Dropbox: do you trust them with your data?

I don’t really know what category this goes into.

I was wondering how folks felt about storing data in Dropbox that might contain information such as bank account numbers, social security numbers, or any other form of sensitive information. (BTW: Yes, I actually store that kind of stuff in 1Password. However, I have a lot of files syncing between computers that contain information that should not be spread “wild” on the internet.)

I have tried using services like Sync.com that provide a Dropbox-like experience but with zero-knowledge encryption, e.g., they do NOT have the keys to decrypt your files and so cannot supply them to any third party, and more importantly, in the event of a data breach, the files cannot be decrypted by anyone else. However, these services do not sync all of the macOS metadata, and I need things like Finder tag syncing for my workflows.

Dropbox has the best, as far as I can tell, overall functionality. It is my understanding that files are encrypted both in transit and at rest on Dropbox’s servers (correct me if I am wrong), BUT the encryption is with Dropbox’s keys which means that they can be subject to data breaches.

My question is how realistic is that concern at this point (I know they had issues at one point in the past, but perhaps that is all behind us if they have fixed said issues).

Do you feel comfortable with Dropbox’s data security?

As long as you use a great password and 2FA (1Password :wink:) you are fine.

If you can’t trust that because of listening to too many conspiracy theories, or have data that is very, very sensitive like the nuclear codes or Mr. T’s tax returns…

I agree with @MacExpert.
If you have things you’re still concerned about uploading to a cloud service, you can create an encrypted disk image in your Dropbox folder. The whole image will sync when anything changes, one of the trade offs.

N.B. check to be sure disk images aren’t excluded from syncing.

Dropbox, Apple, and Google all state their data is encrypted at rest. Dropbox finished moving the majority of their data from AWS to their own datacenter early in 2018. Apple currently stores iCloud data in its own datacenters and on AWS and Google. At one time they were also using Microsoft Azure; some report that is no longer the case.

All three offer excellent security, IMO, but I will never store data like SSN, tax records, birth certificates, passports, drivers license, etc. in the cloud unencrypted. I keep records like this only in 1Password and on my local drives.

Nothing is totally secure, so weigh the possibility of a breach against the convenience of storing the data online.


Yes for storing the important documents and data in 1Password!!!
However, if you sync it through their or any other cloud service, one still has to have faith in the provider.

“The cloud is someone else’s computer” …

There is the option to sync 1Password locally though :hugs:


I would not store information like password data or important personal / financial data in dropbox unless it is stored in an encrypted container that I control. Statements of companies that data is “encrypted at rest” are useless if they control the keys used to encrypt/decrypt the data, or control the communication between client and server.


For this reason I started using Boxcryptor for syncing sensitive folders with Dropbox. Works fine on the Mac and iOS.


Encryption at rest doesn’t mean much if Dropbox manages the keys. They had a privacy snafu a couple of years ago. Of all of the major cloud storage providers Dropbox is the one I trust least…

I’m just gonna suggest, that when someone goes to significant effort to tell you who they are, you should probably pay attention.

It’s not that I don’t think they have a strong business case to keep other actors out of your data, because clearly they do. They don’t have a great track record, but it’s still in their best interests. Any suggestion that they won’t themselves abuse the data you store with them, or give government agencies access without proper scrutiny or process, however, is wilful ignorance.

Boxcryptor is a strong solution. However, you still have to rely on someone else’s computer…

It’s a lesson they learned from. All these services have everything riding on trust. From that point of view, Apple is doing a great job.

What are the best ways to encrypt data / files on your computer?

Thanks for all the responses. You are reflecting exactly what I have been concerned about. If you don’t own the keys your data cannot be considered totally secure.

I do keep all things like passwords, SSNs, etc., in 1Password. I happen to use their sync service, but would not have a problem putting their data on Dropbox as it is encrypted with my key.

I don’t want to go the encrypted sparse bundle route because that kills the convenience of the cloud sync.

Right now I am using ResilioSync, which works well, but it would be ideal to have a cloud location as well.

It’s just for this reason that I signed up for Sync.com, but unfortunately they don’t sync Finder tags. They say it’s because of the encryption which prevents them from doing that, although I don’t know why that is the case, but it doesn’t matter as they are not doing it.

Dropbox is almost a necessity since so many apps use it for syncing configuration across machines (Alfred, BBEdit, Keyboard Maestro) and I would like to consolidate into just one folder and sync system.

I am also not that familiar with Boxcryptor, but will take a look.

Agreed. I was speaking primarily about the fact that Apple apparently trusts all the major cloud providers technology.

I use Google Drive for the bulk of my online storage. I’ve been a Gmail user since the beginning and understand their technology. And I like how they have stood up to the US government in the past.

I would prefer to use iCloud more than I do, but its performance is consistently inferior to both Google & Dropbox. Google syncs immediately; iCloud does when it gets around to it. This is true whether the Mac is new or old, or whether the upload speed available is 5 Mbps or 1 Gbps.

In any event, I expect our illusion of privacy won’t last much longer.


Just so you know, if you make a sparsebundle image, Dropbox will not resync the whole image, just the part that changed, even if it’s encrypted. I just tried it to make sure with a sparsebundle of 22GB and put a little file in it to see what would happen, and it synced in seconds. So no need to worry about having to resync everything from scratch. To my knowledge, Dropbox is the ONLY major cloud provider that does this. OneDrive and Google Drive do resync everything every time. I’m not sure about iCloud, though, but I think it behaves like OneDrive and Google Drive.
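The two posts above, the suggestion to keep an encrypted disk image in the Dropbox folder and the observation that a sparsebundle only re-uploads the bands that changed, can be tried out with the script below. It is an added example for this thread, not code from any poster or from Dropbox or Apple. It assumes macOS `hdiutil` for creating and mounting the image, a Dropbox folder at `~/Dropbox`, and a volume name of `Vault` (so the mount point is `/Volumes/Vault`); all three are assumptions. The band report (`band_digests` / `changed_bands`) only needs a directory laid out like a `.sparsebundle`, so it runs anywhere. Note that `-stdinpass` reads the passphrase up to a NUL or EOF, so a trailing newline would silently become part of it.

```python
#!/usr/bin/env python3
"""Encrypted sparse bundle in a synced folder, plus a band-level change report.

Added example for this thread, not code from any poster or from Dropbox/Apple.
Assumes macOS hdiutil for create/attach/detach, a Dropbox folder at ~/Dropbox
and a volume name of "Vault" (all assumptions); the band report works on any
directory laid out like a .sparsebundle.
"""
import hashlib
import plistlib
import subprocess
from pathlib import Path

DEFAULT_BUNDLE = Path.home() / "Dropbox" / "Vault.sparsebundle"  # assumed path
VOLNAME = "Vault"                                                 # assumed name


def create_cmd(bundle: Path, size: str = "20g", volname: str = VOLNAME) -> list[str]:
    """hdiutil arguments for an AES-256 encrypted sparse bundle.

    -stdinpass keeps the passphrase off the command line, where `ps` would show it.
    APFS needs a recent macOS; use -fs HFS+ on older systems.
    """
    return ["hdiutil", "create", "-size", size, "-type", "SPARSEBUNDLE",
            "-encryption", "AES-256", "-stdinpass", "-fs", "APFS",
            "-volname", volname, str(bundle)]


def attach_cmd(bundle: Path) -> list[str]:
    return ["hdiutil", "attach", "-stdinpass", str(bundle)]


def detach_cmd(mountpoint: Path) -> list[str]:
    return ["hdiutil", "detach", str(mountpoint)]


def run_with_passphrase(cmd: list[str], passphrase: str) -> None:
    """Feed the passphrase on stdin. No trailing newline: hdiutil reads stdin up
    to a NUL or EOF, so a stray "\\n" would silently become part of the passphrase."""
    subprocess.run(cmd, input=passphrase.encode(), check=True)


def band_size(bundle: Path) -> int:
    """Bytes per band, from the bundle's Info.plist (8 MiB by default on macOS)."""
    with open(bundle / "Info.plist", "rb") as f:
        return int(plistlib.load(f)["band-size"])


def band_digests(bundle: Path) -> dict[str, str]:
    """SHA-256 of every file under bands/. A sparse bundle is a directory of
    fixed-size slices of the encrypted disk; a small write inside the mounted
    volume rewrites only the bands covering those blocks, which is why a
    file-level sync client re-uploads only those bands, not the whole image."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted((bundle / "bands").iterdir()) if p.is_file()}


def changed_bands(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """Bands added or modified between two snapshots: the sync client's upload set."""
    return sorted(name for name, digest in after.items() if before.get(name) != digest)


if __name__ == "__main__":
    import getpass
    import sys

    bundle = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_BUNDLE
    if not bundle.exists():
        run_with_passphrase(create_cmd(bundle), getpass.getpass("New passphrase: "))
    before = band_digests(bundle)
    run_with_passphrase(attach_cmd(bundle), getpass.getpass("Passphrase: "))
    input(f"Mounted at /Volumes/{VOLNAME}. Add or edit a file there, then press Enter...")
    subprocess.run(detach_cmd(Path("/Volumes") / VOLNAME), check=True)
    changed = changed_bands(before, band_digests(bundle))
    print(f"{len(changed)} of {len(before)} bands changed "
          f"(~{len(changed) * band_size(bundle) // 2**20} MiB to upload): {changed}")
```

Run it, drop a small file into the mounted volume, eject, and the report shows how few bands (and how many MiB) a client that syncs per file has to push; that is the figure to compare against a provider that re-uploads the whole image.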

If you unpack the sparse bundle while it is on Dropbox, the data is decrypted.
Also, if this file is downloaded from the account by someone else, they can brute force the password.

The unencrypted data should never be written to any storage system: it’s decrypted as it’s read and encrypted as its written.

A brute force attack on a sparse bundle (or sparse image) is (barring a serious implementation flaw) a brute force attack on AES-256 (assuming that’s the cipher chosen; I think that’s the default). A key generated from a well chosen passphrase should resist brute force attacks well past the heat death of the universe pretty much regardless of how much computing power is thrown at the problem :slight_smile:
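The post above rests on the passphrase being "well chosen". The calculation below, an added example for this thread and not from any poster, puts numbers on that: an attacker with a copy of the image does not attack the 256-bit key, they guess the passphrase, so the search space is the passphrase's entropy, and a password KDF slows each guess by its iteration count. The guess rate (1e12 hashes/s) and the KDF iteration count (100,000) are assumptions to substitute your own figures into, not measurements of macOS disk images.

```python
#!/usr/bin/env python3
"""Cost of an offline guessing attack on an encrypted disk image's passphrase.

Added example for this thread, not from any poster. Assumes the attacker holds
a copy of the image (say, from a provider breach) and attacks the passphrase,
not the 256-bit key itself. The guess rates and KDF iteration count below are
assumptions to plug your own numbers into, not measurements of macOS.
"""
import math

SECONDS_PER_YEAR = 365.25 * 86400
UNIVERSE_AGE_S = 4.35e17          # ~13.8 billion years, the "heat death" yardstick
DICEWARE_WORDS = 7776             # 6^5 entries in a standard diceware list
ALNUM_LOWER = 26 + 10             # a-z plus 0-9


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a passphrase whose symbols are picked uniformly at random.
    Human-chosen passwords have far less, so this is an upper bound for them."""
    return length * math.log2(alphabet)


def kdf_adjusted_rate(raw_hashes_per_s: float, kdf_iterations: int) -> float:
    """A password KDF (PBKDF2 and friends) costs `kdf_iterations` hashes per
    guess, so a cracking rig's raw hash rate divides by that to get guesses/s."""
    return raw_hashes_per_s / kdf_iterations


def expected_crack_seconds(bits: float, guesses_per_s: float) -> float:
    """On average the right guess turns up halfway through the keyspace."""
    return 2 ** bits / 2 / guesses_per_s


def describe(label: str, alphabet: int, length: int, guesses_per_s: float) -> dict:
    """Summarise one passphrase scheme against one attacker rate."""
    bits = entropy_bits(alphabet, length)
    secs = expected_crack_seconds(bits, guesses_per_s)
    return {
        "label": label,
        "bits": round(bits, 1),
        "years": secs / SECONDS_PER_YEAR,
        "outlasts_universe": secs > UNIVERSE_AGE_S,
    }


if __name__ == "__main__":
    raw = 1e12  # assumed: a large GPU rig doing 1e12 raw hashes per second
    attackers = (
        ("no KDF", raw),
        ("PBKDF2 x 100,000 (assumed)", kdf_adjusted_rate(raw, 100_000)),
    )
    schemes = (
        ("8 random lowercase+digits", ALNUM_LOWER, 8),
        ("6-word diceware", DICEWARE_WORDS, 6),
        ("8-word diceware", DICEWARE_WORDS, 8),
    )
    for attacker_label, rate in attackers:
        print(f"--- {attacker_label}: {rate:.3g} guesses/s")
        for label, alphabet, length in schemes:
            r = describe(label, alphabet, length, rate)
            print(f"{r['label']:28s} {r['bits']:6.1f} bits  "
                  f"{r['years']:14.3g} years  outlasts universe: {r['outlasts_universe']}")
```

With these assumptions an 8-character random lowercase-plus-digit password falls in about a second without a KDF, a 6-word diceware passphrase lasts a few thousand years (a few hundred million with the KDF), and only at 8 words does the expected time exceed the age of the universe. The cipher's key size never enters the calculation; the passphrase does.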

I thought partial uploads were common when using sparsebundles. We used several large encrypted sparsebundles hosted on local servers at my last job. Updates synced very quickly, but then again that was using gigabit ethernet.

I just ran a test on Google Drive using Google’s Backup and Sync software. This allowed me to watch the bands, info.plist, etc. as they sync. I opened the sparsebundle (which caused 3 files to upload), added an epub file, and upon closing the sparsebundle, only five files were uploaded.

I’m not sure about iCloud either :slight_smile:

Resilio Sync has the option to encrypt a remote folder, so you could put that remote folder on Dropbox to get the cloud feature and still have it be encrypted.

Resilio Sync is a great sync tool, although I loathe the name (I can never spell it correctly). I have no idea why they changed it from BitTorrent Sync, but I assume it was because people associate BitTorrent with nefarious uses and they wanted to seem respectable.

I do use it to sync my git repos to Dropbox without the .git folder (RS has a nice feature where you can tell it to ignore certain files/folders), so I don’t have to worry about the git part getting mucked up by Dropbox sync.