Encryption and Dropbox

Flexo
Posts: 50
Joined: Sat Oct 16, 2010 7:10 am

Mon Jul 18, 2016 7:03 am Post

Will the file transfers using Dropbox use any kind of encryption? The thought of Condoleezza Rice having access to my notes puts me at unease.

KB
Site Admin
Posts: 20762
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Mon Jul 18, 2016 9:56 am Post

No, there's no encryption.
"You can't waltz in here, use my toaster, and start spouting universal truths without qualification."

ChrisRosser
Posts: 242
Joined: Tue Jun 26, 2007 12:11 pm
Platform: Mac + iOS
Location: Melbourne, AU

Tue Jul 19, 2016 6:07 am Post

Flexo wrote: Will the file transfers using Dropbox use any kind of encryption? The thought of Condoleezza Rice having access to my notes puts me at unease.



I wouldn't worry unless you were writing something like Olympus Has Fallen :wink:
Mild-mannered Technical Writer by day, closet fantasist by night
I run Scrivener on macOS and iOS :mrgreen:


non5099
Posts: 2
Joined: Fri Aug 05, 2016 6:39 am
Platform: Mac + iOS

Fri Aug 05, 2016 7:52 am Post

Olympus Has Fallen aside, as a lawyer encryption is vital. It also seems to be becoming more available in other apps as I see Devonthink To Go added it in version 2.0 for their Dropbox sync.

Flexo
Posts: 50
Joined: Sat Oct 16, 2010 7:10 am

Tue Aug 09, 2016 5:34 am Post

ChrisRosser wrote: I wouldn't worry unless you were writing something like Olympus Has Fallen :wink:

Or anything I don't put my name on. Rice doesn't need to know my pseudonyms.

KB
Site Admin
Posts: 20762
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Tue Aug 09, 2016 4:12 pm Post

I'm not sure I see Condoleezza Rice being too interested in what I write... Anyway, I'm no encryption expert, and to encrypt on Dropbox we would need to encrypt every file separately and decrypt them on opening them. The macOS and Windows versions would also need this all building in. So there are currently no plans for this. So far, hasn't iCloud had a worse track record for having data stolen? Most apps don't encrypt data there, either.
"You can't waltz in here, use my toaster, and start spouting universal truths without qualification."

Flexo
Posts: 50
Joined: Sat Oct 16, 2010 7:10 am

Fri Aug 12, 2016 5:19 pm Post

non5099 wrote: Olympus Has Fallen aside, as a lawyer encryption is vital. It also seems to be becoming more available in other apps as I see Devonthink To Go added it in version 2.0 for their Dropbox sync.

You can index your Scrivener folder in DEVONthink, download the files into DEVONthink To Go and then open them in Scrivener. The only way back seems to be Compile and then Clip to DEVONthink. If Scrivener had a "Compile as Scrivener file" option, this might be workable.

ChrisRosser
Posts: 242
Joined: Tue Jun 26, 2007 12:11 pm
Platform: Mac + iOS
Location: Melbourne, AU

Wed Sep 14, 2016 3:52 am Post

non5099 wrote: Olympus Has Fallen aside, as a lawyer encryption is vital. It also seems to be becoming more available in other apps as I see Devonthink To Go added it in version 2.0 for their Dropbox sync.


If I was that concerned or I belonged to a profession (like yours) where security was paramount, I wouldn't use any proprietary software or service at all. Nothing where the source code wasn't publicly available for peer review would satisfy me - that goes for the BIOS all the way to the application layer. If lives depend on privacy, this is the only acceptable way to do computing.

Hardly practical... and fortunately not a problem I have to deal with.

If you don't like Dropbox (and I don't blame you, they are scum) then at least we have the option to manage projects the old fashioned way with iTunes.
Mild-mannered Technical Writer by day, closet fantasist by night
I run Scrivener on macOS and iOS :mrgreen:


Red Claw
Posts: 8
Joined: Thu Oct 06, 2016 6:14 pm
Platform: Mac + iOS

Thu Oct 06, 2016 6:22 pm Post

According to https://scrivener.tenderapp.com/help/kb/macos/password-protecting-your-work there are several ways to password protect Scrivener Projects for a Mac. I can turn on FileVault (on my work Mac), I already have a password on my local account, and I have played around with encrypted disk images and storing documents inside of them. There is also whole drive encryption available for PC. Unfortunately, none of these are acceptable solutions for my workflow. My setup is as follows:

Scrivener Desktop installed on my home Macintosh.
Scrivener installed on my iPad.
Dropbox syncing setup on both my home Mac and the iPad.
I also have Dropbox installed on my work computer.

On the home desktop, I can create an encrypted disk image and store my Scrivener projects inside of the disk image, but when I go to the iPad Scrivener doesn't know how to access the disk image. Much less any other application being able to access the contents of the disk image. So I am left with saving the Scrivener projects directly to the Dropbox folder. This means that any Scrivener projects will show up on all the devices, and the web, unprotected.

My feature request is to include built-in encryption or/and password protection for Scrivener projects. This would be on a per project item, much the same way that Pages or Numbers handles protection.

As far as Dropbox security goes, I do trust Dropbox with my data and have a strong password for it. But on occasion, there are breaches that do occur (not just with Dropbox but other cloud-based services as well). These are few and far between. When a breach does occur, I do immediately change my password for Dropbox, but having an extra layer of encryption on the Scrivener Projects would be nice. Also if the projects are encrypted, then I wouldn't need to worry about the contents of personal files being on work computers. The Scrivener Projects would remain encrypted on the work desktop Mac. Having personal files on work computers isn't against the rules, I just don't want snooping eyes and keeping the Scrivener Projects encrypted would mean that anyone looking at the hard drive (for example backup purposes if the hard drive gets corrupted and has to be reloaded) would only be able to see a blob of data and not the actual contents of the files.

For people forgetting their password, that's what a password manager is for. I use 1Password myself, not just for web passwords but for anything that requires a password. There are other ones out there as well, including the free KeePass.

Side Note: I have gone in and changed my Dropbox Selective Sync settings to not include the Scrivener Projects folder on my work computer. I would still like to see encryption added as a feature in a later version.

kewms
Posts: 6404
Joined: Fri Feb 02, 2007 5:22 pm
Platform: Mac

Fri Oct 07, 2016 4:22 am Post

It's not accurate to say that Dropbox has no encryption. It both encrypts data stored on its servers and uses an encrypted link to transfer data to/from your system:
https://www.dropbox.com/security#protection
They also support two-factor authentication for account access.

Now, they do hold the encryption keys, so your data is still theoretically vulnerable in the event of a breach. (This is also why the encryption is transparent to the user.) Whether that's a concern for you probably depends on exactly what your data is. Unless someone like the NSA is interested in what you're doing, though, physical security of your own device is probably a much bigger risk. (And if the NSA *does* care about you, it's probably a good idea to stay off the net entirely.)

Katherine
Scrivener Support Team

Red Claw
Posts: 8
Joined: Thu Oct 06, 2016 6:14 pm
Platform: Mac + iOS

Fri Oct 07, 2016 11:47 am Post

kewms wrote: It's not accurate to say that Dropbox has no encryption. It both encrypts data stored on its servers and uses an encrypted link to transfer data to/from your system:
https://www.dropbox.com/security#protection
They also support two-factor authentication for account access.

Now, they do hold the encryption keys, so your data is still theoretically vulnerable in the event of a breach. (This is also why the encryption is transparent to the user.) Whether that's a concern for you probably depends on exactly what your data is. Unless someone like the NSA is interested in what you're doing, though, physical security of your own device is probably a much bigger risk. (And if the NSA *does* care about you, it's probably a good idea to stay off the net entirely.)

Katherine


Red Claw wrote: This means that any Scrivener projects will show up on all the devices, and the web, unprotected.


Sorry, I misspoke here. What I meant to say, and should have expanded on this, is:
If a Scrivener project is saved on the local Dropbox folder on the local hard drive, the files are not encrypted, while the files stored on Dropbox's servers are encrypted. But if a breach does occur and the breacher does get access to the files on Dropbox's servers and the breacher does get past the Dropbox encryption, then the Scrivener projects are left unprotected.

For anyone else wondering how this could be done, take a look at 1Password. It saves its password vault in an opvault package. Each file in the package is encrypted including any attachments. This is a loose example of an encrypted package, but taking the above, if the breacher does get past the Dropbox encryption, then the breacher still only has a blob of data and no human readable content. Sure, they could still see the individual files but unless they start doing a brute force attack they're not going to get anywhere.

I don't expect anyone to drop what they are doing and begin working on this. It is only a feature request and to get encryption done right takes time and effort to think things through.
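
The per-file approach KB and Red Claw describe above (each file in the package encrypted separately under a key derived from the user's password, so the storage provider holds only ciphertext), as an added example that is not part of the original posts and is not Scrivener's or 1Password's code. The function names, the record layout and the sample file names are assumptions made for the illustration.

```javascript
// Added example: per-file, client-side encryption of a project package.
// deriveKey/sealFile/openFile and the iv|tag|ciphertext layout are hypothetical.
const crypto = require('crypto');

// Derive a 256-bit key from the project password with scrypt (Node defaults).
// The salt is not secret and is stored in clear next to the package.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt one file with AES-256-GCM. The relative path is bound as additional
// authenticated data, so a ciphertext cannot be moved to another name unnoticed.
function sealFile(key, relPath, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce on every write
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(relPath, 'utf8'));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]); // iv(12) | tag(16) | ciphertext
}

// Decrypt one file; final() throws on a wrong key, wrong path or modified bytes.
function openFile(key, relPath, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(relPath, 'utf8'));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Seal each file separately, so a sync client re-uploads only files that changed.
function sealPackage(password, files) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(password, salt);
  const sealed = {};
  for (const [p, text] of Object.entries(files)) sealed[p] = sealFile(key, p, Buffer.from(text, 'utf8'));
  return { salt, sealed };
}

function openPackage(password, pkg) {
  const key = deriveKey(password, pkg.salt);
  const out = {};
  for (const [p, blob] of Object.entries(pkg.sealed)) out[p] = openFile(key, p, blob).toString('utf8');
  return out;
}

// Constructed sample package; the paths are illustrative, not Scrivener's real layout.
const SAMPLE = {
  'Files/Docs/1.txt': 'Chapter one draft',
  'Files/Docs/2.txt': 'Notes under a pseudonym',
};
```

In this sketch the file names and sizes stay visible to whoever holds the synced copy; only the contents are protected, and only as well as the password is.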

kewms
Posts: 6404
Joined: Fri Feb 02, 2007 5:22 pm
Platform: Mac

Fri Oct 07, 2016 4:07 pm Post

Red Claw wrote: Sorry, I misspoke here. What I meant to say, and should have expanded on this, is:
If a Scrivener project is saved on the local Dropbox folder on the local hard drive, the files are not encrypted, while the files stored on Dropbox's servers are encrypted. But if a breach does occur and the breacher does get access to the files on Dropbox's servers and the breacher does get past the Dropbox encryption, then the Scrivener projects are left unprotected.


Agreed. My point, though, was that getting past Dropbox's own security is not the trivial task that some commenters have implied.

Katherine
Scrivener Support Team