Making Dropbox secure for lawyers and law offices

Filed under: Cloud | Tags: , , , |


Lawyers are particularly concerned about using cloud based service to store information. Here are some of the issues attorneys face:

  • I am handing over sensitive client matters to a third-party! Note: this is despite the fact that lawyers already do this when they store client files in a rented office.
  • Where are the files stored? Are any files stored outside of the United States?
  • What are the security procedures at the cloud service provider?
  • Who can see my data?
  • Will the data be handed over to law enforcement and under what conditions (subpoena)?
  • Will I be notified if data is handed over?

The flaw (some say the fatal flaw) with using a cloud service like Dropbox is the service ultimately has access to your files and could theoretically view or reveal your data.

There have been a number of workarounds including putting your files into an encrypted container. I discussed the trade-off with this in “Is Cloud Storage Secure Enough for Lawyers.” The problem is that you lose the benefit of constant synchronization: instead of files constantly being backed up and synced, you have to sync a single LARGE file when all you want to do is shut down your system and go home.


The goal has been per file encryption and services like Spider Oak have stepped up to the plate to offer this. However, moving away from Dropbox, means moving away from a known service which is currently the market leader with cross-platform application on desktop (Windows, Apple/Mac, and Linux) and mobile devices (iPhone, iPad, Android, Blackberry) plus many applications support Dropbox right out of the box!

Dropbox mobile

Dropbox just logo

Plus, Dropbox just works! Sync is hard. Just ask anyone who has tried to keep contacts synchronized between various computers and online services: you get old information, conflicts, and duplicates. With Dropbox files sync accurately and quickly — even “files” like Circus Ponies Notebook which are actually folders work!

Now, I’m not saying other service do not work just as well. It is just that any contender needs to be considerably better to make me move.

The ONE thing Dropbox lacks is — per-file encryption. That is, until SecretSync.


SecretSync is a cross-platform (PC, Apple and Linux) service which works with Dropbox and automagically pre-encrypts your files before they are sent up to DropBox’s servers.


But doesn’t that break all those apps which rely on Dropbox but don’t support SecretSync?

No. You can choose which files go into your SecretSync folder and which stay in your plain vanilla Dropbox folder.

  • Put your super-secret and confidential material into the SecretSync folder
  • Keep regular and app-specific folders (PlainText, Simplenote, TextExpander, WritingKit, iAnnotatePDF, JotNot) in your Dropbox folder. In other words: just keep them where they are!


Secret Sync provides a unique encryption key (one for each device) which you use to encrypt your data.

We’re a completely separate entity from Dropbox. We provide your encryption key dynamically to each computer where you’ve installed SecretSync.
We have absolutely no access to your files. SecretSync encrypts your files locally on your computer, using the key we provide. After the files have been encrypted, SecretSync puts the encrypted files in Dropbox, which syncs them.
So although we know the key, we have no access to your files. Dropbox has your files, but they’re encrypted.

Even though SecretSync provides the encryption key, SecretSync (the service) never sees your data. The SecretSync app encrypts the data on your system and before sending the encrypted data to Dropbox.

However, to be even more secure, you can also use a passphrase with the encryption key:

If you choose to use a passphrase, your passphrase is stored locally on your computer. You’re the only one with access to it. When SecretSync starts, it downloads the encryption key assigned to your account from our servers. On your computer, it uses a one-way SHA-256 hash function to combine your passphrase with the encryption key we provide. So when you use your own passphrase, our encryption key effectively becomes a ‘salt’ for your passphrase.

PBKDF2 is applied to generate a strong derived key, even if you provide a weak passphrase, like your password.

The passphrase can be any value, including your own encryption key. If you provide an actual encryption key here, e.g. a 256-bit truly random value, you’ve achieved a level of encryption that depends entirely on your private encryption key, since this is known only to you.

So, not only can you encrypt your data so that Dropbox can’t see it. You can encrypt in such a way that even SecretSync (the service) couldn’t unencrypt it!

What’s SecretSync cost?

  • Free for up to 2gb
  • $40 per year for up to a 20 gb encrypted directory
  • $60 per year for up to a 1 tb encrypted directory

Keep in mind that your SecretSync directory will be smaller than your Dropbox directory. Even if you pay for a 50 gb or 100 gb Dropbox account, you may only need a 20 gb encrypted SecretSync account.

Thanks to Randall Juip (twitter, google+) for his presentation at MILOfest for bringing this service to my attention!

Want another take on SecretSync? Check out what Lifehacker has to say.

Top image: Creative Commons License photo credit: DaveBleasdale