in Europe are increasingly unsure about what happens when they offload their personal data onto servers elsewhere in the world.
Key Services
One solution is end-to-end encryption, wherein the user encrypts all the data on the local machine (with exclusive possession of the key) and then uploads to the cloud server. Some applications promise to handle the encrypted data in an easy and user-friendly way, but Linux also has on-board resources to help you achieve your goal. Here, I present a range of programs and discuss their advantages and disadvantages (see also the "Boxcryptor" box).
Boxcryptor
One of the more popular encryption programs is Boxcryptor [2]. Although the classic version [3] still supports Linux, the current versions do not. As the manufacturer states on its website: "It will not be supported on upcoming versions of these operating systems. Therefore, we can't guarantee that the Classic version will work on them." In this article, I only mention the software for the sake of completeness, because you have many other alternatives.
PanBox
One candidate goes by the name of PanBox [4]. The software was released in early 2015 and was funded by Germany's Federal Department of Justice and Consumer Protection. The developers of the program, the Fraunhofer Institute for Secure Information Technology and Sirrix AG, emphasize that privacy by design was an important precondition. In other words, the software model is not privacy by policy, which would have to rely on the existence of benevolent operators or laws. Instead, its strength is its verifiability and design. The sources are available from a public archive on GitHub [5], so the code is open to examination for bugs and verification of safeguards with regard to the security of the software.
PanBox is available under GPLv3. In addition to the open source variant, an Enterprise version of PanBox specially targets public authorities and companies [6], offering access to a directory service (LDAP) and a public key infrastructure (PKI).
A ZIP file for Linux and other operating systems, which you just download and unpack into a subdirectory, is available for download from the Sirrix AG site [7]. After installing and launching for the first time (see the box "Installing PanBox"), the software checks to see whether an identity already exists on the computer. If not, it wants to know the first name, last name, and email address of the user. In the next dialog, PanBox asks you to enter a device name. This name lets you map to devices easily. The hostname is preset.
Installing PanBox
Because PanBox 1.1.0 is a Java application, you need a current version of Java. The developers recommend the Java version by Oracle. Because the software uses strong encryption, you also need the Java Cryptography Extension (JCE), which is available in the download section of Java SE [8].
You still have to satisfy other dependencies. In the ZIP file, a README lists the libraries required in Ubuntu, Arch Linux, Fedora, and Gentoo. I used Ubuntu 15.10 for the article and thus installed the following additional software:
sudo apt-get install dbus-java-bin python-appindicator python-nautilus libbluetooth-dev python-notify python-gtk2 python-dbus
To launch the software, you run the start.sh script.
Finally, you need to enter a password. According to the manual [9], the password must be at least eight characters in length and "include a random combination of upper/lower case letters, digits, and special characters." In the test, eight characters was the only discernible limit; passwords comprising only numbers or letters were accepted by PanBox without comment. After entering the password, the software displays the previously entered data and generates the identity in the next step. Finally, it opens the application window (Figure 1).
At first launch, PanBox will detect a Dropbox installation, at which time it looks for your existing Dropbox folder and launches a second setup wizard that proceeds to integrate your Dropbox share. The wizard requires an access token, which is a kind of password that tells the Dropbox service that PanBox is allowed to access your Dropbox account. Clicking on Refresh launches a browser, and a Dropbox website asks whether PanBox is allowed to access the service. If you allow this, the page displays the access token which you need to copy and enter in PanBox at the end of the configuration.
Although the press releases for PanBox promise a simple and user-friendly approach, I had some irreconcilable differences with the application. I began with a fresh installation of Ubuntu 15.10 as the basis. After starting the application, a white window without any menus and the tray icon appeared. The application window did not respond to my attempts to close it; even clicking on Exit in the tray icon resulted in no discernible response. Working on Ubuntu 15.10 was therefore impossible.
Under Debian the software launched and opened a functional application window. During use, it crashed repeatedly when I tried to change the language (Figure 2). Apparently, the interface still needs some work. In the Shares tab, the application can share a folder of your choice as a vastly simplified Directory share. The program distinguishes between a Dropbox share, which works only with Dropbox integration, and a Directory share, which is for users with any other cloud provider. Unfortunately, I was unable to test the implementation because of the problems already described.
Cryptomator
Cryptomator [10] offers another solution to encrypting data for the cloud. Developer Sebastian Stenzel mainly works on the software, which is available under the MIT license. The source code is on GitHub [11]. If you look at the project homepage, you will note that the authors go to great lengths to explain the cryptographic contexts. That and the fact that it is free software ensure confidence and allow third parties to develop programs that interact with Cryptomator.
Apparently the developers have put much thought into how they want to protect the software. To begin, Cryptomator generates a key from your password and a random value (salt). For this, it uses the scrypt key derivation algorithm [12], making it difficult to brute-force the key. In the usual, simpler construction, a hash function (MD5, SHA-1, SHA-256) takes the password together with the salt, and the output of the hash function is the key.
With the use of special hardware and algorithms, attackers can try several million values per second and very quickly guess a password under certain circumstances. The scrypt algorithm therefore performs the hash function multiple times and also uses a large amount of RAM. As a result, it slows down attempts to guess the password.
If the operator selects the correct parameters for Scrypt, even special hardware will not achieve more than a few hundred attempted guesses per second. The system later uses the key encryption key (KEK) calculated in this way to decrypt the master key.
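The following Python example, added here and not taken from Cryptomator's code base, shows the mechanism the preceding paragraphs describe: a key encryption key (KEK) is derived from the password and a random salt with scrypt, and only that KEK can unwrap the stored master key. The scrypt cost parameters, the header layout and the wrapping construction (an HMAC-derived key stream plus an HMAC-SHA256 tag that detects a wrong password) are assumptions chosen for illustration, not the values or format of any real vault. The plain salted SHA-256 variant is included only so that the rate difference the article mentions can be measured on your own machine.

```python
import hashlib
import hmac
import secrets
import time

# Constructed cost parameters for this illustration; they are not the values
# any particular vault format uses. N is the CPU/memory cost, r the block size
# and p the parallelization factor; each derivation needs 128 * N * r bytes of
# RAM (16 MiB here), which is what makes GPU/ASIC guessing expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32  # 256-bit keys throughout


def derive_kek(password: str, salt: bytes) -> bytes:
    """Derive the key encryption key (KEK) from password and salt with scrypt."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=64 * 1024 * 1024,
        dklen=KEY_LEN,
    )


def fast_hash_key(password: str, salt: bytes) -> bytes:
    """The plain salted-hash construction the article contrasts scrypt with."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def create_vault_header(password: str, master_key: bytes) -> dict:
    """Wrap a 32-byte master key under the password-derived KEK.

    Simplified wrapping chosen for this example (not a real vault format):
    the KEK is fresh per salt and used once, so XORing the master key with an
    HMAC-derived key stream is sound here, and an HMAC tag over salt plus
    wrapped key lets unlock_vault() reject a wrong password cleanly.
    """
    if len(master_key) != KEY_LEN:
        raise ValueError("master key must be 32 bytes")
    salt = secrets.token_bytes(16)          # stored in the clear, per vault
    kek = derive_kek(password, salt)        # never stored anywhere
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(kek, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "tag": tag}


def unlock_vault(password: str, header: dict):
    """Return the master key, or None if the password is wrong (tag mismatch)."""
    kek = derive_kek(password, header["salt"])
    expected = hmac.new(kek, header["salt"] + header["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(header["wrapped_key"], stream))


def guesses_per_second(kdf, seconds: float = 0.5) -> float:
    """Rough single-core rate at which candidates can be tested with this KDF."""
    salt = b"\x00" * 16
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        kdf(f"guess{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)
    header = create_vault_header("correct horse battery", master)
    assert unlock_vault("correct horse battery", header) == master
    assert unlock_vault("wrong password", header) is None
    print(f"sha256: {guesses_per_second(fast_hash_key):,.0f} guesses/s")
    print(f"scrypt: {guesses_per_second(derive_kek):,.0f} guesses/s")
```

The two printed rates differ by several orders of magnitude on a typical laptop; raising SCRYPT_N by one power of two doubles both the time and the memory per guess, which is the knob an operator turns to hit the "few hundred guesses per second" the article refers to.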
For other cryptographic actions, Cryptomator uses the AES algorithm relying on cipher block chaining (CBC) or counter (CTR) mode. The SHA-256 hash algorithm is used as the basis for further operations and is a good choice, because it rules out many attack vectors.
A window with the mascot of the software (Figure 3) appears after installation (see the box "On Disk"). Adding a vault begins in the lower left corner. A vault is a folder in which the encrypted content is stored as well as the key. Although the key cannot be used easily for decryption because of the key generation process already mentioned, it would appear to be safer to store it outside of the directory. The vault then lies within a folder hosted by the cloud provider.
On Disk
Two possibilities exist for installing of Cryptomator on Linux: The developers offer a ready-made package for Debian-based systems that can be installed with:
dpkg -i <filename>
The package stores the software in the /opt/Cryptomator directory. For other systems, you can launch the software's jar file by calling:
java -jar <filename>
Alternatively, you can run the file /opt/Cryptomator/Cryptomator.
To create the vault, you need to specify a directory. In the second step, you create a password. The software has no restrictions in terms of the length or the characters used. Minimum requirements would be desirable: After all, despite a good derivation function such as Scrypt, simple passwords can be guessed pretty quickly.
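As an added example (not code from PanBox, Cryptomator or their authors), the small Python check below implements the password rule the PanBox manual states, quoted earlier in this article: at least eight characters and a mix of upper/lower case letters, digits and special characters. It reports which of these documented requirements a candidate fails, so a digits-only password of the kind PanBox accepted without comment is rejected; the same check would serve as the minimum requirement the text wishes Cryptomator had. The character classes are taken from Python's string module, an assumption about what counts as a "special character".

```python
import string

MIN_LENGTH = 8  # the only limit the article found PanBox actually enforcing

# Character classes the PanBox manual says a password must combine.
# Using string.punctuation as the "special character" set is an assumption.
CLASSES = {
    "lowercase letter": set(string.ascii_lowercase),
    "uppercase letter": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation),
}


def password_problems(password: str) -> list:
    """Return the documented requirements the password fails (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            problems.append(f"no {name}")
    return problems


def is_acceptable(password: str) -> bool:
    """True only when every documented requirement is met."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed candidates: the first is the digits-only kind PanBox let through.
    for candidate in ("12345678", "Short1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```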
Before Cryptomator opens the vault, it prompts you again for the password you just composed. At the same time, it activates a local WebDAV server on a random port in the background. Nautilus and Gnome Files (file manager) support WebDAV and automatically display the new directory.
For the command line, you need a program like Cadaver [13] to manage your files. When you move files from your hard disk to the WebDAV directory, Cryptomator encrypts them automatically and places them in the vault (Figure 4). After a short learning curve, Cryptomator was easy to use, with no appreciable defects, such as crashes, in the lab test. Another positive aspect is that the developers are still actively working on the software.