From a security perspective, cloud storage should never have caught on. Its weakness is that it depends on the user trusting the provider, and often that trust rests on nothing more than the provider's word. Yet cloud storage is too convenient for many companies and individuals to give up. Fortunately, users who store only encrypted files there can recover most of that lost security.
Many cloud encryption tools exist, some of them proprietary. A proprietary tool, however, also demands trust: it merely moves the trust requirement from the provider to a third party, whereas basic security requires that users be able to verify the protection themselves.
Three encryption tools for the cloud
A better solution is to use open source tools to encrypt files before they are placed in online storage. On Linux, the three most useful tools for this purpose are EncFS, Cryptomator and Tahoe-LAFS. As their names suggest, each treats online storage as a virtual file system, but they differ greatly in depth.
1. EncFS
EncFS is commonly used to create encrypted virtual file systems. If your storage service synchronizes a remote directory with a local one, EncFS can set up an encrypted virtual file system for the synchronized directory as easily as for a purely local one. With Dropbox, for example, the command to set everything up is:
encfs ~/Dropbox/encrypted ~/Private
The first argument is the directory that holds the encrypted files (here inside the synchronized Dropbox folder); the second is the mount point where the unencrypted view appears. If the directories do not yet exist, EncFS offers to create them. When creating a new volume, EncFS asks a series of configuration questions: press p for the pre-configured paranoid mode, x for expert mode, in which you choose the encryption options by hand, or just Enter for standard mode. The expert questions are explained clearly, so even a novice can get through them by accepting the defaults. Alternatively, run the command with the --standard option, which applies the predefined standard settings and skips the questions altogether.
The next time Dropbox synchronizes, the encrypted directory is uploaded with it. Files written to ~/Private are encrypted automatically and appear as ciphertext in ~/Dropbox/encrypted.
Note, however, that EncFS cannot stop the provider from moving or deleting files. Also, the EncFS package in Debian "stable" carries a warning from 2014 that it is vulnerable to an attacker who has read and write access to the encrypted files, through weaknesses that include weakened encryption and timing analysis. A synchronizing provider is exactly such a party, since it sees every version of the ciphertext. The version in the Testing repository appears to resolve the problem, so use that one.
2. Cryptomator
Cryptomator's workflow is structurally very similar to that of EncFS. The main difference is terminology: in Cryptomator, the encrypted directory is called a "vault".
When the Cryptomator window opens, it offers to create a vault or open an existing one. On first use, you create a vault by choosing a path and a password. Back in the main window, you can then unlock the vault and copy files into it with the system file manager; everything added to the vault is encrypted automatically. As with EncFS, if the vault lives in the local directory of a storage provider such as Dropbox, it is uploaded to the cloud on the next synchronization.
Whether you prefer EncFS or Cryptomator is a matter of habit. If you want control over the encryption settings, you will probably prefer EncFS; if you prefer a desktop application, Cryptomator.
3. Tahoe-LAFS
Tahoe-LAFS provides the most comprehensive solution. LAFS stands for "Least Authority File System", a reference to the classic principle of least authority (least privilege): every party gets only the power it needs. In practice, Tahoe's aim is to give the cloud storage provider as little control as possible over user data.
First, Tahoe encrypts every file automatically (AES for file contents, with 2048-bit RSA key pairs for the signed, mutable files). It also offers options for running over Tor.
Where Tahoe is unique, however, is in how it distributes files. The user defines a grid (a set of storage servers), and each file is spread across several servers in that grid. A user can, for example, keep part of a file on Dropbox and another part on Google's storage service, so that no single service holds a complete copy. To reassemble and decrypt a file, the user needs access to enough of those storage locations to collect the required number of shares, not to all of them.
Each file is also protected against server failure or other data loss. By default, a file is split into 10 shares, any three of which are enough to reconstruct it, so most of the shares can be lost and the file still retrieved. Both numbers are chosen per upload, up to a maximum of 256 shares. Fewer shares need less planning; more shares give more redundancy. For each uploaded file, Tahoe produces a capability: a string that holds everything needed to locate the shares, verify their integrity and decrypt the file. Access to a file is controlled by possession of that capability, not by user accounts or permissions. As a further protection, uploaded files are immutable by default: to change one, you upload a new version. At every step the storage provider has minimal authority and plays a purely passive role.
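To make the share mechanism concrete, here is an added Python example (Tahoe-LAFS itself is written in Python). It is not Tahoe's code: Tahoe's zfec erasure coder is stood in for by a small Reed-Solomon coder over GF(2^8), and its AES-CTR file encryption by an HMAC-SHA256 keystream; the function names, the capability fields and the sample data are assumptions for illustration. It shows the point made above: with 3-of-10 coding, any three shares rebuild the file, two do not, and a corrupted share is caught by the integrity hash carried in the capability rather than by anything the servers assert.

```python
import hashlib
import hmac
import os

# GF(2^8) log/antilog tables: generator 2, primitive polynomial 0x11d (the field zfec uses)
EXP, LOG, _x = [0] * 512, [0] * 256, 1
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x = (_x << 1) ^ (0x11d if _x & 0x80 else 0)
EXP[255:] = EXP[:257]               # doubled so gf_mul needs no modulo

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def poly_mul(p, q):                 # coefficient lists, index = degree
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out

def poly_eval(p, x):                # Horner's rule
    acc = 0
    for c in reversed(p):
        acc = gf_mul(acc, x) ^ c
    return acc

def lagrange_basis(xs):
    basis = []                      # coefficients of L_i(x) = prod_{j!=i} (x - x_j) / (x_i - x_j)
    for i, xi in enumerate(xs):
        num, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [xj, 1])   # (x - x_j) == (x + x_j) in characteristic 2
                denom = gf_mul(denom, xi ^ xj)
        basis.append([gf_mul(c, EXP[255 - LOG[denom]]) for c in num])   # divide by denom
    return basis

def encode(data, k, n):
    """Split data into n shares (evaluation points 1..n, n <= 255); any k of them reconstruct it."""
    padded = data + b"\x00" * (-len(data) % k)
    shares = {}
    for x in range(1, n + 1):       # each k-byte chunk is a polynomial; share x stores its value at x
        shares[x] = bytes(poly_eval(padded[off:off + k], x) for off in range(0, len(padded), k))
    return shares

def decode(shares, k, length):
    """Recover the chunk polynomials from any k shares (dict: point -> bytes)."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, only {len(shares)} available")
    xs = sorted(shares)[:k]
    basis = lagrange_basis(xs)
    out = bytearray()
    for c in range(len(shares[xs[0]])):
        coeffs = [0] * k
        for i, x in enumerate(xs):
            for d in range(k):
                coeffs[d] ^= gf_mul(shares[x][c], basis[i][d])
        out.extend(coeffs)
    return bytes(out[:length])

def keystream_xor(key, data):
    """CTR-style stream cipher built from HMAC-SHA256 (stand-in for AES-CTR); encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ s for b, s in zip(data[off:off + 32], block))
    return bytes(out)

def upload(plaintext, k=3, n=10):
    """Encrypt and erasure-code; return (shares for the servers, read capability kept by the user)."""
    key = os.urandom(16)
    ciphertext = keystream_xor(key, plaintext)
    cap = {"key": key,                                                  # decrypts the reassembled file
           "storage_index": hashlib.sha256(b"si:" + key).digest()[:16],  # tells servers which shares
           "verify": hashlib.sha256(ciphertext).digest(),               # integrity check before decrypting
           "k": k, "n": n, "length": len(plaintext)}
    return encode(ciphertext, k, n), cap

def download(available, cap):
    """Reassemble from any cap['k'] shares, verify against the capability, then decrypt."""
    ciphertext = decode(available, cap["k"], cap["length"])
    if not hmac.compare_digest(hashlib.sha256(ciphertext).digest(), cap["verify"]):
        raise ValueError("reassembled data failed the capability's integrity check")
    return keystream_xor(cap["key"], ciphertext)

def demo():
    """Constructed 3-of-10 sample: retrieve with 3 servers, then with 2, then with a corrupted share."""
    data = b"constructed sample file: draft not meant for the provider's eyes\n" * 20
    shares, cap = upload(data, k=3, n=10)
    three = {x: shares[x] for x in (2, 5, 9)}                # only three of ten servers reachable
    results = [download(three, cap) == data]
    for attempt in ({x: shares[x] for x in (4, 7)},          # too few shares
                    {**three, 5: bytes(b ^ 0xFF for b in three[5])}):   # one server corrupts its share
        try:
            download(attempt, cap)
            results.append(False)
        except ValueError:
            results.append(True)
    return tuple(results)                                     # (True, True, True)
```

Calling demo() exercises the three outcomes. Two things differ in the real system: Tahoe stores a hash tree alongside each share, so it can tell which share is bad and fetch a different one instead of simply failing, and the real read capability is a string of the form URI:CHK:... that you must guard as carefully as a key, since anyone who holds it can read the file.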
Beyond this basic arrangement, Tahoe also includes an optional web interface and a checker (tahoe check, which has a repair option) that reports when a file's surviving shares have fallen below the minimum needed for retrieval. There are also numerous related projects, including backup tools, utility collections and plug-ins for other applications (including Puppet).
Tahoe requires strategic planning, and it may take some time to set up before any files are uploaded. Without a clear plan for the number of shares and the online storage locations, the result can easily become confusing. Once it is in place, however, the security Tahoe provides is very high.