
Are self-hosted open-source alternatives to Dropbox really more secure?

Started by fox, June 18, 2018, 12:41:14 PM


fox

The question was prompted by this article. Two of the recommended alternatives to closed-source Dropbox are ownCloud and NextCloud. I use Dropbox to access files from different devices in and outside of my home and what I like about it is that it keeps them in sync. It costs me nothing as I have enough free Dropbox storage (~10 GB) to store all of the data files that I regularly use from different sources. It has also been 100% reliable. I seem to remember Bob Foley saying that internally hosted solutions are the best, as long as you aren't allowing access to files outside the home. Having 10-20 GB of dedicated space on a home computer would be no problem for me, but is that really a better, more secure solution than Dropbox?
Ubuntu 23.10 on 2019 5k iMac
Ubuntu 22.04 on Dell XPS 13

Jason

Quote from: fox on June 18, 2018, 12:41:14 PM
I seem to remember Bob Foley saying that internally hosted solutions are the best, as long as you aren't allowing access to files outside the home.

Best in what way? If he meant more secure, which is probably where he was going with that, then yes, but if you're not accessing files outside the home then you won't have the same features that Dropbox offers so it doesn't really matter unless you're willing to give that up.

Quote
Having 10-20 GB of dedicated space on a home computer would be no problem for me, but is that really a better, more secure solution than Dropbox?

I think it's more about how well you trust Dropbox. We already know that Dropbox employees have access to viewing user files although you can use encryption to deal with that like Bill does. So in that way, a self-hosted solution is definitely more secure in that you're the only person who can ever view your data. But if you're not concerned about that, it probably doesn't matter. Note that if you host yourself you will be responsible entirely for the security of your data which really just means you need to be quick about installing updates for the hosting software and have an excellent password.

And that's the crux of it, I think. Dropbox makes it more convenient than setting up a self-hosting service. Self-hosting means keeping the software and OS (if it's separate) updated and configuring your router to access. While using Dropbox, the data relies on the company to keep it safe, not just from hackers but their own employees. That's why I suggest, unless the files you share aren't really private, that you encrypt that data and decrypt it on each machine you use it on.

So I think what you use probably depends on your level of trust (i.e. paranoia) of Dropbox and how much work you're willing to put into it. Personally, I think using Dropbox is fine, especially with encryption for sensitive documents.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

fox

Glad I posted this question because I have not encrypted any of my files and some of them are ones I wouldn't want read. Would you use gnupg or some other form of encryption?

ssfc72

This is a dated article (2011) but it covers some concerns about how secure Dropbox is.
https://www.techrepublic.com/blog/it-security/dropbox-convenient-absolutely-but-is-it-secure/

Since Dropbox is based in the US, I would not consider Dropbox to be secure from the prying eyes of the US government.

If I was wanting to store any sensitive files on Dropbox, I would perhaps look at using Truecrypt to store a Truecrypt drive/Folder in my Dropbox Folder.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

fox

Is Google Drive any more secure? I ask because I have free storage in both Dropbox and Google Drive.

ssfc72

My guess would be that Google Drive would be the same as Dropbox for the security of your stored files.

I suspect that certain employees of the Cloud services and the US government could gain access to your stored files, which are encrypted with the Cloud services' security.

Depending on what level of security you need for your files, I think the files are probably secure enough from any casual prying by the employees of the Cloud services.

Jason

Quote from: ssfc72 on June 19, 2018, 02:59:22 AM
This is a dated article (2011) but it covers some concerns about how secure Dropbox is.
https://www.techrepublic.com/blog/it-security/dropbox-convenient-absolutely-but-is-it-secure/

Since Dropbox is based in the US, I would not consider Dropbox to be secure from the prying eyes of the US government.

If I was wanting to store any sensitive files on Dropbox, I would perhaps look at using Truecrypt to store a Truecrypt drive/Folder in my Dropbox Folder.

I concur except I'd suggest using Veracrypt now. As far as I know, Truecrypt is no longer being updated and even the creator of the software recommended people not use it because of some major security flaws he discovered. But the code was open and programmers worked on it and found and addressed security flaws and forked a new project called Veracrypt.

ssfc72

Wow, thanks for the info on Truecrypt, Jason.
Time flies, Truecrypt was discontinued back in 2014, according to Wikipedia.
I will have to try out Veracrypt.

fox

Well I downloaded it and tried to make an encrypted volume, but I can't figure out how this works. What I was hoping for is that I could create a folder, put files in it I want encrypted, encrypt the folder, and then store it on Dropbox. I don't think Veracrypt even makes encrypted folders.

I also tried encrypting the files in a folder with openPGP, using a password instead of a key. This creates .pgp files in a folder, but clicking on it just recreates the file in the same folder, leaving the PGP file. And when that happens, I'm not asked for a password, so what good is this?

ssfc72

This YouTube video may help you to understand how to create a Veracrypt file/Volume.
https://www.youtube.com/watch?v=fSRGWfmnNzI

When you create a file, at the very beginning, just create that file in your Dropbox Folder on your computer.

This tutorial is also helpful:
https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html


Jason

As Bill's links show, it works on the principle of an encrypted volume. When you create an encrypted volume it looks like just a file to the OS until you mount it. Mounting it basically decrypts it and you see it as if you plugged in an external drive. Then when you unmount it, it's re-encrypted and becomes just a file again. So just keep that file in your Dropbox folder.

I did a presentation on Veracrypt once at a meeting but not sure if you were there.
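
An added example, not written by any poster in this thread: a Python check that a synced folder holds only ciphertext, covering the two cases described above, a decrypted copy left beside its .pgp file and a VeraCrypt container kept as a single file. The file names, the 64 KB sample size and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ARMOR = b"-----BEGIN PGP MESSAGE-----"
# First byte of a binary OpenPGP message: packet tag 1 or 3 (encrypted session key).
PGP_FIRST_BYTES = {0x84, 0x85, 0x8C, 0x8D, 0xC1, 0xC3}


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; ciphertext sits close to 8.0, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path, sample=65536, threshold=7.5):
    """Return 'openpgp', 'opaque' or 'plaintext' for one file."""
    with open(path, "rb") as fh:
        data = fh.read(sample)
    if data.lstrip().startswith(ARMOR):
        return "openpgp"
    random_looking = entropy_bits_per_byte(data) >= threshold
    if random_looking and data[0] in PGP_FIRST_BYTES:
        return "openpgp"
    # A VeraCrypt container has no signature, so high entropy is the only hint;
    # compressed files (zip, jpg) also land in 'opaque'. Very small files
    # cannot reach the threshold and are reported as 'plaintext' for review.
    return "opaque" if random_looking else "plaintext"


def audit_sync_folder(root):
    """Relative paths under root that look unencrypted."""
    root = Path(root)
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if p.is_file() and classify(p) == "plaintext"]


def demo():
    """Audit a constructed folder: container, .pgp file, stray decrypted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vault.hc").write_bytes(os.urandom(65536))  # container stand-in
        (root / "notes.txt.pgp").write_bytes(b"\x8c\x0d\x04\x09\x03\x02" + os.urandom(4096))
        (root / "notes.txt").write_text("private note (constructed)\n" * 50)
        return audit_sync_folder(root)
```

Call `audit_sync_folder` with the path of the synced folder; an empty list means every file looked encrypted or at least opaque, and anything listed should be checked before the next sync.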

fox

Jason walked me through the installation and operation of Veracrypt last night at PLUG MUG. Normally I can follow the kind of instructions posted, but there was some terminology that threw me through a loop. At any rate, I was able to set up a folder (called a volume in Veracrypt) and put files in it that I wanted encrypted. The next thing I tested was the effect of not properly unmounting the encrypted "volume"; i.e. ejecting it from the desktop and not unmounting it from a Veracrypt application window. This didn't hurt anything. I then tested it more severely by improper shutdown of my laptop while a "volume" was mounted. (To simulate an electrical power loss.) Again, no negative effect, but note that in both tests I didn't have any encrypted files open. I should try this with a file open next time.

Since I might have to access files in the encrypted folder from different platforms, that formed the basis of my next tests. I installed Veracrypt on a Mac OS partition on my iMac and on a Windows partition on my laptop. I had access to the files from both OSes and the operation was virtually the same on Linux, Mac or Windows.

My encrypted folder is stored in Dropbox so that I can access it from different devices. One of those devices I wanted to access it from is my Android tablet, and here is where I ran into a small problem. There is no version of Veracrypt for Android, but there is an Android program called EDS that allows access to Veracrypt "volumes". The free version, EDS lite, looks to work OK, but not on "volumes" stored on Dropbox. For this you need the paid version ($9.95). I stopped here because I'm not sure I actually need access to these files on my tablet and if I do, I can buy the app on the spot. The other way to access the files would be to store a hard copy on my tablet, but if I changed any file that way it wouldn't sync to my Dropbox versions.

ssfc72

Regarding the possibility of corrupting or losing the encrypted volume.

Follow the golden rule - image your drive. :-)


Quote from: fox on June 28, 2018, 08:30:58 AM
The next thing I tested was the effect of not properly unmounting the encrypted "volume"; i.e. ejecting it from the desktop and not unmounting it from a Veracrypt application window. This didn't hurt anything. I then tested it more severely by improper shutdown of my laptop while a "volume" was mounted. (To simulate an electrical power loss.) Again, no negative effect, but note that in both tests I didn't have any encrypted files open. I should try this with a file open next time.

