Monday, January 7, 2013

How to encrypt your data for the Cloud

Today there are plenty of reasons for moving your important personal data into the Cloud, but I am not here today to treat an already widely discussed subject. I will instead focus on its major drawback: once you upload your data to Cloud services such as Dropbox or iCloud, you are no more the owner of your files. Which means that you must blindly trust your storage provider without having nothing more than a general idea of the infrastructure and the security mechanisms in place.

So, when storing data on a public cloud, users should be especially wary because the content is not in their control, but in someone else’s.

The countermeasure to this possible problem is to use a simple encryption mechanism.

In this post I will provide a sample Powershell script which uses a well known piece of software such as 7Zip (which is free and which you can download here) to encrypt your data into a secure archive before sending it to Dropbox (which is one of the major Cloud solutions at the moment).

Here's the code:
#First part
set-location "c:\Program Files\7-Zip\"
& .\7z.exe a d:\archive_temp.zip D:\DOCS_IMPORTANT\*.* -r
#Second part 
$today=Get-Date -format "yyyy-MM-dd"
& .\7z.exe a "D:\transfer_to\Dropbox\archive$today.zip" "d:\archive_temp.zip" -mem=AES256 -mx=5 -pyourverysecretpassword123
remove-item d:\archive_temp.zip -force
#Third part 
& .\7z.exe l -slt "D:\transfer_to_dropbox\Dropbox\archive$today.zip"

As you can see, this script is structured in three main parts.

In the first part I set the working directory to "c:\Program Files\7-Zip\" then run 7Zip from the command line with the 'a' switch. The 'a' switch tells 7Zip to create a new archive and takes three parameters: the filename for the destination archive, the folder to archive and the 'r' switch, which enables recursion.

The output of this first command generates a temporary unencrypted zip archive which I am going to encrypt in the second step.

So, let's move to the second step. Here I take the temporary archive and generate another highly compressed archive (with the -mx=5 switch). This second archive is password-encrypted with a pretty secure 256 bits AES key and stored in a folder named "D:\transfer_to\Dropbox\" with a filename containing the current date in the following format: yyyy-MM-dd.

Since my case Dropbox is configured to replicate "D:\transfer_to\Dropbox\", whatever is inside this folder will move.... onto a cloud, and my data will be geographically safe (in a remote location) and inaccessible (thanks to the encryption). Not bad.

In the third part I run 7z.exe to double check the encryption of my archive (with the -slt switch).

Fell free to re-use my script (saving it with .ps1 extension). It's written for Windows but 7zip exists for different flavors of Linux so it should be easily rewritten for penguin's fans. Just remember to replace the foldername to save and the password used for encrypting (highlighted in red).

Have a nice stay in the Cloud and happy new year! After all 2013 is surely going to be the year of the Cloud for many of us.

No comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...