I was wondering how folks felt about storing data in Dropbox that might contain information such as bank account numbers, social security numbers, or any other form of sensitive information. (BTW: Yes, I actually store that kind of stuff in 1Password. However, I have a lot of files syncing between computers that contains information that should not be spread “wild” on the internet.)
I have tried using services like Sync.com that provide a Dropbox-like experience but with zero-knowledge encryption, eg they do NOT have the keys to decrypt your files and so cannot supply them to any third party, and more importantly in the event of a data breach, they files cannot be decrypted by anyone else. However, these services do not sync all of the MacOS metadata, and I need things like Finder tag syncing for my workflows.
Dropbox has the best, as far as I can tell, overall functionality. It is my understanding that files are encrypted both in transit and at rest on Dropbox’s servers (correct me if I am wrong), BUT the encryption is with Dropbox’s keys which means that they can be subject to data breaches.
My question is how realistic is that concern at this point (I know they had issues at one point in the past, but perhaps that is all behind us if they have fixed said issues).
Do you feel comfortable with Dropbox’s data security?
As long as you use a great password and 2FA (1 Password you are fine.
If you can’t trust that because of listing to to many conspiracy theories or have data that is very very sensitive like the nuclear codes or Mr’ T’s tax returns…
I agree with @MacExpert.
If you have things you’re still concerned about uploading to a cloud service, you can create an encrypted disk image in your Dropbox folder. The whole image will sync when anything changes, one of the trade offs.
N.B. check to be sure disk images aren’t excluded from syncing.
Dropbox, Apple, and Google all state their data is encrypted at rest. Dropbox finished moving the majority of their data from AWS to their own datacenter early in 2018. Apple currently stores iCloud data in its own datacenters and on AWS and Google. At one time they were also using Microsoft Azure, some report that is no longer the case
All three offer excellent security, IMO, but I will never store data like SSN, tax records, birth certificates, passports, drivers license, etc. in the cloud unencrypted. I keep records like this only in 1Password and on my local drives.
Nothing is totally secure, so weigh the possibility of a breach against the convenience of storing the data online.
Yes for storing the important documents and data in 1Password!!!
However if you sync it trough their or any other cloud service one still has to have faith in the provider.
“The could is someone else computer” …
There is the option to sync 1password locally dough
I would not store information like password data or important personal / financial data in dropbox unless it is stored in an encrypted container that I control. Statements of companies that data is “encrypted at rest” are useless if they control the keys used to encrypt/decrypt the data, or control the communication between client and server.
Encryption at rest doesn’t mean much if Dropbox manages the keys. They had a privacy snafu a couple of years ago. Of all of the major cloud storage providers Dropbox is the one I trust least…
Thanks for all the responses. You are reflecting exactly what I have been concerned about. If you don’t own the keys your data cannot be considered totally secure.
I do keep all things like passwords, SS#'s, etc, in 1Password. I happen to use their sync service, but would not have problem putting their data on Dropbox as it is encrypted with my key.
I don’t want to go the encrypted sparse bundle route because that kills the convenience of the cloud sync.
Right now I am using ResilioSync, which works well, but it would be ideal to have a cloud location as well.
It’s just for this reason that I signed up for Sync.com, but unfortunately they don’t sync Finder tags. They say it’s because of the encryption which prevents them from doing that, although I don’t know why that is the case, but it doesn’t matter as they are not doing it.
Dropbox is almost a necessity since so many apps use it for syncing configuration across machines (Alfred, BBEdit, Keyboard Maestro) and I would like to consolidate into just one folder and sync system.
Agreed. I was speaking primarily about the fact that Apple apparently trusts all the major cloud providers technology.
I use Google Drive for the bulk of my online storage. I’ve been a Gmail user since the beginning and understand their their technology. And I like how they have stood up to the US government in the past.
I would prefer to use iCloud more than I do, but it’s performance is consistently inferior to both Google & Dropbox. Google syncs immediately, iCloud does when it gets around to it. This is true if the Mac is new or old, or if the upload speed available is 5mb or 1gb.
In any event, I expect our illusion of privacy won’t last much longer.
Just so you know, if you make a sparsebundle image, Dropbox will not resync the whole image, just the part that changed, even if it’s encrypted. I just tried it to make sure with a sparsebundle of 22GB and put a little file in it to see what would happen and it synced in seconds. So no need to worry about having to resync everything from scratch. To my knowledge, Dropbox is the ONLY major cloud provider that does this. One Drive, Google drive do resync everything every time. I’m not sure about iCloud though but I think it behaves like One Drive and Google Drive.
If you unpack the sparse bundle while on dropbox the data is decrypted.
Also if this file is downloaded from the account by someone else they nan brute force the password.
The unencrypted data should never be written to any storage system: it’s decrypted as it’s read and encrypted as its written.
A brute force attack on a sparse bundle (or sparse image) is (barring a serious implementation flaw) a brute force attack on AES-256 (assuming that’s the cypher chosen; I think that’s the default). A key generated from a well chosen passphrase should resist brute force attacks well past the heat death of the universe pretty much regardless of how much computing power is thrown at the problem
I thought partial uploads was common when using sparsebundles. We used several large encrypted sparsebundles hosted on local servers at my last job. Updates synced very quickly, but then again that was using gigabit ethernet.
I just ran a test on Google Drive using Google’s Backup and Sync software. This allowed me to watch the bands, info.plist, etc. as they sync. I opened the sparsebundle (which caused 3 files to upload), added an epub file, and upon closing the sparsebundle, only five files were uploaded.
Resilio Sync has the option to encrypt a remote folder, so you could put that remote folder on Dropbox to get the cloud feature and still have it be encrypted.
Resilio Sync is a great sync tool, although I loathe the name (I can never spell it correctly). I have no idea why they changed it from BitTorrent Sync, but I assume it was because people associate BitTorrent with nefarious uses and they wanted to seem respectable.
I do use it to sync my git repos to Dropbox without the .git folder (RS has a nice feature where you can tell it to ignore certain files/folders), so I don’t have to worry about the git part getting mucked up by Dropbox sync.
I had Resilio Sync and Dropbox sync the same folder at one time and it REALLY is a BAD idea! I almost lost data due to the fact RS deleted some files it shouldn’t. Thank god I saw it before the versions expired on my Dropbox. I rely on Dropbox still, but uninstalled Resilio which was hit or miss too often.
you are fine.
