Secure documents in the cloud with GPG

Nik Vaklev
Feb 7, 2020

In this post I focus on why and how I created a very simple desktop app called Encrypt-Sync, which can encrypt and sync files with a cloud-storage provider while you are working on them.

I was one of the early adopters of Google Drive. It is really good at backing up large quantities of data and giving you access wherever you are, but there is a catch… All the data are up in the cloud, the cloud vendor has access to them and they make the most of it. Google Drive now offers the ability to search inside your documents for more relevant results: a cool idea unless we are talking about your business records. Do we really want these companies to access all our information to allegedly improve their service at the cost of sensitive information?

Strictly speaking, any cloud storage provider stores the data in an encrypted format on the physical hard drives, a.k.a. encryption at rest. Any communication between the client (mobile apps, web browsers, etc.) and the server is also encrypted with TLS (HTTPS). As an example, see the Dropbox security documentation. The main reason for this is that even if someone were to hack a particular cloud, they would not be able to read any file from any user. But still, you and the storage provider have full access to everything.

There are many apps which can “secure” your data in the cloud and guarantee that you are the only person who can read the files. A few notable examples:

  • Box.com: starts at €4.27 per user/month with a minimum of 3 users;
  • Tresorit: starts at $25 for two users per month;
  • Sync: starts at $10 per user per month;
  • Storj: a distributed network of nodes for encrypted file storage (if you can set it up);
  • even more suggestions: Boxcryptor, Cryptomator, pCloud, Spideroak, etc.

But, you have to pay for them because “freemium” is not really a viable option for secure-storage vendors. There are many reasons for that, but I would say that implementing security layers and encryption is an expensive business, in terms of people and technologies. Doing it on the cheap is the same as not bothering at all. Furthermore, it requires more computational resources because encrypting and decrypting data quickly is computationally expensive and the server time for it costs money.

Where does that leave us? Paying for these services is an option but frankly not worth it unless you are a business with multiple users who must collaborate securely and handle sensitive information. Individuals need to be handling sensitive information regularly to justify the costs.

I had a breakthrough a few years ago when I realised that I had to protect just a small fraction of my documents. I was never going to encrypt all my photos for instance or the articles I have downloaded from the Internet. The truth is most direct users and small businesses need to protect a handful of documents.

I knew of GNU Privacy Guard, which is a free and rather well-regarded tool for encrypting information with public-private keys, also called asymmetric encryption. The only problem with using it directly is that you must never forget to encrypt any changed files and upload them to Dropbox, for instance. OK, so the encryption side is actually solved and free if you do it by yourself.

If only there were tools that can sync two folders… Well this problem has a solution as well. It is pretty common for web developers to use tools that monitor all the files they work on for changes. The tools would re-compile the website or app after every change and let the developer see the updated web pages. The point is that we have pretty good tools for monitoring folders and files for changes. Can we marry the two?

Enter Encrypt-Sync!

I have worked on it for the last two years on and (mostly) off. It is a Node.js app which:

  • watches a particular folder for changes;
  • encrypts any modified file with GNU Privacy Guard (GPG) in memory;
  • and saves the scrambled version in a Dropbox or Google Drive folder (or anywhere else you like really).

The app makes the most of GPG, cloud storage and a Node.js package called chokidar!

The app was designed to use a minimal number of 3rd party packages and basically be as lightweight as possible. Normally simplicity affords good maintainability over time and decent performance.

Hence, the actual work in the early days focused on experimenting with different packages and finding one that:

  • could detect changes to both folders and files;
  • is well-established;
  • and properly maintained.

Chokidar ticked all the boxes: it has more than 16 million downloads per week from NPM, is actively maintained and forms a core part of Webpack, which is itself used nowadays for any web app development out there.
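The watch, encrypt and save loop described above can be written with Node's standard library alone. This is an added example, not Encrypt-Sync's own code: it uses the built-in fs.watch in place of chokidar, and the names destPath, gpgArgs and encryptFile, the .part temporary suffix and the command-line arguments are assumptions made for illustration. It also assumes gpg is on the PATH, the recipient's public key is already in the keyring, and a Node.js version whose fs.watch supports recursive watching on your platform.

```javascript
// Added example (not Encrypt-Sync's code); fs.watch stands in for chokidar.
const fs = require('node:fs');
const path = require('node:path');
const { once } = require('node:events');
const { spawn } = require('node:child_process');
const { pipeline } = require('node:stream/promises');

// Map a file under srcRoot to its ciphertext path under dstRoot. Names and
// folder layout are kept, so this metadata stays visible to the provider.
function destPath(srcRoot, dstRoot, file) {
  const rel = path.relative(path.resolve(srcRoot), path.resolve(file));
  if (!rel || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path is outside the watched folder: ${file}`);
  }
  return path.join(path.resolve(dstRoot), rel + '.gpg');
}

// Arguments go to gpg as an array (no shell), so a hostile file name cannot
// inject options or commands. gpg reads stdin and writes stdout.
const gpgArgs = (recipient) => ['--batch', '--encrypt', '--recipient', recipient];

// Stream plaintext through gpg; only ciphertext is written to the synced folder.
async function encryptFile(srcRoot, dstRoot, file, recipient) {
  const out = destPath(srcRoot, dstRoot, file);
  const tmp = `${out}.${process.hrtime.bigint()}.part`; // unique per run
  await fs.promises.mkdir(path.dirname(out), { recursive: true });
  const gpg = spawn('gpg', gpgArgs(recipient), { stdio: ['pipe', 'pipe', 'inherit'] });
  try {
    const [[code]] = await Promise.all([
      once(gpg, 'close'),
      pipeline(fs.createReadStream(file), gpg.stdin),
      pipeline(gpg.stdout, fs.createWriteStream(tmp)),
    ]);
    if (code !== 0) throw new Error(`gpg exited with code ${code}`);
    await fs.promises.rename(tmp, out); // replace the old copy only when complete
    return out;
  } catch (err) {
    await fs.promises.rm(tmp, { force: true });
    throw err;
  }
}

const [src, dst, recipient] = process.argv.slice(2); // <watched-dir> <synced-dir> <key-id>
if (src && dst && recipient) {
  fs.watch(src, { recursive: true }, (_event, name) => {
    const file = path.join(src, name || '');
    if (fs.statSync(file, { throwIfNoEntry: false })?.isFile()) {
      encryptFile(src, dst, file, recipient).catch((e) => console.error(e.message));
    }
  });
}
```

fs.watch can report a single save several times, which is one of the things chokidar smooths over; here each run writes its own temporary file, so overlapping runs cannot corrupt one another.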

Limitations

The metadata are still not protected, i.e. file names, modification dates, folder structure, etc. A lot can be worked out from this information, but this is a problem for many secure systems, including apps like WhatsApp: Facebook cannot read the actual content of the messages, but they know who you are talking to.

It protects your info only in the cloud. If someone were to hack your computer, they could easily find the unencrypted version of the files on your hard drive. On the other hand, if someone hacked your computer, that’s probably the least of your problems.

Encrypt-Sync can only encrypt files and cannot be used to reverse the process. The good news is that technically there is no problem doing it; I am just looking for the most elegant and user-friendly way to implement it. Interim solution: create a simple bash function to decrypt individual files, e.g.

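function decrypt() {
  # Assumes the argument has the form /path/to/file/filename.extension.gpg
  local doc="$1"
  # Strip the trailing ".gpg" to get the output name; quoting keeps paths with spaces intact
  gpg --output "${doc%.gpg}" --decrypt "$doc"
}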

This app does require technical knowledge of sorts, e.g. how to generate GPG keys for the encryption step, and therefore cannot be used easily by non-technical users. It cannot protect the whole world unfortunately.

Conclusion

One probably wonders why I am advertising it at all if it cannot eradicate poverty, make all your communications private and defeat cancer. Well, I actually found it very useful. I use it almost every day to back up changes to a handful of files related to my business knowing that “nobody” can just hack my cloud account and read my business plans or pension plan or … In short, if I find it so useful, maybe other people will as well.

Regarding vendors of encrypted cloud file-storage, I think they have a problem. There are probably not that many people and organisations willing to pay them top dollar for their services. Also, creating something simple to suit your needs is actually not a problem these days and it is free. The entire code for the app is ca. 200 lines long. Almost anyone can maintain it. My company website is more complex than that!

Acknowledgements

The “simplicity” of Encrypt-Sync is illusory in a way because it is standing on the shoulders of giants like GPG and Node.js. Fortunately for me, I did not have to (re-)invent the wheel this time!

My name is Nik Vaklev and I am the founder of Techccino Ltd | Data Visualisation Consulting and Software.
