Using Espionage with Dropbox

We received an excellent tip from Ira Rainey of side lane digital development on a simple method of using Espionage with Dropbox.

espionage + dropbox

The method does not involve storing Espionage’d folders inside of Dropbox (which can lead to issues), but rather using Espionage to easily and conveniently encrypt all of the files from your Dropbox on your Mac.

Step 1 – Create a folder called ‘Vault’ in your Home folder

Create a folder called 'Vault'

Step 2 – Add ‘Vault’ to Espionage

Encrypt the Vault folder + Associate with Dropbox

Step 3 – Associate Dropbox & Check ‘Launch At Login’

Set Dropbox to launch at login

  1. Select ‘Vault’ in Espionage
  2. Click the ‘Edit Application Associations’ button
  3. Drop Dropbox onto the list, or select it after clicking the ‘+’ button
  4. Check the box to ‘Launch at Login’ (click ‘Yes’ if prompted to enable ‘Autounlock at login’)
  5. Click ‘Done’, then click ‘Save Changes’

Step 4 – Unlock the Vault folder

Unlock the Vault folder

Step 5 – Adjust Dropbox’s Preferences

Adjust Dropbox's Preferences

  1. Click the Move… button and select the unlocked Vault folder
  2. Uncheck the “Start Dropbox on System Startup” checkbox

That’s it!

Your Dropbox is now encrypted locally, you can now launch Dropbox (you’ll be prompted for the folder’s password). Dropbox will upload any changes to it securely over the internet, and the files are stored encrypted on their servers.

It’s important to note that if you sync your Dropbox with another Mac the files on that machine won’t be encrypted unless you repeat these steps there as well. We are still investigating whether it’s possible to get Dropbox to play nicely with a live Espionage’d folder that’s inside of it.

Many thanks to Ira Rainey for pointing this out! You can read more information about this tip on his blog.

We’re always interested in hearing about how our users use Espionage, so if you have any interesting tips you’d like to share with us don’t hesitate to let us know! 🙂

34 thoughts on “Using Espionage with Dropbox

  1. Reply

    John

    While your files are stored encrypted on your disk and encrypted on their (Amazon’s actually it seems) servers, in the middle all the DropBox employees have access to your data. Dropbox is not a secure storage product as it does not offer end-to-end encryption.

  2. Reply

    Greg Slepak Post author

    John, you bring up a valid point, Dropbox may not be as secure as some may need it to be, and that’s important to keep in mind. I would like to point out though what Dropbox has to say regarding “employees accessing your data”:

    Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

    I’m guessing that this refers to a subset of Dropbox employees, as surely someone working at Dropbox knows the password to their encrypted S3 account, otherwise it would not be possible for them to transmit unencrypted data—unless it’s being decrypted on-the-fly by the Dropbox client upon receipt by your Mac (note: I’m not referring to any sort of SSL transmission, but to the actual data upon receipt).

    We’ll shoot them an email to see if they can clear this up for us. Once I get their official reply I’ll update this post. If any Dropbox employees reading this would like to comment you are more than welcome to.

  3. Reply

    Justin Pennington

    While this doesn’t apply to espionage, I use encrypted sparse images in my dropbox. Those should provide end to end encryption, I don’t see why the espionage solution wouldn’t provide this as well.

    You are decrypting locally and uploading encrypted pieces.

  4. Reply

    Greg Slepak Post author

    @Justin: The reason is that Espionage moves the sparse image/bundle each time the folder is locked or unlocked. In addition, a symbolic link (alias) is placed in the Dropbox pointing to the decrypted contents (more info here).

    This will cause Dropbox to re-upload a bunch of stuff whenever the folder’s locked status is changed because it doesn’t understand that the files were simply moved, and when it sees the symlink, it interprets that as new files being added to the folder.

    While you can do this, there are several issues to keep in mind:

    1. When the folder is unlocked, decrypted files are uploaded to Dropbox because of the symlink, effectively giving you the same level of security as when you follow the steps in the post above (since Dropbox keeps a history of the folder).

    2. If you’re using Dropbox with Espionage across multiple machines, then you can cause Espionage to get confused if you unlock the folder on one of them, and the folder is suddenly “unlocked” on another, even though it wasn’t unlocked through Espionage.

    So in light of these concerns, we do not recommend using Dropbox to synchronize Espionage’d folders across machines, even though it is technically possible.

    Hope that addresses your question!

    To update regarding Dropbox & the issue of their security: we did send them an email, but we’ve yet to receive a reply from their privacy dept. Not sure how to interpret that, but any interpretation would likely be unfavorable.

    I’ll update the post if and when they do reply. In the meantime I’d recommend not using this method to store any super-sensitive material on Dropbox (and use encrypted disk images with Dropbox manually instead).

  5. Reply

    Greg Turnbull

    I followed the post about setting up dropbox inside of an espionage “vault” folder. However, when I drop new content into the dropbox it doesn’t show up in the sync’d versions of dropbox on other machines or on the cloud (dropbox web interface).

  6. Reply

    Greg Turnbull

    scratch that last one. it just took a lot longer than I expected to see the first sync

    (no way to withdraw a post?)

  7. Reply

    Greg Slepak Post author

    Hey Greg, happy to hear it’s working. 🙂

    If you’d like, I can delete your comments (let me know), but otherwise it would be handy to have them here just so that if others think they encounter this problem, they can see that waiting a bit could solve it.

  8. Reply

    Greg Turnbull

    For some reason dropbox sync takes an hour (or so) from the “vault” as  
    compared with instantly before. I’ll experiment to see if total  
    dropbox size is a contributing factor even when adding/changing one or  
    two small files.

  9. Reply

    Greg Slepak Post author

    Recheck also that you followed all the steps closely, for example check to make sure that the folder is encrypted as a sparsebundle (although I don’t think that should have an effect here), and that Dropbox isn’t running unless Espionage is running.

  10. Reply

    Paul Thompson, Jr

    Hi Greg, I just downloaded a copy of the program. I use Dropbox and access it via my Mac Desk Top and MacBook Pro. I also run Parallels on both of my Mac computers. I use Quicken in the PC Mode and store the data in my DropBox.

    Will I be able to use the password when in the PC Mode to run Quicken? Would I also have to configure the Vault/DropBox for the PC?

  11. Reply

    Greg Slepak Post author

    @Paul, in that situation your Dropbox on Windows wouldn’t be encrypted by Espionage, and so you would just access it as you normally do. If you want the Dropbox to be encrypted on Windows as well then you’ll need to use Windows-specific software for that purpose.

  12. Reply

    Greg Turnbull

    In my experience, espionage and the “vault” do not play well with current and beta releases of DB. Espionage was locking the sparce bundle at its actual use size rather than seeing the free space (local drive). I found this out by checking the permissions and was finding the vault switching to “read only” on its own. I finally took DB out of the vault and have not had this problem since (about a week). Using latest beta of DB, on a Leopard MacBookPro, with and without Parallels. For those who want free on-the-fly encryption of PC hard-drives, Google and consider Free Compusec.

  13. Reply

    Paul Thompson, Jr

    Thanks for your prompt response. I think I will wait until one can lock specific folders within DB, which I understand that you are working on. In the mean time I will just encrypt at the file level. This works for both the Mac and PC. I use PDFPen to encrypt the files.

  14. Reply

    Jim

    In my setup, I have ~/Dropbox and, within that, ~/Dropbox/SecureStuff/.

    ~/Dropbox/SecureStuff is an Espionage’d sparsebundle.

    When it is unlocked, and ~/Dropbox/SecureStuff is a symlink to /Volumes/EspionageMounts/…, Dropbox does not follow the symlink; it syncs the link itself, not what it points to. This is correct behavior at the filesystem level.

    When I lock the folder, Dropbox _appears_ to sync only the ‘band’ files that have changed; it doesn’t appear to resync the entire hidden sparsebundle folder. But, I haven’t been terribly scientific about determining this and this particular sparsebundle is pretty small so the sync might be happening too quickly to see. At the time, my only concern was that Dropbox did not access /Volumes/EspionageMounts/… and sync the unencrypted content of SecureStuff. I see no evidence in my DB account that it does.

    Dropbox v0.7.110.

    Prior to today I would disable SecureStuff in Espionage, when finished working with it, because I couldn’t be bothered to read the docs to figure out exactly what whitelisting Dropbox would do. And, this way I knew that SecureStuff was getting synced to Dropbox in its encrypted entirety.

    Having recently read about what whitelisting does, and that it doesn’t expose the encrypted content to the whitelisted programs, I’ve re-enabled SecureStuff. Next time I modify something in it, I’ll see if something goes horribly wrong or not.

    I don’t have SecureStuff unlocked on, nor do I attempt to access it on, more than one computer at a time. Dropbox.app is whitelisted for SecureStuff on only one computer, as well.

  15. Reply

    Greg Slepak Post author

    Jim, sounds like you have a good understanding of what’s going on and are taking appropriate precautions to prevent conflict (by not using “SecureStuff” between two computers). You can check to see whether files are re-uploaded via the Dropbox web interface. If it says the disk image was simply moved, then that’s good, but if it says that it was deleted and recreated then it likely means it’s being re-uploaded anew.

  16. Reply

    Erik P Rau

    Is there any way to be sure that the Vault folder is actually encrypted? When I followed the instructions above (exactly), I got a warning that Vault couldn’t be encrypted because it couldn’t get the password from the keychain. I had created a password for Vault and when I set up Espionage, I set up the prefs so that it stores passwords on the system keychain. Everything seems to be working well, but I have no idea if Vault is actually encrypted or not, given the warning I received. Any quick way to check this? Thanks!

  17. Reply

    Erik P Rau

    Another issue: when I logout of my computer, so that Vault autolocks, I can’t Dropbox to start again. I get the error messages that Vault’s disk image can’t be mounted.

  18. Reply

    Greg Slepak Post author

    @Erik:

    Everything seems to be working well, but I have no idea if Vault is actually encrypted or not, given the warning I received. Any quick way to check this?

    Yes, check in Espionage whether its encryption is set to “No encryption”. If it’s not, then it’s encrypted!

    Another issue: when I logout of my computer, so that Vault autolocks, I can’t Dropbox to start again. I get the error messages that Vault’s disk image can’t be mounted.

    Please contact support, we’ll help you out.

  19. Reply

    George

    Hi !

    I use Dropbox and never had problems with dmg images stored in ~/Dropbox. So, using Espionage for that should not be a problem as long as one uses only one computer at a time and makes sure that the dmg’s are locked.

    My ‘problem’ is the data files that cannot be moved from their ~/Library/Application support folder (e.g. Postbox, for which even a symlink does not seem to work).

    It seems for those application the only solution is to point the Espionage backup into the Dropbox folder.
    And when using another computer, to restore that backup.

    Does anybody have any better ideas ?

    Thanks !

    George

  20. Reply

    George

    I have tested Espionage and Dropbox quite a bit and had the following results:

    Keeping data encrypted in Dropbox

    First, quit Dropbox on the computer.
    Then move the folder in question into Dropbox and then encrypt it.
    Start Dropbox.
    Folder is synced in it’s encrypted state.
    From then on the folder can be used as normal with Espionage and will stay encrypted in Dropbox (in the cloud).

    However, it is not possible to work with the encrypted file on a second computer. I have tried and gave up looking for a solution, when it became clear that any solution would be so cumbersome as to be impractical).

    In order to sync encrypted files between two computers that stay encrypted on the Dropbox servers, the only solution seems to be to use ordinary dmg images.
    That, of course, leaves out folders like that for the address book.
    A compromise would be the work around described in my previous post.

    George

  21. Reply

    Greg Slepak Post author

    Hey George, have you tried messing around with the enabled state of the folder on the second machine? That will prevent the prompt from being brought up when Dropbox manipulates the encrypted folder during sync. Details here:

    http://www.taoeffect.com/forums/viewtopic.php?f=3&t=4

    Also, I’ve updated the instructions above a bit to be more compatible with Dropbox. The previous instructions removed Dropbox’s ability to add badges to folders. If you used the old instructions, you can switch to the new version by doing this:

    1) Open Dropbox and go into its preferences.
    2) Move the Dropbox to your home folder.
    3) When it’s done, move the Dropbox again, this time select the *unlocked* Vault folder (in your Home folder, it will have a little arrow icon on it) as the destination.

  22. Reply

    Stewart

    I am a long time Dropbox user. I really like the look of espionage.

    In Dropbox I have a number of folders I share with others.

    How does Espionage/Dropbox deal with these shared folders. What do I have to consider?

    many thanks!

  23. Reply

    Greg Slepak Post author

    Hi Stewart,

    If you followed the instructions above everything should just work.

    Cheers,
    Greg

  24. Reply

    Chris

    Can you check Espionage with DropBox 0.8.xxx?

    This is nearing final release, and currently with 0.8.103 the setup instructions do not work. I get error messages that Vault cannot be unlocked, and then it creates Vault-saved, but just never works. Reverting Dropbox back to 0.7.xxx works fine.

    Thanks

  25. Reply

    Greg Slepak

    Hey Chris,

    We just tested out Dropbox 0.8.103 with Espionage according to these instructions and everything seems to be working just fine.

    Dropbox’s UI has changed, so make sure that you’re still following all the steps. Changing the folder’s location is in the Advanced preferences now. Check also that Dropbox isn’t starting before Espionage is, by making sure the “Start Dropbox on system startup” checkbox is unchecked (as described in the directions).

    You might also want to try starting over by moving the Dropbox folder back into your Home folder, restoring the Vault, and re-follow the instructions.

    If that doesn’t help, contact us via our support forum or contact form.

    Cheers,
    Greg, Tao Effect

  26. Reply

    Chris

    Since I got 0.7 working, and saw your post, I decided to just install 0.8.103 over it, and now everything seems to be working.

    While having 0.7 installed, I did run into the same issue I originally had with 0.8, so it must be some timing when first logging in, and Espionage not fully unlocking the Vault folder before Dropbox is started by Espionage. That’s just my best guess.

    Thanks for the quick reply, and hope not to run into any more problems.

  27. Reply

    William

    I keep getting an error from DropBox, “Can’t Sync; Not enough disk space.” I have DropBox v1.010 and Espionage 2.8.7. The disk has 100+G free. I thought the disk bundle created by Espionage would grow as needed.

  28. Reply

    Greg Slepak Post author

    Hi William, the error message suggests that the problems is that there’s not enough space on the Dropbox server, not your local computer. Try getting info on the Dropbox in the Finder (select the Dropbox, and choose File > Get Info to see its size). Then see how much space you have available with Dropbox.

    If you need further assistance, please do not reply here, but contact us on our support forum (see the support page).

  29. Reply

    Sung Gon Yi

    I would like to secure Dropbox folder, however, i am wondering about ‘Public’ folder. Sometimes I would like to send a file to other people. When Public folder is also secured, it would be bad.

  30. Reply

    Greg Slepak Post author

    @Sung Gon Yi, securing the Dropbox folder using these instructions should have no impact on your ability to share files in your Public folder. It simply secures the files locally on your computer.

  31. Reply

    Sharkez

    Been using espionage and dropbox-each separately- for a long time. I’ve now created a computing environment that could use shared access to encrypted files on db so success on this project would be good to hear. I’m also on Lion…

    I’ve just tried the technique noted at http://www.taoeffect.com/forums/viewtopic.php?f=3&t=4 and I’ll see how that works, but was wondering if official support is closer?

  32. Reply

    Greg Slepak Post author

    Sharkez, thanks for your comment. For now we’re recommending users to simply use encrypted sparsebundles manually for the purpose of syncing data securely using Dropbox. Official support with Espionage is not yet here, and we cannot give a time estimate at this time.

  33. Reply

    Ashley Karyl

    I’ve just downloaded the demo of Espionage, principally to see how it compares to Knox, since I’m a big fan of 1Password and these days I think it’s naive not to be serious about your computer’s security.

    Looking specifically at this question of DropBox, I have simply used the free symboliclinker plugin available at macupdate and create a symlink of the original encrypted folder. I then place the symlink in my DropBox folder, which automatically uploads the Espionage encrypted data to DropBox without having to move anything or make any modifications. Unless there is some specific reason why I shouldn’t be doing this it seems like a good solution.

    Since I use DropBox to sync iCal events and the Address Book etc with my other computers I wonder if that will be a problem with Espionage?

    Thanks

    Ashley

  34. Reply

    Greg Slepak Post author

    Hi Ashley,

    For the moment, we recommend against doing that, it could lead to data loss with your contacts as currently Espionage moves the data around as described above and in this document:

    http://www.taoeffect.com/espionage/EspionageHelp/pages/faq-workings.html

Leave a Reply

Your email address will not be published. Required fields are marked *