Warning: TrueCrypt is not secure. See this post for details and information on migrating to BitLocker or FileVault.

When it comes to storing files in the cloud, there is a lot of fear, uncertainty, and doubt going around. Some of it is even spread by cloud-based software companies who are trying to get a leg up on their competition.

I try to balance security with utility to make sure I protect my client files while enabling me to access those files whenever and wherever I need them. Here’s the gist: Encrypt everything, use Dropbox wisely, use local backup, and back up to the cloud using CrashPlan.

(Learn how to do all these things yourself, by the way. This constitutes basic computer literacy.)

Using TrueCrypt, Dropbox, local backup, and CrashPlan

There are four parts to my client file storage system.

1 First, and most importantly, I use TrueCrypt to encrypt my file system (BitLocker works fine if you have an Ultimate version of Windows; FileVault works fine if you have a Mac). This secures the contents of my hard drive, which is otherwise nearly as easy to access as a USB drive (those little “thumb drives” everyone carries around).

2 For files I am currently working on or that I need regular access to, I use Dropbox so that I can access those files no matter where I am and no matter what computer (or device) I am using. For me, that includes open client files, forms, data files like my QuickBooks file, website files, and a few other items.

Besides being good for security, keeping your Dropbox small will minimize the time it takes Dropbox to index your files on boot. If you have a lot of files, this can bog down your system for quite a while.

If you only ever use one computer and never need to access your files from a gadget or browser, Dropbox is unnecessary. If, like me, you use multiple computers and gadgets, or you like to travel without dragging along an extra bag of tech gear, Dropbox is essential.

3 Everything I don’t need to access regularly is stored in the regular Documents/My Documents folder on my computer. Business archives are on my desktop at the office, and personal archives are on my laptop at home. My archives include closed client files, finances from past years, and anything else I am just storing, rather than using.

4 I use two methods to back up everything, whether it is in my Dropbox folder or not. First, I back up everything nightly to a second hard drive using the regular Windows backup utility. My second hard drive is a second internal hard drive, but you could get an external hard drive, too. Second, I back up everything to CrashPlan. (I use the CrashPlan+ Family Unlimited Plan, which lets me back up unlimited data from up to 10 computers.) This way, I always have a recent backup of all my critical files in at least two separate locations. It would take a lot of disastrous coincidences for me to lose my files.

Don’t use free versions

As a general rule, you should pay for the software and services you use to store client files. That’s because free versions often have different terms, privacy policies, and security levels.

This is definitely true for my cloud backup service of choice, CrashPlan. With the free version, you get only 128-bit encryption. That’s fine — it’s what your bank probably uses — but the paid versions come with a hardcore 448-bit encryption.

With Dropbox, the agreement and services don’t change significantly if you pay for the service (except that Dropbox won’t automatically delete your account if it is inactive for 90 days), but the base plan’s 2 GB of storage won’t last long if you are actually storing files there.

TrueCrypt is an exception. There is no premium version, although you can — and should — contribute to the project to help support it. TrueCrypt is free and open-source software (FOSS), which means the source code is available to anyone. That is a huge advantage when it comes to security software; it doesn’t mean the software is any less secure.

Why Dropbox is (a teeny bit) risky

It’s not that risky, first of all. Dropbox transmits your files over a secure, encrypted connection (although the files themselves are not encrypted before transmission) and stores them encrypted on Dropbox’s servers. Much ado has been made over the fact that some Dropbox employees have the codes necessary to decrypt files. I am not concerned about this, because I am satisfied by Dropbox’s statements on access:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

That’s more assurance than I expect most firms get from their cleaning staff — or their secretaries, for that matter.

However, I no longer recommend just tossing all your files in your Dropbox folder. It’s not really Dropbox’s security I am worried about as much as the size of Dropbox as a “target.” Dropbox stores an enormous amount of information. You’ve got to think it’s a pretty tempting target for malicious hackers.

A couple of years ago, I wasn’t too concerned about “hackers,” which were a threatening idea, but not much of an actual threat. The explosion of malicious hacking and other incidents over the last year or so has changed that.

Now, I think it is a good idea to minimize the data you store in large, tempting buckets like Dropbox. But I’m not willing to stop using services that are (1) actually quite secure and (2) really useful.

Why CrashPlan is secure

CrashPlan is cloud backup with impressive security. As I mentioned above, the paid versions of CrashPlan use 448-bit encryption, which is pretty hardcore. 128-bit encryption is effectively unbreakable using current technology. 448-bit encryption is unbreakable using any technology we can imagine for the next couple of decades, at least.

Most importantly, CrashPlan encrypts your files before transmitting them to CrashPlan’s servers, meaning that even if you are backing up from an insecure wireless access point in a coffee shop, your files should be safe from snoopers.

CrashPlan also lets you set a private password, so that nobody can restore your backups without the password — not even the most-privileged administrator at CrashPlan. That’s about as secure as the cloud (or anything else) gets.

Putting the pieces together

This is a quick blueprint for a sensible approach to securing your files, syncing them across your computers (or sharing them with your co-workers), and backing them up locally and to the cloud. It is a sensible approach to security, but not the most secure.

If you have specific reasons for needing elevated security (you handle IP in highly competitive industries or defend accused terrorists), there are more secure ways to store, sync, and back up your files. Most require some advanced skills. Frequent commenter and LAB member William Chuang is a security hawk who doesn’t like my recommending Dropbox, and if you aren’t intimidated by things like setting up your own file server and VPN, check out his comments on Lawyerist, his posts in the LAB, and his blog. His criticisms are valid; I just don’t think they mean you shouldn’t use Dropbox.

For everyone else (read: pretty much everyone), encrypting your files, keeping “current” files in Dropbox, and backing everything up locally and to CrashPlan will provide very good security from malicious hackers, accidents, and disasters.

(photo: http://www.flickr.com/photos/lockergnome/6219181728/)

24 responses to “A Sensible Approach to Storing Client Files in the Cloud”

  1. Matt Levy says:

    Good points, but there’s one difference between TrueCrypt and FileVault that’s worth highlighting. FileVault does encrypt your hard drive, but when you’re logged in, the decryption is done transparently so that any program accessing the hard drive sees only the unencrypted version when it accesses the file system. TrueCrypt stores files in encrypted volumes – you have to expressly decrypt and mount the volume to access it.

    This matters for Dropbox storage.

    When you use Dropbox with FileVault, the files sent to Dropbox are actually sent in unencrypted form. (Dropbox encrypts the communication channel, but it receives the unencrypted file.) The advantage to FileVault is that if your laptop falls into the wrong hands, no one (in theory) can get your data off the hard drive. So it’s well worth using. But it’s not the equivalent of something like TrueCrypt.

    When you store a TrueCrypt volume on Dropbox, the encrypted file is what’s stored on the Dropbox servers. Dropbox never sees the unencrypted versions. The disadvantage is that sharing these files becomes more difficult. Dropbox only sees the one big encrypted file that TrueCrypt stores. So if you have multiple files in a TrueCrypt volume, you can’t sync them individually. And they won’t sync until you unmount the TrueCrypt volume. You could create individual volumes, but that does require more work. And sharing with coworkers is a challenge as well. But this is a fairly secure way to store files in the cloud.


    • Sam Glover says:

      You can also use TrueCrypt to encrypt an entire partition or drive, which is how I use it. Encrypting volumes and then storing them in Dropbox is too clunky.

      • Michael says:

        Sam, I believe this post by security/privacy researcher Steve Gibson regarding TrueCrypt is worth your time reading. The TLDR version: TrueCrypt is still safe to use.

  2. William Chuang says:

    For a true solo attorney, DropBox is fine. DropBox scares the heck out of me because it has bizarre security bugs. For a few hours last year, every file stored by every user was accessible by everyone. Even now, if someone takes a specific file from your computer, they can access your DropBox files even if they don’t have the password, and there’s no way to stop them or even to audit their access. As a workaround, stick a TrueCrypt volume in your DropBox. TC uses block-level encryption so a small change in a file within the volume will not require the entire volume to be reuploaded, and the password changes on volumes are relatively fast.

    If you have multiple users such as a partner and/or legal assistants, set up a NAS or your own server. Synology NAS devices in particular are very simple to set up, and the files can be accessed by any computer on your network (with the proper logins) as well as online. If you’re really bored, you can get an HP Proliant N40L Microserver for $200 (on sale), and install Windows Home Server 2011 on it. You not only get a file server, but you also get automated backups of every computer on your network. Then you can upload those files onto CrashPlan so you can get an entire snapshot of your law firm backed up in a central location.
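
The sync behaviour described in the comment above, as an added example that is not part of the original post or its comments: it compares per-sector encryption with whole-file encryption under a fresh nonce and lists which chunks a hash-comparing sync client would re-upload after a one-byte edit. The sector and chunk sizes, the chunk-level upload model and the HMAC-SHA256 keystream (a stand-in for the volume's real sector cipher, unsuitable for real data) are assumptions.

```python
import hashlib
import hmac
import os

SECTOR = 512   # assumed container sector size
CHUNK = 4096   # assumed sync upload unit, scaled down for the demo

def keystream(key, label, n):
    """HMAC-SHA256 in counter mode: a stand-in cipher, not for real data."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_container(key, plaintext):
    """Encrypt every sector on its own, keyed by its sector number."""
    out = bytearray()
    for off in range(0, len(plaintext), SECTOR):
        sector = plaintext[off:off + SECTOR]
        label = b"sector" + (off // SECTOR).to_bytes(8, "big")
        out += xor(sector, keystream(key, label, len(sector)))
    return bytes(out)

def encrypt_whole_file(key, plaintext):
    """Encrypt the file as one unit under a fresh random nonce."""
    nonce = os.urandom(16)
    stream = keystream(key, b"file" + nonce, len(plaintext))
    return nonce + xor(plaintext, stream)

def changed_chunks(old, new):
    """Indexes of the chunks a hash-comparing sync client would re-upload."""
    def hashes(blob):
        return [hashlib.sha256(blob[i:i + CHUNK]).digest()
                for i in range(0, len(blob), CHUNK)]
    a, b = hashes(old), hashes(new)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    before = keystream(key, b"constructed volume contents", 16 * CHUNK)
    after = bytearray(before)
    after[5 * CHUNK + 100] ^= 0xFF   # a one-byte edit inside chunk 5
    after = bytes(after)
    container = changed_chunks(encrypt_container(key, before),
                               encrypt_container(key, after))
    whole = changed_chunks(encrypt_whole_file(key, before),
                           encrypt_whole_file(key, after))
    return container, whole
```

`demo()` returns the changed chunk indexes for the container and for the whole-file case, in that order. The property that keeps the container upload small also lets whoever stores successive versions see which regions of the container changed.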

    • Sam Glover says:

      The vulnerability you mention, however, depends on someone having physical access to your computer as well as administrator-level access to your operating system. If someone has that kind of access, they can do a lot worse things than infiltrate my Dropbox files.

      When it comes to multiple users, the decision is whether you want everyone to have your files on their computers or not. I think it’s a better idea for security reasons to host all the files on a file server as you suggest, but if you are paperless, that means nobody will be able to access files from the courthouse — at least not the courthouses I go to, which block wireless signals and don’t have internet access available.

      • William Chuang says:

        For most things, you can stop them after they leave. You can just wipe the system and start from scratch with new passwords. With the Dropbox, there’s nothing you can do. NOTHING. You have to assume that everyone who has access to your box can access Dropbox forever. And there’s no way to find out unless they delete all your files (which is a dumb thing to do because Dropbox will keep it anyway). You can’t audit their use, you can’t stop them. It’ll just always be a possibility.

        I put everything on my file server but when I need files for a particular case, I just pull them onto my laptop before I leave. I use Windows Small Business Server 2011 Essentials, and it syncs my folders with the file server, so I always have access to the files on my laptop. It’s pretty nifty, but I don’t know if it’s available on WHS2011.

  3. William Chuang says:

    Not sure if I’m allowed to link, but NewEgg Business has the Proliant N40L on sale for $200 until April 24. Pick up the RAM for $70, WHS 2011 for $52, and a few hard drives for RAID storage. It’s a pain to configure, I’ll freely admit, but once it’s all set up, you’ll have your own SSL-secured website to access your files. I use CrashPlan to back up my files, and all my client system backups. Set them up as separate tasks so it’ll keep your files up to date with high priority, and the client backups once a week with low priority.


    • Laurie says:

      What about just getting a Seagate external hard drive - how is that different from what you are suggesting here?

      • Sam Glover says:

        What if your office burns down with your computer and your Seagate external hard drive in it? Or a thief breaks into your office — and makes off with your hardware?

        Backing up to CrashPlan means you have a copy safely stored away in a completely different location. If both my office and my home were flattened in the same earthquake, my client files would still be safe and sound.

      • William Chuang says:

        A file server is useful only when you have multiple computers on your network. If you only have a single person, then there’s really no need for a file server. With multiple users, the file server will centralize storage and backups. The secretary can proofread your documents for typos and tell you it’s okay. The backup will save versions of files so if there’s a change, you can always go back and undo it.

  4. Jonathan Jackel says:

    You ought to take a look at substituting SpiderOak for Dropbox for confidential files. It can be set up to work just like Dropbox syncing and sharing, but everything is encrypted on your machine before being uploaded. They take a lot of pride in their “zero knowledge” about your files. Setup is more complicated than Dropbox, but a small price to pay, and they offer advanced security options like two-factor authentication. Works across all my platforms (Windows, Mac, iOS). Free for 2GB, and $10/100GB/month or $100/100GB/year after that.

    • Sam Glover says:

      I’ve seen it, although I haven’t tried it. It looks promising, but last time I checked, it lacked many of the features that I like having with Dropbox.

    • I like the 100% zero knowledge policy, though I am not sure how strong their encryption can be if it is based only on a simple password. But, what bothered me was their comment that shared documents can be crawled by a search engine:

      See: https://spideroak.com/faq/questions/43/are_spideroak_share_rooms_indexable_or_crawlable_by_search_engines/

      This seems preposterous. The sharing also seems to be missing a log of file access. This is an important feature so that we can dispute access and even withdraw inadvertently disclosed privileged docs. I have not found a perfect solution yet. I’m still looking. Some combination of Crashplan security and Dropbox ease of use would be great.

      • Jonathan Jackel says:

        Bryan, encryption strength is determined by whether the algorithm is sound and whether the password is guessable or easily determined by trying a bunch of passwords or perhaps examining the encrypted data. SpiderOak says it uses 2048-bit RSA and 256-bit AES encryption, which are both believed to be strong algorithms. Use a good, long, unguessable password! In addition, you can use multi-factor authentication if you think passwords are not good enough.

        I think you are being unduly harsh on the crawling point. In order for crawling to happen, (1) you have to share your data and (2) the person you share with has to put the link in a public space like Twitter or Facebook or another web page. Ye gods, that would be irresponsible! Once you share a document — through SpiderOak or any other means — there is no way to prevent the recipient from doing something crazy with it. The only solution is to share only with trustworthy people.

        The SpiderOak app does include a log, but I have not tested to see whether it logs shared file access.

  5. Nancy says:

    How does Crash Plan compare to Mozy (paid-for Mozy)?

  6. Blair Matsumoto says:

    Is Crashplan superior to Carbonite?

  7. shg says:

    These are very funny names for clouds. I call mine “muffy” and “sunshine cloudy-pants.” I do not watch My Little Pony, however. Not that there’s anything wrong with that.

  8. Sam Glover says:

    Of course, the day after I post this, Google Drive is released!

    I just moved all Lawyerist and Bitter Lawyer files to Google Drive, where they are shared with Aaron and Greg. The only thing I can really say about it so far is that it was a completely painless experience. The sync utility functions essentially the same as Dropbox, and you can replace all instances of Dropbox in this post with Google Drive, if you would rather go with Google.

    For us, it just makes sense, since we already used Google Docs for a fair amount of stuff. Putting everything into Google Drive just unifies our files.

    I’m still using Dropbox for my personal and active firm (including client) files, and I’ll stick with that until I make up my mind about Google’s privacy policy and terms of service.
