Securing sensitive files in OneDrive’s cloud

Topic

New Reply

ISSUE 18.20 • 2021-05-31 LANGALIST By Fred Langa Does it feel like rolling the security dice when you save your files to a cloud-based service? When t
[See the full post at: Securing sensitive files in OneDrive’s cloud]

2 users thanked author for this post.

Mick Mickle, abbodi86

Reply | Quote

Replies

What about Personal Vault? Per Microsoft, Personal Vault is “a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.”

To get access to sensitive files placed in Personal Vault, a hacker would have to not only get into your Microsoft account, but would also have to know the authentication method for your Personal Vault.

Sounds secure to me. Why not mention it in your article?

2 users thanked author for this post.

b, bobmo11

Reply | Quote

The Personal Vault’s secure folder is very limited in what it can do. It will not, for example, allow for automatic syncing of general files from the Documents folder; you have to more or less manually add things.

In fact, Microsoft does *not* recommend Personal Vault for general storage, instead suggesting it for longer-term storage of limited types of mostly-unchanging documents such as scans of your license, passport, tax records, property deeds, etc. — not the daily churn of files in the Documents folder. (MS info: https://www.microsoft.com/en-us/microsoft-365/blog/2019/06/25/onedrive-personal-vault-added-security-onedrive-additional-storage/ )

Personal Vault is simply not well-suited for workaday, general-purpose, automated file syncing and storage of files that change regularly or rapidly.

Reply | Quote

Another alternative for securing your “cloud” storage is to use Boxcryptor (www,boxcryptor.com). It locally encrypts files and folders and is available across virtually all computing platforms and works with most, if not all, commercially available cloud storage systems.
There is a free ( with limitations) and paid versions. I have been using it for years and found it to be a robust and reliable solution.
Perhaps this would be a good topic for the newsletter.

1 user thanked author for this post.

windbg

Reply | Quote

I just cannot get it to work the way you describe. In File Explorer I see two “Documents” folders: one under “OneDrive” and one under “This PC.” I have checked all of the boxes under OneDrive’s “Settings > Account > Choose folders” to enable “You can get to these items even when you’re offline.”

But that means they are synched in both directions — if I delete a file from “This PC/Documents” it is also deleted from “OneDrive/Documents.” So “your working copy … will be kept local with a separate and still-encrypted copy tucked away in the Microsoft-protected cloud” is NOT protected from any loss of the local copy.

How else could it possibly work? The whole idea of OneDrive is that any changes to a file will be mirrored to the Cloud, and back again on demand, and OneDrive has no way to know whether those changes were intentional or accidental.

Unless there is another “don’t mess with these files” setting that I have not found……..

Reply | Quote

Why pay for a VPN when you may already have one. Check your router and see if it’s built in. When I’m using somebody else’s wireless I log in to my VPN and that way my traffic is encrypted all the way to my home Internet connection.

If you use KeePass then use a keyfile. The keyfile should only be on your home computer and your laptop / tablet / phone. My KeePass database file is publicly exposed but I’m not worried about it because without my password and the keyfile you are never going to be able to unencrypt it.

Reply | Quote

Another way to secure sensitive files in any cloud:

1. Place your most private files in a virtual encrypted disk.
2. Dismount/close the virtual disk.
3. Copy the single virtual encrypted disk file to the cloud directory.

If you need to restore the backup or update/read a file from a different device, copy the encrypted disk file back out of the cloud to your local only copy. Open the virtual disk to read or edit. Close it. If edited, copy the virtual disk file back to cloud directory.

Your password manager’s encrypted database file ends up encrypted three times by three different encryption systems from three different vendors: the password manager vendor, the encrypted virtual disk vendor, and hopefully the cloud provider.

Note: A virtual encrypted disk is different from whole disk encryption and the virtual disk resolves down to a single file that is mounted as a new drive letter or directory when open and when closed the drive letter or directory is not available and the contents are encrypted regardless of the login status of your device.

Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

Reply | Quote

windbg wrote:

Your password manager’s encrypted database file ends up encrypted three times by three different encryption systems from three different vendors

And then when your system breaks and you need to access your cloud to restore the backup, you don’t have the password because it’s in the cloud.

Keep at least one copy of your password database local and away from your PC. And test that you can open it without using anything already installed on your PC.

cheers, Paul

1 user thanked author for this post.

windbg

Reply | Quote

There is also an option to store and use sensitive files in a third-party virtual local drive (using full disk encryption) that is integrated with OneDrive or another cloud provider.  Stablebit CloudDrive (https://stablebit.com/CloudDrive) seamlessly joins the local encrypted storage with the cloud encrypted storage, caching most frequently used files locally.  (By the developer of Stablebit Scanner and Stablebit DrivePool.)

[Moderator edit] CloudDrive is a commercial product costing $40. Please ensure you mention this when posting (advertising without prior approval is against Da rules)

Edit:  Sorry about the “advertising” aspect.  Yeah, it’s got a price tag as described by moderator.  Fred Langa’s article was very fine and informative (as usual), but I wanted to point out that there’s at least one exception to his note cautioning against relying on “whole-disk encryption” in connection with storing sensitive files on OneDrive.

Reply | Quote

Very informative and good article, but I do not see the full value of using VPN, as long as it is not a cloud provider that offers VPN. If you use VPN you get an extra layer of security but it is only to VPN provider, from there you need to trust HTTPS up to cloud provider. The fact that you want to disguise your location is probably of less interest since cloud provider already knows who you are.

1 user thanked author for this post.

b

Reply | Quote