IMPORTANT NOTE: TrueCrypt has shut down under mysterious circumstances; please visit this link for more information.
Dropbox (2 GB for 0 $/year) is arguably the world’s best known cloud storage provider. But it isn’t perfect. In the wake of revelations about the PRISM programme, Dropbox has been criticised for its encryption practices.
TrueCrypt has been cited as the solution for shortcomings in Dropbox’s encryption policy. We wanted to find out whether the software was a realistic, usable way to add an extra layer of security to our cloud storage account.
TrueCrypt is a free, open source application. It is available for Mac, Linux and Windows up to Windows 7. There is no version for Windows 8. In this article, we’re using the Mac version of TrueCrypt and Dropbox, but the features available in the other versions are broadly similar.
To use this guide, you will need to install the Dropbox application from and download and install TrueCrypt from http://www.truecrypt.org/downloads. Once you have installed both applications, pause and read through the rest of our guide.
Getting Used to the Terminology
To understand the TrueCrypt interface, you may need a quick primer on the technical terms it uses.
- A volume is a virtual container where data is stored. Think of it as a kind of storage bucket. Volumes are saved as files on your computer and, when mounted, behave like disk drives. You cannot use TrueCrypt without creating a volume first.
- TrueCrypt assigns volumes to drive letters. These are referred to as slots.
- In TrueCrypt’s terminology, volumes can be mounted and dismounted. If you use Mac or Linux, you might be familiar with these terms already. Without going into unnecessary detail, a volume must be mounted before it can be used.
When using TrueCrypt, you first create a volume, decide what you want to store in that volume and then save the volume as a file. Because we’re working with Dropbox, we will focus on the storage of Dropbox content in an encrypted TrueCrypt volume.
We’ll then mount the volume and check that it’s working.
Using TrueCrypt to Encrypt a Dropbox Folder
Let’s look at the encryption process with TrueCrypt and Dropbox. For simplicity, we’ll encrypt a single file within the Dropbox folder, but you could use the same procedure to encrypt the entire folder.
1. Create a Volume
Initially, you’ll need to create a volume in TrueCrypt. This is a virtual storage container for your encrypted file(s).
Click the Create Volume button.
The Volume Creation Wizard opens.
2. Create the Container
On the first screen, choose the first option: Create an encrypted file container.
Continue with the Wizard.
3. Select the Volume Type
Select Standard TrueCrypt Volume. For most Dropbox users, this provides an adequate level of security. A non-hidden volume is also easier for us to work with.
4. Choose the Save Location
Now, we have to decide where to save our new volume. There are a few important points to note here.
- Although this button says Select File, we actually want to create a new file here.
- If we select an existing file, it will be permanently overwritten.
- Selecting an existing file does not encrypt it.
- The file must be located within the Dropbox folder.
In my example, I have created a brand new folder, OnlineBackupReviews, within the Dropbox folder. My TrueCrypt volume will be saved as a new file called TrueCrypt Example.
5. Choose the Encryption Method
In this dialog box, we can change the encryption type and hash algorithm for the volume we are creating.
Let’s look at this dialog in more detail.
About the Encryption Algorithm
The dialog box lists the following options for encryption:
Looking at the list, we can see that there are three encryption algorithms: AES, Serpent and Twofish. TrueCrypt allows any one of these to be used on its own, or in conjunction with others. Note the order of the options, too: AES-Twofish-Serpent is different to Serpent-Twofish-AES.
How important is this encryption method?
Well, AES-256 would reportedly take one billion billion years to crack – far longer than the universe has existed. But some people assert that the USA’s National Security Agency has already done it.
The truth is that nobody knows how safe AES-256 is; all we can do is guess. For best security, you should use a combination of encryption methods.
About the Hash Algorithm
The hash algorithm is used in conjunction with the TrueCrypt random number generator to create pseudorandom strings of letters and numbers for the encryption key. (‘Pseudorandom’ simply means that the string is not truly random, but is ‘as random’ as possible given the limitations of the system.)
Options here are:
The hash algorithm simply disguises the original pseudorandom string. For most users, the default, RIPEMD-160, is sufficient.
6. Enter a Volume Size
TrueCrypt now asks how big the volume should be. Consider the size of your Dropbox storage account, and the size of the files you want to store, when setting the size of the volume here. Dropbox will always ‘see’ a file of this size, regardless of the contents of the volume.
7. Choose a Password
A weak password will render your encryption completely ineffective, so this is an important part of the setup procedure. There’s no point in securing files with military-grade encryption technology if you secure them with a simple password like password1.
Ideally you should use a password generator to create a random 20-character string; longer if possible. If that’s not plausible, here’s a useful article on password creation that should give you some alternative ideas.
TrueCrypt also allows the use of a keyfile. This is a very clever function that allows you to use any file to generate your password; without this file, the user cannot gain access. You might choose an mp3 of your favourite song, a JPG photo of your kids or a file full of random characters (generated by TrueCrypt or by another application).
If you choose this keyfile method, make sure you never modify the keyfile in any way. Cropping the keyfile JPG, or changing the tags in the mp3, will render your TrueCrypt volume unusable.
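The check below is an added example, not part of the original guide or of TrueCrypt itself: it records a SHA-256 fingerprint of a keyfile and later reports whether the file has been altered. It assumes TrueCrypt's documented behaviour of processing only the first 1,048,576 bytes of a keyfile; the function names and the constructed stand-in for an mp3 are hypothetical.

```python
import hashlib
import os
import tempfile

# Assumption: per TrueCrypt's documentation, only the first 1,048,576
# bytes of a keyfile are processed when the volume is mounted.
PROCESSED_BYTES = 1024 * 1024

def fingerprint(path):
    """SHA-256 of the processed prefix and of the whole keyfile."""
    prefix, whole = hashlib.sha256(), hashlib.sha256()
    remaining = PROCESSED_BYTES
    with open(path, "rb") as fh:
        while chunk := fh.read(65536):
            whole.update(chunk)
            head = chunk[:remaining]  # empty once the prefix is consumed
            prefix.update(head)
            remaining -= len(head)
    return {"prefix": prefix.hexdigest(), "whole": whole.hexdigest()}

def check(path, recorded):
    """Compare a keyfile with the fingerprint recorded at volume creation."""
    current = fingerprint(path)
    if current["prefix"] != recorded["prefix"]:
        return "UNUSABLE"  # bytes TrueCrypt reads have changed
    if current["whole"] != recorded["whole"]:
        return "MODIFIED"  # changed beyond the processed region
    return "OK"

def demo():
    """Constructed stand-in for an mp3 keyfile; no real media is used."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "song.mp3")
        with open(path, "wb") as fh:
            fh.write(b"ID3" + b"title=Old" + os.urandom(PROCESSED_BYTES + 4096))
        recorded = fingerprint(path)
        results = [check(path, recorded)]   # untouched file
        with open(path, "ab") as fh:        # tag appended at the end
            fh.write(b"TAG" + b"\x00" * 125)
        results.append(check(path, recorded))
        with open(path, "r+b") as fh:       # tag edited at the start
            fh.seek(9)
            fh.write(b"New")
        results.append(check(path, recorded))
        return results

if __name__ == "__main__":
    print(demo())
```

Record the fingerprint when you create the volume and store it with a backup copy of the keyfile; any result other than OK means the keyfile has been altered and the backup copy should be restored.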
8. Choose the Format Options
Don’t worry: TrueCrypt is not going to format your hard drive. The Format Options simply allow you to choose the most suitable file system for your new volume. Remember: it’s effectively a self-contained virtual disk.
In most cases, you will want to create a FAT volume on Windows and a Mac OS Extended volume on a Mac. Advanced users may use the opposite, or choose None.
9. Select Cross-Platform Support
Most users almost certainly use Dropbox with different operating systems and devices, now or in the future. We highly recommend choosing the first option here to avoid any incompatibility issues.
10. Create Random Data and Format
TrueCrypt now generates a random pool of data by recording a string of characters based on the movement of your mouse. Move your mouse pointer in a random pattern to generate the string. When you are satisfied, click Format.
Using Your New Volume
Now that your volume has been created, Dropbox will begin to upload it. You must mount it within TrueCrypt to add and remove files.
First, locate the volume by clicking the Select File button and navigating to the file containing the volume. Then, click Mount.
TrueCrypt will prompt you for the password. Cache the password in memory to make it easier to work with the file.
Once the file has been mounted, it is shown in Slot 1. If I double click this line, I can open my volume and drag files in and out as though it were a regular disk.
Remember: to Dropbox, the file is always going to be roughly the same size as the volume size we set in step 6, above – even if it’s empty.
From the TrueCrypt menu, I can also:
- Check Volume Properties to remind myself of the options I chose when creating the volume.
- Wipe the cache (which removes passwords from RAM).
- Back up, restore or reconfigure the selected volume using Volume Tools.
- Dismount the selected volume, or select Dismount All to clear the list.
TrueCrypt Pros and Cons
TrueCrypt is clearly a very capable application, but it does introduce some challenges for the average Dropbox user.
- If you’re dead set on using Dropbox as your cloud storage provider, TrueCrypt will provide the additional layer of encryption needed to keep your files safe from prying eyes.
- It’s free, so there’s nothing to lose.
- Once the file is encrypted, you will lose some of the best Dropbox features: file versioning, sharing and so on.
- If you’re not technically minded, TrueCrypt’s user interface might be confusing.
- It’s still a workaround to Dropbox’s shortcomings, and it’s not a perfect workaround either.
There are other cloud storage services that offer better encryption than Dropbox right off the shelf:
- SpiderOak is a cloud storage service that offers sync and backup (therefore giving you more flexibility than Dropbox). It is gaining traction because of its commitment to robust cloud security. SpiderOak offers similar features to Dropbox and you won’t lose them when your data is encrypted. Read more in my SpiderOak vs Dropbox article.
- Mega is the cloud storage service founded by Kim Dotcom, one of the most high profile figures in the industry. Mega was arguably the first service that placed encryption centre stage in discussions about the cloud. It may not be perfect, but it’s easier to use than TrueCrypt.
I am impressed with the power of TrueCrypt, and if you’ve paid for a Dropbox account already, it’s certainly worth using. It initially looks a little baffling, but the Wizard takes most of the pain out of creating volumes.
Likewise, if you’ve committed to using Dropbox in the office, it’s easier to add TrueCrypt to the mix rather than trying to force a culture change and switch to an entirely new cloud storage provider. Admittedly, it depends how you use Dropbox.
The biggest issue is the loss of Dropbox features. The fact that you lose things like versioning makes TrueCrypt a definite compromise, and if you’re truly concerned about cloud security, there are better ways to achieve the same result.
I still prefer SpiderOak as a secure solution; users get the same benefits of Dropbox in terms of features, but with the added security of TrueCrypt. SpiderOak certainly knows its stuff when it comes to encryption and best practice.
It comes down to a balance between security and convenience, like most online services. TrueCrypt makes a poorly encrypted service much more secure, so we’d recommend it for any hardcore Dropbox user.