

Ask HN: Secure Dropbox alternatives? - nuttendorfer

What secure synchronizing services with roughly the same features as Dropbox are there?
======
epper
Wuala: <http://www.wuala.com>

Data is encrypted with your password on the client side, your password never
leaves your PC. They published a paper on their security implementation:
[http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4032...](http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4032481)

It allows you to synchronize multiple folders and it gives access to a certain
number of previous versions. You can also share folders with friends, publicly
or via a secret link.

It's cross-platform: Win, Mac, Linux.

I've been a happy customer for more than a year (it's free up to 2GB though) and I
wonder why so few people know about it.

~~~
mvrekic
Problem with this approach is sharing and key management.

If you want to send something to someone, that means you need to securely
communicate the key to them first or take the SpiderOak approach of "We
guarantee security locally but if you share a file = file is shared
unencrypted".

~~~
epper
True, but if you both are friends on Wuala you can do it easily.

Provided that no man in the middle attacks take place during the "friendship"
operation :)

------
jpsirois
On OSX, you just have to put all your files in a 256-bit AES encrypted
sparsebundle disk image in your dropbox folder.

------
cpt1138
tarsnap is the only one that stands out in terms of security.

<http://www.tarsnap.com/>

~~~
nuttendorfer
But that's backup only and there's no real Windows client.

------
rdl
There are other services which advertise security, but nothing where you
actually are likely to audit the code. Even if their security model is better
than what Dropbox is now using, you have to factor in availability issues
(Dropbox seems more solid as a business than a lot of the others),
functionality, etc. You also need to trust the entire development process,
release engineering, and knowing your binaries correspond to the source code.
It's not easy.

There is a slight benefit to "must ship trojaned software to recover
passphrase, then decrypt" vs. "just access data server-side", but in practice,
if your threat is the government, there's not a huge difference. If your
threat is a server break-in by a third party, then there's some difference.

Overall, probably the best bet, if you don't run your own servers, is Dropbox
plus your choice of well tested encryption on top. As for your best well-
tested encryption, that's a hard problem too -- Truecrypt has a pretty wide
following and some versions have been audited, and source is published. For
general purpose use on Macs, I just use Apple's encryption -- it's probably
ok, but as far as I know, hasn't really been analyzed by third parties (I'd be
happy to NDA and look at it). I rationalize it as if Apple is subverted, and I
use OSX, I'm fucked even if third party disk encryption software itself is
safe.

~~~
nuttendorfer
Is it possible to use Truecrypt in Dropbox without issues?

~~~
michaelcampbell
Sure. But you remove the benefit of syncing small diffs; you pretty much have
to sync the entire truecrypt volume.

~~~
joev
My (former) home network backup solution had a truecrypt volume created
locally, and rsync'ed to my offsite backup provider (rsync.net). It did not
have to send the entire volume for small diffs; in my experience, Truecrypt
keeps local changes local in the volume.

~~~
michaelcampbell
That's a good point; thanks. I'm not sure if Dropbox diffs at sub-file level -
perhaps it does.

The short story is that Dropbox + Truecrypt work fine, but may not (or may!)
be optimal.
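
The sync-cost question in this subthread, as an added example that is not part of the original comments: it compares how many fixed-size blocks a block-hash sync would resend after a 10-byte edit, for a sector-encrypted container versus whole-file encryption with a fresh nonce. Assumptions: the SHA-256 keystream is an insecure toy stand-in for a real sector cipher, and the sector size, block size and fixed-offset comparison are illustrative (rsync itself uses rolling checksums).

```python
import hashlib
import os

SECTOR = 512    # container sector size (assumption)
BLOCK = 4096    # block size the sync tool compares (assumption)

def _keystream(key, tweak, n):
    # Toy keystream: SHA-256 in counter mode. Demo only, NOT secure.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + tweak + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_container(key, plaintext):
    # Each sector is encrypted independently, tweaked only by its index,
    # so editing one sector leaves every other sector's ciphertext intact.
    out = bytearray()
    for off in range(0, len(plaintext), SECTOR):
        sector = plaintext[off:off + SECTOR]
        tweak = (off // SECTOR).to_bytes(8, "big")
        out += _xor(sector, _keystream(key, tweak, len(sector)))
    return bytes(out)

def encrypt_whole_file(key, plaintext):
    # Whole-file encryption with a fresh random nonce on every save:
    # the entire ciphertext changes even for a tiny plaintext edit.
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def changed_blocks(old, new):
    # Count fixed-offset blocks whose hashes differ between two versions.
    size = max(len(old), len(new))
    return sum(
        hashlib.sha256(old[i:i + BLOCK]).digest()
        != hashlib.sha256(new[i:i + BLOCK]).digest()
        for i in range(0, size, BLOCK))

def demo():
    key = b"constructed demo key"
    v1 = bytes(256 * 1024)                     # constructed 256 KiB volume
    v2 = v1[:100_000] + b"small edit" + v1[100_010:]
    container = changed_blocks(encrypt_container(key, v1), encrypt_container(key, v2))
    whole = changed_blocks(encrypt_whole_file(key, v1), encrypt_whole_file(key, v2))
    return container, whole

if __name__ == "__main__":
    print(demo())
```

The locality that makes delta sync cheap also means anyone who can see successive versions of the container learns which regions changed.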

------
gglanzani
I personally use SpiderOak[^1], which gives 2GB for free and 100GB/month for
10$ (5$ for edu accounts), and encrypts your data locally, before sending it
to the cloud.

Moreover they don't even store your password in the server (sign in is locally
handled), and they claim to have a zero-knowledge policy. As others said, you
have to ultimately trust them; however they want to release their client
software under an open source license, so one should be able, eventually, to
check their claims.

[^1]:
[https://spideroak.com/download/referral/b26d996944aeed4254f6...](https://spideroak.com/download/referral/b26d996944aeed4254f695cbe7501fea)
(careful, it's a referral)

Edit: removed the link inline.

------
iso8859-1
lsyncd, unison

See reddit threads:

* [http://www.reddit.com/r/linux/comments/iad3q/7_good_dropbox_...](http://www.reddit.com/r/linux/comments/iad3q/7_good_dropbox_alternatives_for_linux/)

* [http://www.reddit.com/r/sysadmin/comments/nzdco/i_like_dropb...](http://www.reddit.com/r/sysadmin/comments/nzdco/i_like_dropbox_is_there_an_open_source_alternative/)

* [http://www.reddit.com/r/linux/comments/im8fc/vbox_open_sourc...](http://www.reddit.com/r/linux/comments/im8fc/vbox_open_source_dropbox_alternative/)

------
mkuhn
Wuala - <http://wuala.com/>

All files get encrypted and are stored redundantly. No one unauthorized - not
even Wuala as the provider - can access the files.

~~~
brador
Does wuala have physical ownership and exclusive, secure physical access to
their own servers or is it up on the cloud? If it's cloud, access prevention
from snoopy authority cannot be guaranteed, since a single loose warrant could
tap every box.

If someone wants to encrypt their data, then they'd probably want to know the
physical security around the box holding their data too. Stallman's probably
mentioned this at some point.

~~~
mkuhn
I don't know all details but what I know:

- Wuala runs on dedicated machines in (I think three) different data centers.
It isn't their own data center though.

- Data is encrypted on the client side.

- Wuala is hosted outside of the US or US jurisdiction

~~~
epper
Yep, servers are in Europe.

They say in their FAQ that their servers are in secure server farms in
Switzerland, Germany and France.

------
ehh
I really like JungleDisk (<https://www.jungledisk.com/>). They have a Mac,
Linux and Windows client and encrypt all files locally before uploading to
cloud storage providers. You can choose between S3 or Rackspace for your
storage.

------
csh
Dropbox + encfs. Works fine for me on all platforms (Windows/OS X/Linux). It
has some rough edges though: File update notifications will refer to the
encrypted file, and the browser interface will only show you encrypted file
names as well.

------
twodayslate
I use SugarSync. They just had (or maybe still have) a 50% off deal. If you
want I can give you a referral. Free to try and can easily get more space by
referring others.

------
jhi247
<http://www.boxcryptor.com/> does client-side encryption for DropBox.

Runs on Win, Mac, Linux, iOS, Android.

~~~
nuttendorfer
I've looked at this previously but

* It seems to be closed source

* The German government is involved (Close friends with the US)

~~~
jhi247
Yes, it is closed source.

The German gov is involved?! Ha ha, the North Koreans as well?

------
jmacd
TitanFile is great! They also sent an email out to customers this week with a
preview of their new version and it looked like it had a much nicer UI as
well.

~~~
mvrekic
TitanFile solves the problem of secure file sharing and tracking
(accountability) as the data is secured end-to-end, there is notification of
receipt/download (who accessed the files, where from, at what time etc) and
ability to set files as read-only (access only from the browser window over
SSL connection) as well as verify identity of recipient before giving them
access to the files (2 factor authentication) without requiring recipient to
have a TitanFile account.

Dropbox kicks ass as "file system of the internet" but sharing files with
people in a secure and private way with dropbox is a big pain.

With next release we will integrate with dropbox and Google Docs as well.

Disclaimer: I am from TitanFile

------
ksankar
Egnyte : www.egnyte.com

Hybrid Storage with multiple access methods : Web, Desktop (Win/Mac), Mobile &
FTP.

Flexible subfolder sync with versioning

------
JosephRedfern
You could roll your own with something like:
<https://github.com/bazaarlabs/gitdocs>

------
jtemplin
Bitcasa is using local encryption:

<http://www.bitcasa.com>

------
kingrwac
We use Egnyte (<http://www.egnyte.com>) at our office, it does file sync like
Dropbox, except more secure and scalable.

------
ljy
After dropbox, I use sugarsync and I'm really happy with it

------
dkoller82
TrustDEX for enterprise usage

