2 Ways to Encrypt Dropbox Files on Ubuntu Desktop & Server
If you are wondering “is Dropbox safe for confidential files”, you have come to the right place. This tutorial shows you 2 ways to encrypt files in your Dropbox account to protect your confidential files from prying eyes. This will be very helpful for those who are worried about privacy and security when storing files on cloud storage providers. Experienced Linux users can set up their own cloud storage using NextCloud, but not everyone has the skill or time to manage self-hosted cloud storage. When your Dropbox files are encrypted, no one can read them without the encryption password.
Note: This tutorial works on all current Ubuntu versions, including Ubuntu 18.04, 20.04, and 20.10.
The first method uses a graphical tool called Cryptomator and the second uses a command-line tool, CryFS, which is suitable for servers. Both of them are open-source. If you haven’t installed Dropbox on Ubuntu yet, please check out the following tutorials.
These two tools can also be used to encrypt other cloud storage like Google Drive and NextCloud. I use Dropbox as an example.
Dropbox File Encryption with Cryptomator on Ubuntu Desktop
Cryptomator is a free, open-source and easy-to-use software for encrypting cloud storage. It uses client-side encryption, which means each file is encrypted on the user’s computer before sending to the cloud. File content, file name, file size and directory names will all be encrypted.
It can run on Linux, Mac, Windows, Android and iOS. To install Cryptomator on Ubuntu, run the following 3 commands in a terminal, which will install Cryptomator from the developer’s PPA.
sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
sudo apt update
sudo apt install cryptomator
Once installed, Cryptomator can be started from your application menu.
Or you can start it from the command line.
cryptomator
When you first start Cryptomator, there is no vault. A vault is basically a virtual hard drive. So we need to click the plus button at the bottom-left corner and create a vault.
Choose Create New Vault.
A new window appears. Give your vault a name.
And choose your Dropbox folder as the destination.
Next, set a password to protect your vault. You can also create a recovery key in case you forget your password. If you store the password in a password manager, I think you don’t need a recovery key.
To start using Cryptomator, you need to re-enter your password to unlock the vault.
The vault will be mounted as a virtual hard drive under ~/.local/share/Cryptomator/mnt/. You can press Ctrl+D to bookmark the vault directory in your file manager.
Now you can put your files in the vault and they will be automatically encrypted in the background and then stored in your Dropbox folder, which is then synchronized to Dropbox servers. For example, I put 3 png files in the vault.
Here is what they look like in Dropbox.
Since Cryptomator does encryption and decryption on the fly, the unlocked vault doesn’t take any space on your hard drive. Once your encrypted files are synchronized to Dropbox servers, you can lock your vault.
Once it’s locked, the virtual hard drive disappears from your file manager, so no one can see the original files without the password.
How To Access Encrypted Files on Another Computer
Install Dropbox and Cryptomator on the second computer. Wait for Dropbox to finish syncing. Then start Cryptomator on the second computer and select “Open Existing Vault”.
Navigate to the Dropbox folder and select the Cryptomator master key.
The master key is encrypted with your vault password, so you need to click the Unlock Now button and enter your vault password to decrypt the key, which in turn will unlock the encrypted vault.
If you want to share encrypted files, then create a separate vault with a different password and let your family, friends, or coworkers install Cryptomator, and then tell them the password. Currently, there’s no command-line version of Cryptomator. That’s where CryFS comes in.
Using CryFS to Encrypt Dropbox on Ubuntu Server & Desktop
CryFS stands for cryptographic filesystem. It is a free, open-source encryption tool created specifically for cloud storage. Its usage is very similar to Cryptomator’s, and it can encrypt file contents, file names, file sizes, and directory structure.
CryFS has been included in the Ubuntu repository since 17.04, so you can install CryFS by running the following command in the terminal.
sudo apt install cryfs
Ubuntu 16.04 users need to install CryFS from its repository. First, create a source list file for CryFS.
sudo nano /etc/apt/sources.list.d/cryfs.list
Then add the following line into the file.
deb http://apt.cryfs.org/ubuntu xenial main
Save and close the file. Next, download and import the CryFS public key using the following command.
wget -O - https://www.cryfs.org/apt.key | sudo apt-key add -
Update the package index and install CryFS.
sudo apt update
sudo apt install cryfs
To create an encrypted vault in Dropbox, run the following command.
cryfs ~/Dropbox/encrypted ~/mountdir
This will create two directories. ~/Dropbox/encrypted is where the encrypted versions of your files are stored. They will be synchronized by Dropbox. ~/mountdir is where you access the decrypted files. You will be asked to create a password.
Now you can put files in the mountdir directory and they will be automatically encrypted in the background and stored in the ~/Dropbox/encrypted/ directory.
If I create a plain text file in ~/mountdir using the following command,
linuxbabe@ubuntu:~$ echo "hello world" > ~/mountdir/file
The file content, file name, file size and directory structure will be encrypted in the Dropbox folder.
linuxbabe@ubuntu:~$ ls ~/Dropbox/encrypted/A60/
8EB642B7806A722005C45A7BBACD0
You access your files through your mount directory, but CryFS actually stores them in ~/Dropbox/encrypted after encrypting them. CryFS will encrypt and decrypt your files on the fly as they are accessed, so files will never be stored on the disk in unencrypted form.
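A pre-flight check for the layout above, as an added example that is not part of the original tutorial or of CryFS: it confirms that the mount directory is outside the Dropbox folder, that it is an active FUSE mount, and that a canary file written through it does not show up by name or content in ~/Dropbox/encrypted. The function names, the optional mounts-file argument and the canary naming are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: checks for the CryFS layout used in this tutorial.
# Assumes GNU coreutils (realpath -m) and paths without spaces.

# True if $1 is a FUSE mount point. $2 (a /proc/mounts-style file) is an
# optional argument added here so the check can be exercised offline.
is_fuse_mounted() {
    local target
    target=$(realpath -m -- "$1")
    awk -v t="$target" '$2 == t && $3 ~ /^fuse/ { ok = 1 } END { exit !ok }' \
        "${2:-/proc/mounts}"
}

# True if path $1 is directory $2 or lies anywhere below it.
is_inside() {
    local child parent
    child=$(realpath -m -- "$1")
    parent=$(realpath -m -- "$2")
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (leak) if the canary string shows up in any file name or file content
# under the ciphertext directory $1.
leaks_plaintext() {
    if find "$1" -name "*$2*" -print -quit | grep -q .; then return 0; fi
    grep -rqF -- "$2" "$1"
}

# Usage: preflight BASEDIR MOUNTDIR DROPBOX_ROOT
preflight() {
    local basedir="$1" mountdir="$2" dropbox="$3" canary="canary-$$-$RANDOM"
    if is_inside "$mountdir" "$dropbox"; then
        echo "FAIL: $mountdir is inside $dropbox; decrypted files would sync" >&2; return 1
    fi
    if ! is_fuse_mounted "$mountdir"; then
        echo "FAIL: $mountdir is not mounted; writes would stay local plaintext" >&2; return 1
    fi
    printf '%s\n' "$canary" > "$mountdir/$canary.txt"
    if leaks_plaintext "$basedir" "$canary"; then
        echo "FAIL: canary visible in $basedir" >&2; rm -f "$mountdir/$canary.txt"; return 1
    fi
    rm -f "$mountdir/$canary.txt"
    echo "OK: mount active, layout safe, canary not visible in ciphertext"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Saved as a script, it is run with the three paths from this tutorial while the vault is mounted: `~/Dropbox/encrypted ~/mountdir ~/Dropbox`.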
To unmount, run:
fusermount -u ~/mountdir
To remount, run the following command and enter your password.
cryfs ~/Dropbox/encrypted ~/mountdir
How To Access Encrypted Files on Another Computer
Install Dropbox and CryFS on the second computer. Wait for Dropbox to finish syncing. Then mount the encrypted directory using the following command. You will need to enter your CryFS password.
cryfs ~/Dropbox/encrypted/ ~/mountdir
Now you can access files in ~/mountdir.
That’s it! I hope this tutorial helped you encrypt Dropbox on Ubuntu using Cryptomator and CryFS.
Very cool! I never thought of this until now, but I use the KDE Plasma Desktop and they have the “Vaults” feature built right into it. I bet that can be put into Dropbox.
I’ve stopped using Dropbox because I formatted my main partition with the F2FS filesystem to help preserve my SSD. But Dropbox has a whitelist for supported filesystems and they don’t support F2FS 🙁
But that’s a happy accident because now I’m using MEGA.nz, which offers more space, has better Linux software support, **and** it has zero-knowledge cloud storage (full cloud encryption), which gives me everything that I want. I think you should check out MEGA.
Unfortunately, Mega is much slower than Dropbox, and is worse for the use case of this article in that Dropbox uses file indexing to decide what to upload. Mega, like most cloud clients, uses file timestamps. Dropbox seems pretty unique in trading CPU for bandwidth, which makes it well suited for working with encrypted blobs.
(By the way, I use VeraCrypt volumes to have encrypted files on cloud since it’s cross-platform and well-trusted.) So say you have this 100 GB encrypted volume. You make one change to one file inside the volume. With Mega, you instantly have two problems:
1. Time metadata of volume files changes unreliably, so the Mega client might not even notice that it needs to reupload the container.
2. If it does notice the container changed, it will proceed to upload the entire container. So, whenever you change your container, you’re using 100 GB of bandwidth. Your ISP will hate you.
In contrast, Dropbox would begin using your CPU to index the container, identify changes to the byte sequence of the file, and only upload those changes.
Also, you mentioned that Mega has zero knowledge encryption, and you seem to have suggested this means you don’t have to do all this encrypted volume stuff. That’s not true. If I’m encrypting a container, I’m in full control over the security of the data in that container. Trusting the cloud provider when they say, “You don’t have to do all that, we already encrypted your stuff (from ourselves); you can trust us! 🙂” is an inferior alternative.
Also, you mentioned you use F2FS to try to “save your SSD”. This is a mistake. You don’t need to use F2FS unless you want slightly faster performance at the cost of worse support in tons of software, from Dropbox to the Grub boot loader, which seems like a bad trade off.
This was the most unhelpful reply I’ve read in a long time. A big no thanks to you. Learn to communicate with people better.
@skaffen-amtiskaw thanks for making some really good points; I’ll probably give veracrypt or something similar a try, together with dropbox. I’ve tried nextcloud now for a few weeks, but the fact is that file sync is a hard problem to figure out with all the corner cases, and at least in linux dropbox seems to be ahead of everything else.
Thanks for your tips, Michael. Will give MEGA a try.
Hi Xiao,
This is a really neat setup for storing confidential files that I haven’t come across before. Thanks for another great tutorial!