Explaining Encryption for the Cloud

Encryption is the foundation of online privacy. It keeps our data and online activities safe from prying eyes. In this article we’ll give a brief overview of how encryption is used in the cloud, and what you can do on your own to make it more secure.

By far, the most common use for encryption is to secure connections between computers, such as between your web browser and the site you’re visiting. The computers on either end of the connection perform a “handshake” to agree on a secret “key” which is used to scramble the data as it passes over the network, preventing anyone else from intercepting and decoding it. Both participants in the connection can decipher the other’s encrypted messages because they each know the key. However, this form of encryption only protects against eavesdropping. Whoever controls the website you’re browsing can see the decrypted data that arrives on their end and then do whatever they want with it (which usually means storing it in an un-encrypted database). This is usually OK, because we want the web site to see what we’re sending it. Our status updates on social media would be of little use if nobody could read them.

But what about storing private files in the cloud? It may be convenient to allow a company like Apple or Dropbox to store our private photos, but do we want their employees to be able to peek at them? What about the government? Hackers? This is where it becomes important to not only encrypt online traffic, but also the files themselves. There are two main approaches to storing encrypted files in the cloud: server-side, and client-side.

Server-side encryption is pretty much what it sounds like. You send your file to the server, it encrypts it and then stores it in a data center in encrypted form. When you ask for the file, the server decrypts it and sends it back to you. In order for the server to do this, it needs to know the encryption key to use. This protects your files from being downloaded by hackers, but since the cloud provider knows the key, they can theoretically decrypt your data at will; if their database is hacked, so can the attackers. This is the current state of encrypted storage in Nextcloud, on which Gibberfish is based. Our platform adds an extra layer of encryption underneath it all, so if the disks are stolen or seized, even the keys in the database will be encrypted using a master key which isn’t stored on the server and that only your administrator knows. However if the system is breached while the server is still online, this offers little meaningful protection.

Client-side encryption consists of the files being encrypted on your computer before they’re uploaded to the server, and the encryption key is likewise stored on your computer, not on the server. That means nobody can decrypt the files except you. They’re as unreadable to your cloud provider as they are to hackers. It also means if you lose your key then you can kiss your data goodbye (you made a backup, right?). Client-side encryption is usually dependent on special software installed on your computer, as most operating systems don’t have this ability by default.

Nextcloud is working on incorporating client-side (what they call end-to-end) encryption into their desktop and mobile clients in the next major version (Nextcloud 14), but as of this writing it’s not yet considered stable. However, there are third-party apps you can use in conjunction with Gibberfish/Nextcloud (or iCloud, or Dropbox, etc) that will handle the encryption for you. One such solution which recently appeared on the scene is Cryptomator¹. It’s free, open source, and couldn’t be easier to use. It lets you set up a “vault” on your hard drive that looks and acts like a normal folder, except anything you copy into it is automatically encrypted. If you sync this folder to your cloud storage, then even though it looks like normal files on your desktop, on your cloud drive it will just appear to be random noise. As an added benefit, the files are encrypted locally on your own device too, so if your laptop or phone is stolen, they’ll still be safe.

There are other apps which will give you similar results, but the way Cryptomator stores files is optimized for use with cloud storage, while many of the others are not. One downside is that since the files in your cloud drive are encrypted, you can’t share them. Nextcloud’s approach takes advantage of tight integration with the server to allow sharing to work while Cryptomator is designed to be cloud agnostic. Once Nextcloud’s end-to-end solution is finalized, we’ll do a full review and compare how it works. If you know of another potential contender, please drop us a line and let us know about it too.

Cryptomator is pay-what-you-want software, meaning you decide what it’s worth to you, even if that amount is zero. However, when you use open source software we encourage you to support it, so please consider sending them a few bucks so they can keep making the product better. While you have your wallet out, we’d also like to remind you that we too are supported by donations and during the month of July all donors will be entered in a drawing to win a laptop computer (US residents only), so please consider sending us a few bucks as well! Thanks!

¹  Gibberfish, Inc is not affiliated in any way with Skymatic UG, the makers of Cryptomator, nor were we asked to review or endorse their product