How to safely and securely store (all) your files online

Storing data online comes with great advantages. It’s easy if you want to synchronise files between computers or work remotely, without needing to set up and maintain a storage appliance. And if your laptop breaks down, all your data is safely stored in a datacenter somewhere else on the planet.

But it’s not all rainbows and unicorns. How do you take complete control over who has access to your data, while maintaining the advantages of storing everything online? Whether you’ve just gone paperless like us, or you’ve been an avid user of online storage for years already, you’re likely to learn something new from this article. Let’s go over some of the options, and why you may want to take action.

Meanwhile, in a data centre far, far away

Storing files online means trusting a third party with your precious data. You trust the company you signed up with to keep your data safe and private. But privacy and security are complicated. There are many situations in which you want to have as many layers of security around your data as possible, such as:

  • The password securing your online files is leaked after a breach in the security of the online storage service.
  • An employee (or worse: a former employee) of the company keeping your data accesses your files, either by mistake or on purpose.
  • An experienced programmer accidentally introduces a security problem that exposes one or more of your private files to the public. Programmers are human after all ;-)
  • You make a mistake in setting the sharing settings for a file or directory and end up sharing with more people than you intended.

The examples above are not theoretical. In 2011, a bug in Dropbox authentication caused all accounts to be accessible without a password for several hours. Five years later, the email addresses and (hashed) passwords for almost 70 million Dropbox accounts were published.

It is certain that other services will be subject to incidents like these in the future. And therefore, right now is an excellent time to increase security.

I’m using a paid storage service which uses encryption. Surely their security will be excellent?

Whether it’s free or you paid for the online storage, there is no guarantee your files are completely private. The Terms of Service or the Privacy Statement usually allow for scanning or accessing your files in some way or another.

For example, Dropbox states:

“Like most major online services, we do have a small number of employees who must be able to access user data when legally required to do so”.

This statement is important for two reasons:

  1. Together with the Terms of Service, this confirms your data can be read by anyone at the company with what Dropbox believes is proper clearance.
  2. Your data is by default not encrypted in such a way that only you can access it: otherwise, employees wouldn’t be able to access it when legally required.

The term encryption is often used to frame a product as secure: “we use encryption so it’s all good!” – What you really should be checking is what exactly is encrypted, and who holds the encryption key. Most of the time, the encryption is only applied in such a way that nobody can eavesdrop on the data while you’re sending it to the online service. As soon as the data has reached its destination, the encryption will be removed to store your files on the service’s hard disk drives. In those cases, the connection is encrypted, but your files are not.

Okay, you’ve convinced me. Now what?

That’s enough scaremongering (for now), let’s go over what you can do to take control and wrap your files in cosy layers of security!

1. Set a proper password or passphrase

Both boring and very effective, setting a strong password will protect you in case the hash (a scrambled, one-way representation) of your password is leaked.

Although the details of password strength and management are beyond the scope of this article, I recommend setting a strong password for accessing your data. And by strong, I mean: so strong you need a password manager to remember it for you.

Because while you’re at it, I also highly recommend you install a password manager such as 1Password. Then, use it to generate a secure password and store it for you. Make sure you have a strong master password and don’t forget to include the password manager’s vault in your backup.

Whatever you do, do not use a password you’ve already used somewhere else.

2. Set up 2FA, two-factor authentication

This option is also known as two-step authentication. When you enable this, your password alone will no longer be enough to access your data. In addition to the password, an extra code is needed. This extra code is the second factor you need for authentication, hence the term two-factor authentication.

This will protect you when someone has already managed to obtain (only) your password and uses it to log in to access your data. Since the extra code is needed to successfully complete the login, the attacker won’t gain access. You can set up 2FA for other services too, like Gmail or GitHub.

There are several types of 2FA. The most popular types are:

  • SMS-based: you receive an SMS with an extra login code.
  • TOTP (Time-based One-Time Password): you generate an extra login code using an app on your phone or in your browser.

I highly recommend the TOTP-variant when available. A popular app to use for this is Google Authenticator for mobile, or Authy on either mobile or desktop.

If only SMS-based 2FA is available, it’s still better than no 2FA at all, but it may cause some trouble if you lose your phone or switch phone numbers and forget you had 2FA active somewhere.

3. Check your sharing settings

Sharing is caring. And something you should particularly care about are your sharing settings. It’s easy to make a mistake when configuring sharing a single file, or a folder full of them.

Accidental sharing can happen in several ways:

  • You mistakenly set up sharing the wrong way, exposing a file that should’ve stayed private. This also applies to files that you wanted to share with someone, but maybe you’ve accidentally entered the wrong person or mail address to share with.
  • You did intend to share a particular folder with others, but you misplaced a file while dragging and dropping to the private folder just above. People with misbehaving mice or tripping trackpads know what I mean.
  • You shared a document with someone and forgot about it, then continued to add content to the document that you did not want to share with them anymore.

Your sharing settings are worth checking every once in a while. Checking once a year is better than not checking at all. If you’re a heavy user and you share with different people, you may want to check quarterly or even monthly. I have a repeating calendar event set to remind me to check.

Some online storage services show you the sharing status of each individual item in the online file manager, so you can quickly see what is going on. If you check regularly, this will help you spot mistakes earlier and minimize the risks of accidental sharing.

4. Encrypt your files before saving them online

Out of all of the recommendations in this article, this one is both the most advanced and the most effective. It will protect your files, even if almost every safeguard fails.

As we discovered earlier, online storage services won’t actually store your files encrypted in such a way that only you can read them. But luckily, you can still choose to add your own layer of encryption before you upload or synchronise with the online file storage.

Software such as [Boxcryptor](https://www.boxcryptor.com/) and AxCrypt will help you achieve exactly this. The files you share will be encrypted with a key you choose before storing your data online. Since the company storing your data doesn’t know your key, they won’t be able to open any of the files you uploaded. The same is true if an attacker manages to get all the way into your account.

The free version of Boxcryptor allows you to use one online storage service of your choosing (most popular services are supported by their software), and synchronise between two of your devices. Their client software supports both Windows and macOS, and mobile operating systems as well. Additional features are available at a small price.

Boxcryptor and AxCrypt are not the only online products offering these possibilities. If they don’t offer the features you’re looking for, search Google for “encrypt before uploading to the cloud” and you may find other products that better match your wishes.

Whatever product you choose, make sure you carefully follow their instructions and securely store the encryption keys in your password manager.
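What "encrypt before uploading" means in practice, as an added example that is not the code of Boxcryptor, AxCrypt or the original article: the key is derived from a passphrase only you hold, and the storage service receives nothing but the resulting blob. It assumes the third-party Python `cryptography` package is installed; the container layout (`MAGIC`, salt, nonce) and function names are constructed for this illustration.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # constructed 4-byte tag identifying this example's container format


def _derive_key(passphrase, salt):
    # scrypt is deliberately slow and memory-hard, so guessing passphrases is costly.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_for_upload(plaintext, passphrase):
    """Return the only bytes the storage service ever sees."""
    salt, nonce = os.urandom(16), os.urandom(12)  # fresh per file, not secret
    header = MAGIC + salt + nonce
    # The header is authenticated as associated data, so it cannot be swapped unnoticed.
    sealed = AESGCM(_derive_key(passphrase, salt)).encrypt(nonce, plaintext, header)
    return header + sealed


def decrypt_after_download(blob, passphrase):
    """Recover the file, or fail loudly if the passphrase or the blob is wrong."""
    if len(blob) < 32 + 16 or blob[:4] != MAGIC:
        raise ValueError("not a container produced by this example")
    header, sealed = blob[:32], blob[32:]
    salt, nonce = header[4:20], header[20:32]
    try:
        return AESGCM(_derive_key(passphrase, salt)).decrypt(nonce, sealed, header)
    except InvalidTag:
        raise ValueError("wrong passphrase, or the file was modified in storage") from None


if __name__ == "__main__":
    secret_file = b"Constructed sample: medical record, 2019"
    blob = encrypt_for_upload(secret_file, "a long passphrase from your password manager")
    print("uploaded bytes contain the plaintext:", secret_file in blob)
    print(decrypt_after_download(blob, "a long passphrase from your password manager"))
```

Losing the passphrase means losing the files, which is why it belongs in your password manager and your backup.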

5. Consider what to store online, and what to just back up

Online storage and (online) backup: you might think they are the same, but their purpose is completely different. Online storage is meant to make you more productive and to share and collaborate, while backups are made to save you when disaster strikes.

Basically, each and every file that is dear to you should be in your backup. This includes the data that is extremely important to never lose but is also best kept private. Examples of such data are medical records and the vault of your password manager. You probably do not need all of those to be available online for you to be more productive.

If your backup is properly set up, this makes safe use of online storage much easier: you can now choose in detail what to have online for better productivity, without having to fear losing data you consider too private to hand over to the company offering online storage services.

Of course, the recommendations from this article also apply to online backup services: encrypt data before backing up, set a proper password and use 2FA if available. If you make backups to your own storage solution such as a portable hard drive, consider its physical location: your backup should survive if your house or apartment building burns down to the ground.

I’m currently using CrashPlan for Small Business for my backups, and I couldn’t be happier.

Am I totally safe now?

With these recommendations, I’ve covered some of the most effective ways to improve your online storage security and safety. If you apply all of the tips your data will be able to withstand a lot of nasty attacks and leaks.

The reality is that we have no idea what security risks are coming, and it’s always possible someone finds holes in all of the layers we’ve set up to secure our data. However, I’m confident my tips will make it nearly impossible to do that.

There are still a lot of people who have not considered upping the security of their online storage. If you found this article interesting then please share it with as many people as possible. Together we raise the bar for attackers and make everyone more security aware.

Martijn
