Author Topic: Are self-hosted open-source alternatives to Dropbox really more secure?  (Read 287 times)

Offline fox

The question was prompted by this article. Two of the recommended alternatives to closed-source Dropbox are ownCloud and NextCloud. I use Dropbox to access files from different devices in and outside of my home and what I like about it is that it keeps them in sync. It costs me nothing as I have enough free Dropbox storage (~10 GB) to store all of the data files that I regularly use from different sources. It has also been 100% reliable. I seem to remember Bob Foley saying that internally hosted solutions are the best, as long as you aren't allowing access to files outside the home. Having 10-20 GB of dedicated space on a home computer would be no problem for me, but is that really a better, more secure solution than Dropbox?
Ubuntu 18.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19 on "late 2015" 5k iMac
Ubuntu 18.10 and Arch on Dell XPS 13

Offline Jason Wallwork

Quote
I seem to remember Bob Foley saying that internally hosted solutions are the best, as long as you aren't allowing access to files outside the home.

Best in what way? If he meant more secure, which is probably where he was going with that, then yes, but if you're not accessing files outside the home then you won't have the same features that Dropbox offers so it doesn't really matter unless you're willing to give that up.




Quote
Having 10-20 GB of dedicated space on a home computer would be no problem for me, but is that really a better, more secure solution than Dropbox?


I think it's more about how well you trust Dropbox. We already know that Dropbox employees have access to viewing user files, although you can use encryption to deal with that like Bill does. So in that way, a self-hosted solution is definitely more secure in that you're the only person who can ever view your data. But if you're not concerned about that, it probably doesn't matter. Note that if you host yourself you will be responsible entirely for the security of your data, which really just means you need to be quick about installing updates for the hosting software and have an excellent password.

And that's the crux of it, I think. Dropbox makes it more convenient than setting up a self-hosting service. Self-hosting means keeping the software and OS (if it's separate) updated and configuring your router to access. While using Dropbox, the data relies on the company to keep it safe, not just from hackers but their own employees. That's why I suggest, unless the files you share aren't really private, that you encrypt that data and decrypt it on each machine you use it on.

So I think what you use probably depends on your level of trust (i.e. paranoia) of Dropbox and how much work you're willing to put into it. Personally, I think using Dropbox is fine, especially with encryption for sensitive documents.
Primary: Desktop Tower with Kubuntu 18.10 on i5-3470 3.2 GHz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID-10 array for programs/data

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Linux Du Jour, (i3-2367M 1.4 GHz, 4GB RAM, 128GB SDD)

Offline fox

Glad I posted this question because I have not encrypted any of my files and some of them are ones I wouldn't want read. Would you use gnupg or some other form of encryption?
Ubuntu 18.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19 on "late 2015" 5k iMac
Ubuntu 18.10 and Arch on Dell XPS 13

Offline ssfc72

This is a dated article (2011) but it covers some concerns about how secure Dropbox is.
https://www.techrepublic.com/blog/it-security/dropbox-convenient-absolutely-but-is-it-secure/

Since Dropbox is based in the US, I would not consider Dropbox to be secure from the prying eyes of the US government.

If I was wanting to store any sensitive files on Dropbox, I would perhaps look at using Truecrypt to store a Truecrypt drive/Folder in my Dropbox Folder.
« Last Edit: June 19, 2018, 08:32:23 am by ssfc72 »
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline fox

Is Google Drive any more secure? I ask because I have free storage in both Dropbox and Google Drive.
« Last Edit: June 19, 2018, 07:09:23 am by fox »
Ubuntu 18.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19 on "late 2015" 5k iMac
Ubuntu 18.10 and Arch on Dell XPS 13

Offline ssfc72

My guess would be that Google Drive would be the same as Dropbox for the security of your stored files.

I suspect that certain employees of the Cloud services and the US government could gain access to your stored files, which are encrypted with the Cloud services' security.

Depending on what level of security you need for your files, I think the files are probably secure enough from any casual prying by the employees of the Cloud services.
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

Quote
This is a dated article (2011) but it covers some concerns about how secure Dropbox is.
https://www.techrepublic.com/blog/it-security/dropbox-convenient-absolutely-but-is-it-secure/

Since Dropbox is based in the US, I would not consider Dropbox to be secure from the prying eyes of the US government.

If I was wanting to store any sensitive files on Dropbox, I would perhaps look at using Truecrypt to store a Truecrypt drive/Folder in my Dropbox Folder.

I concur except I'd suggest using Veracrypt now. As far as I know, Truecrypt is no longer being updated and even the creator of the software recommended people not use it because of some major security flaws he discovered. But the code was open and programmers worked on it and found and addressed security flaws and forked a new project called Veracrypt.
Primary: Desktop Tower with Kubuntu 18.10 on i5-3470 3.2 GHz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID-10 array for programs/data

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Linux Du Jour, (i3-2367M 1.4 GHz, 4GB RAM, 128GB SDD)

Offline ssfc72

Wow, thanks for the info on Truecrypt, Jason.
Time flies, Truecrypt was discontinued back in 2014, according to Wikipedia.
I will have to try out Veracrypt.
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline fox

Well I downloaded it and tried to make an encrypted volume, but I can't figure out how this works. What I was hoping for is that I could create a folder, put files in it I want encrypted, encrypt the folder, and then store it on Dropbox. I don't think Veracrypt even makes encrypted folders.

I also tried encrypting the files in a folder with openPGP, using a password instead of a key. This creates .pgp files in a folder, but clicking on it just recreates the file in the same folder, leaving the PGP file. And when that happens, I'm not asked for a password, so what good is this?
« Last Edit: June 19, 2018, 02:12:44 pm by fox »
Ubuntu 18.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19 on "late 2015" 5k iMac
Ubuntu 18.10 and Arch on Dell XPS 13
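
Added example, not written by any poster in this thread: per-file gpg encryption with a passphrase instead of a key, the route tried in the post above, arranged so the plaintext is deleted only after the ciphertext verifies and gpg does not cache the passphrase between runs. The function names, directory layout and passphrase file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. PASSFILE (first line = passphrase) and the
# directory names are assumptions; keep PASSFILE outside the synced folder.

# gpg with a passphrase instead of a key pair: no prompts, no passphrase
# caching (--no-symkey-cache needs GnuPG 2.2.7 or later).
gpg_sym() {
    gs_pass=$1; shift
    gpg --batch --yes --quiet --no-symkey-cache --pinentry-mode loopback \
        --passphrase-file "$gs_pass" "$@"
}

# encrypt_dir SRC DEST PASSFILE
# Writes DEST/<name>.gpg for each file in SRC, confirms the ciphertext decrypts
# to the same bytes, and only then deletes the plaintext from SRC.
encrypt_dir() {
    ed_src=$1 ed_dest=$2 ed_pass=$3
    mkdir -p "$ed_dest" || return 1
    for ed_f in "$ed_src"/*; do
        # Skip non-files and empty files (the byte comparison below would
        # pass vacuously on an empty file).
        [ -f "$ed_f" ] && [ -s "$ed_f" ] || continue
        ed_out="$ed_dest/$(basename "$ed_f").gpg"
        gpg_sym "$ed_pass" --symmetric --cipher-algo AES256 \
            --output "$ed_out" "$ed_f" || return 1
        if gpg_sym "$ed_pass" --decrypt "$ed_out" 2>/dev/null | cmp -s - "$ed_f"
        then
            rm -f -- "$ed_f"
        else
            echo "verify failed, plaintext kept: $ed_f" >&2
            return 1
        fi
    done
}

# decrypt_file FILE.gpg PASSFILE: plaintext goes to stdout, nothing is written
# next to the ciphertext in the synced folder.
decrypt_file() {
    gpg_sym "$2" --decrypt "$1"
}
```

Keep SRC outside the Dropbox folder and point DEST inside it, so only `.gpg` files are ever uploaded; `rm` unlinks the plaintext but does not overwrite its disk blocks.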

Offline ssfc72

This YouTube video may help you to understand how to create a Veracrypt file/Volume.
https://www.youtube.com/watch?v=fSRGWfmnNzI

When you create a file, at the very beginning, just create that file in your Dropbox Folder, on your computer.

This tutorial is also helpful:
https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html
« Last Edit: June 19, 2018, 05:55:44 pm by ssfc72 »
Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason Wallwork

As Bill's links show, it works on the principle of an encrypted volume. When you create an encrypted volume it looks like just a file to the OS until you mount it. Mounting it basically decrypts it and you see it as if you had plugged in an external drive. Then when you unmount it, it's re-encrypted and becomes just a file again. So just keep that file in your Dropbox folder.

I did a presentation on Veracrypt once at a meeting but not sure if you were there.
Primary: Desktop Tower with Kubuntu 18.10 on i5-3470 3.2 GHz with 12 GB RAM, 64 GB SSD for OSes, 4 TB RAID-10 array for programs/data

Secondary/Test: Toshiba Satellite Ultrabook Z830-00K w/ Linux Du Jour, (i3-2367M 1.4 GHz, 4GB RAM, 128GB SDD)

Offline fox

Jason walked me through the installation and operation of Veracrypt last night at PLUG MUG. Normally I can follow the kind of instructions posted, but there was some terminology that threw me through a loop. At any rate, I was able to set up a folder (called a volume in Veracrypt) and put files in it that I wanted encrypted. The next thing I tested was the effect of not properly unmounting the encrypted "volume"; i.e. ejecting it from the desktop and not unmounting it from a Veracrypt application window. This didn't hurt anything. I then tested it more severely by improper shutdown of my laptop while a "volume" was mounted. (To simulate an electrical power loss.) Again, no negative effect, but note that in both tests I didn't have any encrypted files open. I should try this with a file open next time.

Since I might have to access files in the encrypted folder from different platforms, that formed the basis of my next tests. I installed Veracrypt on a Mac OS partition on my iMac and on a Windows partition on my laptop. I had access to the files from both OSes and the operation was virtually the same on Linux, Mac or Windows.

My encrypted folder is stored in Dropbox so that I can access it from different devices. One of those devices I wanted to access it from is my Android tablet, and here is where I ran into a small problem. There is no version of Veracrypt for Android, but there is an Android program called EDS that allows access to Veracrypt "volumes". The free version, EDS lite, looks to work OK, but not on "volumes" stored on Dropbox. For this you need the paid version ($9.95). I stopped here because I'm not sure I actually need access to these files on my tablet and if I do, I can buy the app on the spot. The other way to access the files would be to store a hard copy on my tablet, but if I changed any file that way it wouldn't sync to my Dropbox versions.
« Last Edit: June 28, 2018, 08:32:41 am by fox »
Ubuntu 18.10 and openSUSE Leap on 2011 iMac
Linux Mint Cinnamon 19 on "late 2015" 5k iMac
Ubuntu 18.10 and Arch on Dell XPS 13

Offline ssfc72

Regarding the possibility of corrupting or losing the encrypted volume.

Follow the golden rule - image your drive. :-)


Quote
The next thing I tested was the effect of not properly unmounting the encrypted "volume"; i.e. ejecting it from the desktop and not unmounting it from a Veracrypt application window. This didn't hurt anything. I then tested it more severely by improper shutdown of my laptop while a "volume" was mounted. (To simulate an electrical power loss.) Again, no negative effect, but note that in both tests I didn't have any encrypted files open. I should try this with a file open next time.


Mint 18.3 on an HP Pavilion X360, 11" k120ca notebook
Tried Mint 19, but too many bugs. Went back to Mint 18.3
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go