Encryption Solution: Local + Cloud
Can anyone share a good free encryption solution that works both locally (windows) and on cloud?
I'm not looking to encrypt everything on a PC, but only some files and folders. There are so many tools and apps available that it's confusing. Some have even been discussed on this forum in the past.
My goal is to satisfy these requirements:
1. Local encryption, so that if anyone is able to log into the computer, they won't be able to access the said files (even if they can access other un-encrypted files).
2. Cloud encryption. Even if someone logs in online, they won't have access to the encrypted data (even if they can get the un-encrypted files).
3. Ideally: free, open-source, portable app to encrypt/decrypt.
Currently I'm leading towards these two solutions. Please share your comments and solutions:
1) Veracrypt + Dropbox
Create a Veracrypt container file in Dropbox sync folder. Dropbox will upload the whole file. Use the Veracrypt portable app to mount the file to work with the data: edit, add, delete.
Why Dropbox?
It supports delta sync (aka differential, incremental sync). So it won't upload the whole Veracrypt file after a minor change (unlike Google Drive), but only partially (I've already tested this piece and works as I've described).
2) Cryptomator + Dropbox
Cryptomator looks to be a free and open-source alternative to Boxcryptor that I see mentioned a lot.
Cryptomator looks to have an advantage over VeraCrypt:
- For VeraCrypt I need to specify the container size in advance, which could be an over- or under-estimate. Then I'm stuck with the initial size (unless I create a new container). But Cryptomator encrypts at the file level (if I understood correctly), so no need to specify any size in advance. It'll encrypt each file which Dropbox will upload, no single large file (unlike Veracrypt).
- Can you please comment on this, is my understanding correct?
(Possible) Advantage of Veracrypt over Cryptomator:
- Since Veracrypt has only a single file, I think back up of this file itself might be simpler? You can just copy the single file to an external disk.
I also see two other tools mentioned in online discussions:
Duplicati and nCrypted
Any experience with these? Are they suited to what I'm looking to do?
I came across another program called CryptSync which uses 7-zip to do the encryption. I very much liked the idea of using 7-zip because I know I won't need any special tools to de-crypt. But I see two disadvantages:
- Requires you to maintain two copies of the data: encrypted folder + un-encrypted folder
- Local data is un-encrypted, so doesn't satisfy my requirement 1.
Re: Encryption Solution: Local + Cloud
I use #1 -- DropBox and VeraCrypt. Haven't had any issues with it.
Re: Encryption Solution: Local + Cloud
How did you decide on size of Veracrypt container?
I'm thinking maybe create a container file to cover the full dropbox space allowance and upload it.
Did you look into any of the other tools I mentioned and found Veracrypt to be better or did you not even need to bother with them after Veracrypt?
Can you share some details of your solution please, like do you use one container file or several, etc?
Thank you.
Re: Encryption Solution: Local + Cloud
I only encrypt things that really need to be protected. The inherent DropBox protection is sufficient for most of what I store in the cloud. This in turn means that a smaller container can be used for the critical stuff that I don't want getting loose if DropBox gets hacked.
get_g0ing wrote: ↑Tue Sep 04, 2018 11:14 am
How did you decide on size of Veracrypt container?
I'm thinking maybe create a container file to cover the full dropbox space allowance and upload it.
Did you look into any of the other tools I mentioned and found Veracrypt to be better or did you not even need to bother with them after Veracrypt?
Can you share some details of your solution please, like do you use one container file or several, etc?
Thank you.
I use DropBox to automatically backup pictures from cell phones -- which would make a total encrypted volume unworkable.
I want to be able to share some items between PCs and/or mobiles without having to worry about encryption -- that lets me have access to a shared storage space that is several times larger than the storage on my tablet, for example.
I chose VeraCrypt as the successor to TrueCrypt -- and one that has had a lot of people spend a lot of time looking for bugs, backdoors, etc. I don't know that to be true for the other software that you mentioned. VeraCrypt lets me use cascading ciphers and extremely long random keys.
A note on 7-zip: the last I checked, you had to explicitly encrypt files every time you added them to the archive or updated them. Otherwise, those changes went in unencrypted. That may have changed since I last looked.
Re: Encryption Solution: Local + Cloud
Did you test this with a small change to an encrypted file? I'm curious about how this could possibly work with an encrypted volume for VeraCrypt. Most good encryption should make large changes to an entire volume even with a small change to the actual. I used Dropbox with TrueCrypt (the predecessor to VeraCrypt) before it stopped being maintained. It definitely felt like every change required the entire volume to be re-uploaded for me.
I switched to EncFS, it's faster to upload since individual files are separate but I don't care for the interface of starting and stopping the application as much. I'm interested if anybody else has experience with Cryptomator as I hadn't heard of it. One thing to consider is that file-based (as compared to volume encryption) allows someone to see how many files are there and their relative size. For my use, I don't really have an issue with it but at some level it is slightly less secure.
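Why a small edit inside a container need not rewrite the whole file, as an added illustration that is not part of any post in this thread: disk-encryption tools such as VeraCrypt encrypt each sector independently (XTS mode), so an edit only changes the ciphertext of the sectors it touches, while re-encrypting a whole archive under a fresh nonce changes every byte. The toy HMAC-based cipher, the 512-byte sector, the 4096-byte sync chunk and all names below are assumptions chosen for the demo; the cipher models locality only and is not secure.

```python
import hashlib
import hmac

SECTOR = 512   # bytes encrypted as one independent unit (assumed for the demo)
CHUNK = 4096   # size of the pieces a delta-sync client hashes (assumed, not Dropbox's real value)


def _keystream(key, label, n):
    """Expand key + label into n pseudo-random bytes (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sectors(key, plaintext):
    """Container style: each sector is encrypted on its own, bound to its index.

    Stand-in for XTS. Reusing a keystream per sector is NOT safe in practice;
    it is used here only because it has the same locality property.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), SECTOR):
        sector = plaintext[offset:offset + SECTOR]
        tweak = b"sector" + (offset // SECTOR).to_bytes(8, "big")
        out += _xor(sector, _keystream(key, tweak, len(sector)))
    return bytes(out)


def encrypt_archive(key, nonce, plaintext):
    """Archive style: the whole file is one stream, re-encrypted under a new nonce per save."""
    return nonce + _xor(plaintext, _keystream(key, b"archive" + nonce, len(plaintext)))


def chunk_hashes(blob):
    return [hashlib.sha256(blob[i:i + CHUNK]).digest() for i in range(0, len(blob), CHUNK)]


def changed_chunks(old, new):
    """Indices of chunks a block-level sync client would have to re-upload."""
    a, b = chunk_hashes(old), chunk_hashes(new)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


def demo():
    key = b"constructed-demo-key"               # constructed, not a real secret
    before = bytes(range(256)) * 1024           # 256 KiB of constructed "volume" contents
    edited = bytearray(before)
    for i in range(100_000, 100_010):           # a 10-byte edit in the middle
        edited[i] ^= 0xFF
    after = bytes(edited)

    sector_changed = changed_chunks(encrypt_sectors(key, before),
                                    encrypt_sectors(key, after))

    # Fixed nonces keep the demo repeatable; a real tool would draw them at random.
    archive_after = encrypt_archive(key, b"\x02" * 16, after)
    archive_changed = changed_chunks(encrypt_archive(key, b"\x01" * 16, before),
                                     archive_after)
    return sector_changed, len(archive_changed), len(chunk_hashes(archive_after))


if __name__ == "__main__":
    sector_changed, archive_changed, archive_total = demo()
    print("sector-encrypted container, chunks to re-upload:", sector_changed)
    print("re-encrypted archive, chunks to re-upload:", archive_changed, "of", archive_total)
```

Whether the saving is realised depends on the sync client: one that compares chunks re-sends only the changed chunk, while one that uploads whole files re-sends the full container either way.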
Re: Encryption Solution: Local + Cloud
Thanks for sharing the details.
GAAP wrote: ↑Tue Sep 04, 2018 11:41 am
I only encrypt things that really need to be protected. The inherent DropBox protection is sufficient for most of what I store in the cloud. This in turn means that a smaller container can be used for the critical stuff that I don't want getting loose if DropBox gets hacked.
get_g0ing wrote: ↑Tue Sep 04, 2018 11:14 am
How did you decide on size of Veracrypt container?
I'm thinking maybe create a container file to cover the full dropbox space allowance and upload it.
Did you look into any of the other tools I mentioned and found Veracrypt to be better or did you not even need to bother with them after Veracrypt?
Can you share some details of your solution please, like do you use one container file or several, etc?
Thank you.
I use DropBox to automatically backup pictures from cell phones -- which would make a total encrypted volume unworkable.
I want to be able to share some items between PCs and/or mobiles without having to worry about encryption -- that lets me have access to a shared storage space that is several times larger than the storage on my tablet, for example.
I chose VeraCrypt as the successor to TrueCrypt -- and one that has had a lot of people spend a lot of time looking for bugs, backdoors, etc. I don't know that to be true for the other software that you mentioned. VeraCrypt lets me use cascading ciphers and extremely long random keys.
A note on 7-zip: the last I checked, you had to explicitly encrypt files every time you added them to the archive or updated them. Otherwise, those changes went in unencrypted. That may have changed since I last looked.
Re: Encryption Solution: Local + Cloud
Just a thought. When I went through this project recently on a Mac, I discovered that I could easily have an unencrypted Mac with an encrypted folder, but if I wanted to trash an item out of the encrypted folder it would become unencrypted if I simply dragged it to the trash. To properly trash the item in the latter scenario, I would have to create a new encrypted folder that I would trash and transfer documents to it. I'd have to do that every time I wanted to toss something away. That was a pain.
So I encrypted my computer - MUCH easier!
Re: Encryption Solution: Local + Cloud
Yes, I did. I tried very small changes like creating a blank text document or adding a couple of letters in a text file.
adam1712 wrote: ↑Tue Sep 04, 2018 11:52 am
Did you test this with a small change to an encrypted file? I'm curious about how this could possibly work with an encrypted volume for VeraCrypt. Most good encryption should make large changes to an entire volume even with a small change to the actual. I used Dropbox with TrueCrypt (the predecessor to VeraCrypt) before it stopped being maintained. It definitely felt like every change required the entire volume to be re-uploaded for me.
I switched to EncFS, it's faster to upload since individual files are separate but I don't care for the interface of starting and stopping the application as much. I'm interested if anybody else has experience with Cryptomator as I hadn't heard of it. One thing to consider is that file-based (as compared to volume encryption) allows someone to see how many files are there and their relative size. For my use, I don't really have an issue with it but at some level it is slightly less secure.
Re: Encryption Solution: Local + Cloud
I use Veracrypt and Google Drive. I'm extremely happy with the set up. I created a system where my VC containers are categorized by: (1) docs most frequently updated; (2) docs less frequently updated; and (3) a container devoted to pics only (I don't take many pics) so this isn't updated often. The purpose of the system was to allow for faster uploading of containers to Drive.
I keep two copies of each categorized container in the cloud. After updating docs in a container, I always delete one of the Drive containers first, upload the updated container, then delete the second Drive container to be replaced by a second copy of the first uploaded container. This way, I am subscribing to the 3-2-1 method of file storage (3 copies, on two different media, with one offsite). 3 copies (one encrypted container on the laptop) and two duplicate copies of each categorized container in Drive, on 2 different media (one on laptop HD and actually 2 in cloud storage), and actually 2 offsite in the cloud.
What I've since learned to do is multi-task and surf the web or do some other work while a container is being uploaded in the background. I've also found it doesn't take long for a container to be uploaded since I have them separated into a few different containers using the above-described categorization.
Re: Encryption Solution: Local + Cloud
I don't know if this helps the OP, but I have also settled on encfs and a variety of unix tools for backing up to various cloud and cloud-like repositories. I have no idea if encfs works on windows. What I do know is that the file-by-file encryption of encfs allows the full use of various tools available on all platforms for moving files around efficiently. Others can get to see how many files as well as their approximate sizes, but that is all.
When it comes to havoc, no one wreaks like me! - Dr. Heinz Doofenshmirtz
Re: Encryption Solution: Local + Cloud
Just curious if you guys don't mind me asking.... what type of files are you guys encrypting? And are you guys using this solution to prevent (i.e. dropbox, google drive) from having free access to your data once you upload it to the cloud?
Re: Encryption Solution: Local + Cloud
I tried Boxcryptor for a while and did not like it. I now just zip the files that I want to be more secure and put a strong password on the zip file.
Re: Encryption Solution: Local + Cloud
2015,
Thank you for sharing your encryption approach. Was there a particular reason that you chose GoogleDrive over Dropbox?
Victoria
WINNER of the 2015 Boglehead Contest.
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: Encryption Solution: Local + Cloud
I do the same. I use 7-zip. I can even access the files on my cell with an app that supports zip files with encryption. These are files that aren't changing all the time, so it isn't a big hassle for me.
Re: Encryption Solution: Local + Cloud
It was an easy decision because while DB charges $99/year for 1TB of storage Drive provides 15GB free. As is, I only use 5GB which includes the duplicate backups of each container I upload. I also like Google's very strong security measures. I've detailed in another thread how all of my financial accounts are linked to a dedicated Google email account with no phone number attached so it's not possible to be socially engineered. Instead, it can only be accessed via Yubikey, with access backups of Google Authenticator and the printed account access codes. I access this account and drive only in Avast's Bank Mode, which is separate and apart from my regular Comodo browser, and which serves as a computer within a computer. Before exiting Bank Mode, I wipe browsing history clean and it's as if the entire browsing session never existed.
I know there are others who are fans of paid encryption and paid storage due to auto backup and mirroring, but I don't like the idea of auto backup. I like manually controlling what goes to the cloud and quite frankly, it's extremely easy to update my containers using the method I described previously above. In fact, I'm deleting/replacing some containers containing updated files in Drive in the background right now while I'm on Bogleheads.
Some people think placing encrypted containers in already encrypted services such as DB and Drive is double work, but I disagree. I feel really secure knowing all of my files without exception lie behind encryption on my laptop and also while in the cloud.
Re: Encryption Solution: Local + Cloud
Yes, exactly. I use VC for the very reason that I want control over the encryption locally, and then I upload it to the cloud (in my case, Drive). With Drive, you have the ability to enable mirroring activity but I won't enable that in order to retain total encryption control.
boogiehead wrote: ↑Thu Sep 06, 2018 12:28 am
Just curious if you guys don't mind me asking.... what type of files are you guys encrypting? And are you guys using this solution to prevent (i.e. dropbox, google drive) from having free access to your data once you upload it to the cloud?
With VC, if you make a change to a single file in an encrypted container, the entire container (not just the file) must be uploaded replacing a previous container in the cloud. As I stated above, this isn't an issue for me because I categorize containers by files most frequently updated, less frequently updated, and infrequently updated. Deleting an older container version and replacing it with an updated container is no issue for me as it runs in the background while I do other things.
I experimented with maximum size of containers versus cloud upload/download time and settled on around 250MB maximum container size. My pics container is around 900MB but I almost never update it, and again, if I ever did have to upload a new container I would run it in the background anyway. Needing a maximum 5GB of storage, I only have a total of 5 containers, each uploaded twice to Drive so I have two copies in the cloud at all times.
Re: Encryption Solution: Local + Cloud
Thank you for sharing. I want to discuss little bit more on Avast:
2015 wrote: ↑Thu Sep 06, 2018 8:46 pm
It was an easy decision because while DB charges $99/year for 1TB of storage Drive provides 15GB free. As is, I only use 5GB which includes the duplicate backups of each container I upload. I also like Google's very strong security measures. I've detailed in another thread how all of my financial accounts are linked to a dedicated Google email account with no phone number attached so it's not possible to be socially engineered. Instead, it can only be accessed via Yubikey, with access backups of Google Authenticator and the printed account access codes. I access this account and drive only in Avast's Bank Mode, which is separate and apart from my regular Comodo browser, and which serves as a computer within a computer. Before exiting Bank Mode, I wipe browsing history clean and it's as if the entire browsing session never existed.
I know there are others who are fans of paid encryption and paid storage due to auto backup and mirroring, but I don't like the idea of auto backup. I like manually controlling what goes to the cloud and quite frankly, it's extremely easy to update my containers using the method I described previously above. In fact, I'm deleting/replacing some containers containing updated files in Drive in the background right now while I'm on Bogleheads.
Some people think placing encrypted containers in already encrypted services such as DB and Drive is double work, but I disagree. I feel really secure knowing all of my files without exception lie behind encryption on my laptop and also while in the cloud.
By using Avast browser (or firefox or any other), I wonder if we are giving our private info to one company vs another (e.g. Google through Chrome). Maybe I need some education on this? Because if I use Avast because they *claim* it's really secure, then Google also claims that they are safe.
So my question is:
- How do I know any security or encryption company or service is telling the truth?
This is the reason I trust VeraCrypt because it's open-source and many security experts have reviewed its code to confirm it does what it says it does. For the same reason I preferred Cryptomator (open) over Boxcryptor (closed).
So questions about browsing internet and banking online:
- Is there a method or process recommended by professionals? In terms of which browser (plus extensions) is safest (after expert investigation).
Last edited by get_g0ing on Fri Sep 07, 2018 10:14 am, edited 1 time in total.
Re: Encryption Solution: Local + Cloud
I'm not sure I understand your question. I use Comodo Firewall as well as their chrome-based browser because it's less well known. I've used Comodo for years and am happy with it. Avast is a free anti-virus software that comes with some additional protection features, such as Bank Mode. The main reason I like doing all financial transactions in Bank Mode is it functions as a computer within a computer and wiping the history clean before closing out makes the session vanish as if it never happened. I also do some shopping at times in Bank Mode because after closing it out, unwanted tracking ads don't appear in my regular Comodo browsing sessions like they do when I don't shop in Bank Mode. I trust Avast because it works.
get_g0ing wrote: ↑Fri Sep 07, 2018 9:09 am
Thank you for sharing. I want to discuss little bit more on Avast:
2015 wrote: ↑Thu Sep 06, 2018 8:46 pm
It was an easy decision because while DB charges $99/year for 1TB of storage Drive provides 15GB free. As is, I only use 5GB which includes the duplicate backups of each container I upload. I also like Google's very strong security measures. I've detailed in another thread how all of my financial accounts are linked to a dedicated Google email account with no phone number attached so it's not possible to be socially engineered. Instead, it can only be accessed via Yubikey, with access backups of Google Authenticator and the printed account access codes. I access this account and drive only in Avast's Bank Mode, which is separate and apart from my regular Comodo browser, and which serves as a computer within a computer. Before exiting Bank Mode, I wipe browsing history clean and it's as if the entire browsing session never existed.
I know there are others who are fans of paid encryption and paid storage due to auto backup and mirroring, but I don't like the idea of auto backup. I like manually controlling what goes to the cloud and quite frankly, it's extremely easy to update my containers using the method I described previously above. In fact, I'm deleting/replacing some containers containing updated files in Drive in the background right now while I'm on Bogleheads.
Some people think placing encrypted containers in already encrypted services such as DB and Drive is double work, but I disagree. I feel really secure knowing all of my files without exception lie behind encryption on my laptop and also while in the cloud.
By using Avast browser (or comodo or firefox or any other), I wonder if we are giving our private info to one company vs another (e.g. Google through Chrome). Maybe I need some education on this? Because if I use Avast because they *claim* it's really secure, then Google also claims that they are safe.
So my question is:
- How do I know any security or encryption company or service is telling the truth?
This is the reason I trust VeraCrypt because it's open-source and many security experts have reviewed its code to confirm it does what it says it does. For the same reason I preferred Cryptomator (open) over Boxcryptor (closed).
So questions about browsing internet and banking online:
- Is there a method or process recommended by professionals? In terms of which browser (plus extensions) is safest (after expert investigation).
Google encrypts information during the process of uploading and downloading to Drive. It's not that I don't trust Google, but were I to place unencrypted sensitive information in Drive and say some rogue Google employee gained access, or if Google's servers were compromised, my information would be compromised. It's for this reason that I encrypt locally before uploading anything to the cloud, and it's for this reason that I don't use mirroring (I want complete control over the process locally).
A sibling who has worked in cloud security and for all of the big tech companies for decades was blown away when I explained my security process. He told me even the geeks don't go to the lengths I do. This made me feel secure in my process.
Re: Encryption Solution: Local + Cloud
My encryption scenario is similar to many above, but I'll chime in too, as I have a small twist to add.
* I use VeraCrypt with Google Drive. Similar to user 2015 above, I break up my encryption archives into four containers to reduce the wait for each update to upload. However, I break it up by general category - statements, taxes, etc. The statements container fills to capacity at the container size I've selected approximately every three years, so I have some historical containers with dates in the filename too.
* I've been doing this since about 2011 first with TrueCrypt and then later with VeraCrypt. The conversion of older containers to VeraCrypt was easy.
* I also have free cloud accounts with OneDrive and Dropbox (about 7 Gb due to the free extra space they've given with offers for referrals or connecting photos, etc). I have my iMac set to automatically copy the four containers to the other two cloud folders twice a month. I used Python, but apparently this is also easy to do with the Mac Calendar's Automator function. (Based on what I just learned about Dropbox's incremental uploads from the OP, however, I may consider switching up my workflow and making Dropbox my main container location where editing takes place and then send the twice-a-month copies to Google Drive and OneDrive going forward.)
Re: Encryption Solution: Local + Cloud
Cryptomator user here. I also have Veracrypt but use it primarily for whole disk encryption.
The cryptomator desktop application for windows and linux is a bit basic and not particularly well integrated IMO, but its mobile app is great. Very easy to link fingerprint to password/database to get quick access to files. Cryptomator really needs an auto-mounting feature similar to Veracrypt.
There's still a lot left to be desired in the open-source encryption space for a relatively seamless desktop (multiple OS support), cloud, and mobile user experience.
Re: Encryption Solution: Local + Cloud
Primarily financial and/or ID information: account numbers, tax records, pictures of passports, etc.
boogiehead wrote: ↑Thu Sep 06, 2018 12:28 am
Just curious if you guys don't mind me asking.... what type of files are you guys encrypting? And are you guys using this solution to prevent (i.e. dropbox, google drive) from having free access to your data once you upload it to the cloud?
You don't -- so layering security solutions is a reasonable countermeasure.
"Safest" is hard to define. Some things I do include:
- Use a current version of a well-supported browser.
- Don't use a browser that promises to speed up your connection by adding a proxy somewhere (several mobile browsers do this and some PC browsers).
- Start any such session with no other windows/tabs/sessions open.
- Use private-browsing/incognito-mode or similar to avoid saving cookies.
- Don't allow the site to recognize you for later, easier access.
- Use Two-Factor Authentication.
- Use long, random passwords.
- Never repeat passwords.
- Use a secure password manager.
- Avoid financial aggregation sites.
- Avoid web-based password managers.
- Always use HTTPS.
+1000 -- a shockingly primitive environment in general.
abracadabra11 wrote: ↑Fri Sep 07, 2018 10:33 am
There's still a lot left to be desired in the open-source encryption space for a relatively seamless desktop (multiple OS support), cloud, and mobile user experience.
Re: Encryption Solution: Local + Cloud
Hi,
abracadabra11 wrote: ↑Fri Sep 07, 2018 10:33 am
Cryptomator user here. I also have Veracrypt but use it primarily for whole disk encryption.
The cryptomator desktop application for windows and linux is a bit basic and not particularly well integrated IMO, but its mobile app is great. Very easy to link fingerprint to password/database to get quick access to files. Cryptomator really needs an auto-mounting feature similar to Veracrypt.
There's still a lot left to be desired in the open-source encryption space for a relatively seamless desktop (multiple OS support), cloud, and mobile user experience.
Can you please explain auto-mount of VeraCrypt, how do you use it?
Re: Encryption Solution: Local + Cloud
Because those open sessions may have access to whatever you're working with at the time. A lot of stuff is stored temporarily, even in incognito/private mode. If it's stored, it's accessible.
Re: Encryption Solution: Local + Cloud
And by financial aggregation sites, I think you mean sites like Mint?
I'm always uncomfortable with sites that ask login credentials of my bank. For example if you want to link bank to PayPal it will ask for actual credentials of online banking of the bank. Many other sites do this. I think even Fidelity likes to do this.
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Fri Sep 07, 2018 10:44 am
> boogiehead wrote: ↑Thu Sep 06, 2018 12:28 am
> > Just curious if you guys don't mind me asking.... what type of files are you guys encrypting? And are you guys using this solution to prevent (i.e. dropbox, google drive) from having free access to your data once you upload it to the cloud?
> Primarily financial and/or ID information: account numbers, tax records, pictures of passports, etc.
> You don't -- so layering security solutions is a reasonable countermeasure.
> "Safest" is hard to define. Some things I do include:
> - Use a current version of a well-supported browser.
> - Don't use a browser that promises to speed up your connection by adding a proxy somewhere (several mobile browsers do this and some PC browsers).
> - Start any such session with no other windows/tabs/sessions open.
> - Use private-browsing/incognito-mode or similar to avoid saving cookies.
> - Don't allow the site to recognize you for later, easier access.
> - Use Two-Factor Authentication.
> - Use long, random passwords.
> - Never repeat passwords.
> - Use a secure password manager.
> - Avoid financial aggregation sites.
> - Avoid web-based password managers.
> - Always use HTTPS.
> abracadabra11 wrote: ↑Fri Sep 07, 2018 10:33 am
> > There's still a lot left to be desired in the open-source encryption space for a relatively seamless desktop (multiple OS support), cloud, and mobile user experience.
> +1000 -- a shockingly primitive environment in general.
Excellent advice, every bit of it!
I would add: use nonsensical answers to all security questions and store those answers in your password manager with each associated account. I would also use a pin with any account that allows for its use, but particularly with your phone carrier to support thwarting of social engineering.
Re: Encryption Solution: Local + Cloud
2015 wrote: ↑Fri Sep 07, 2018 10:09 am
> get_g0ing wrote: ↑Fri Sep 07, 2018 9:09 am
> > 2015 wrote: ↑Thu Sep 06, 2018 8:46 pm
> > > It was an easy decision because while DB charges $99/year for 1TB of storage Drive provides 15GB free. As is, I only use 5GB which includes the duplicate backups of each container I upload. I also like Google's very strong security measures. I've detailed in another thread how all of my financial accounts are linked to a dedicated Google email account with no phone number attached so it's not possible to be socially engineered. Instead, it can only be accessed via Yubikey, with access backups of Google Authenticator and the printed account access codes. I access this account and drive only in Avast's Bank Mode, which is separate and apart from my regular Comodo browser, and which serves as a computer within a computer. Before exiting Bank Mode, I wipe browsing history clean and it's as if the entire browsing session never existed.
> > > I know there are others who are fans of paid encryption and paid storage due to auto backup and mirroring, but I don't like the idea of auto backup. I like manually controlling what goes to the cloud and quite frankly, it's extremely easy to update my containers using the method I described previously above. In fact, I'm deleting/replacing some containers containing updated files in Drive in the background right now while I'm on Bogleheads.
> > > Some people think placing encrypted containers in already encrypted services such as DB and Drive is double work, but I disagree. I feel really secure knowing all of my files without exception lie behind encryption on my laptop and also while in the cloud.
> > Thank you for sharing. I want to discuss little bit more on Avast:
> > By using Avast browser (or comodo or firefox or any other), I wonder if we are giving our private info to one company vs another (e.g. Google through Chrome). Maybe I need some education on this? Because if I use Avast because if they *claim* it's really secure, then Google also claims that they are safe.
> > So my question is:
> > - How do I know any security or encryption company or service is telling the truth?
> > This is the reason I trust VeraCrypt because it's open-source and many security experts have reviewed its code to confirm it does what it says it does. For same reason I preferred Cryptomator (open) over Boxcryptor (closed).
> > So questions about browsing internet and banking online:
> > - Is there a method or process recommended by professionals? In terms of which browser (plus extensions) is safest (after expert investigation).
> I'm not sure I understand your question. I use Comodo Firewall as well as their chrome-based browser because it's less well known. I've used Comodo for years and am happy with it. Avast is a free anti-virus software that comes with some additional protection features, such as Bank Mode. The main reason I like doing all financial transactions in Bank Mode is it functions as a computer within a computer and wiping the history clean before closing out makes the session vanish as if it never happened. I also do some shopping at times in Bank Mode because after closing it out and unwanted tracking ads don't appear in my regular Comodo browsing sessions like they do when I don't shop in Bank Mode. I trust Avast because it works.
> Google encrypts information during the process of uploading and downloading to Drive. It's not that I don't trust Google, but were I to place unencrypted sensitive information in Drive and say some rogue Google employee gained access, or if Google's servers were compromised, my information would be compromised. It's for this reason that I encrypt locally before uploading anything to the cloud, and it's for this reason that I don't use mirroring (I want complete control over the process locally).
> A sibling who has worked in cloud security and for all of the big tech companies for decades was blown away when I explained my security process. He told me even the geeks don't go to the lengths I do. This made me feel secure in my process.
Sorry let me try to explain again my concern:
You said "Bank Mode is it functions as a computer within a computer and wiping the history clean before closing out makes the session vanish as if it never happened". My point is that you got this information from Avast itself (I assume), but how do we know that they are actually doing this. What if they are secretly tracking all the info on their server? Or if they have secret backdoor like many companies.
I would be more trusting if there was some open-source browser and was audited and recommended by professionals (like VeraCrypt for encryption).
Re: Encryption Solution: Local + Cloud
I'm on a Mac. I'm using Google Drive (dropbox would work just as well) and use an encrypted MacOS sparsebundle disk image. I was too lazy to investigate 3rd encryption options.
Re: Encryption Solution: Local + Cloud
Mursili wrote: ↑Wed Sep 05, 2018 11:56 pm
> I don't know if this helps the OP, but I have also settled on encfs and a variety of unix tools for backing up to various cloud and cloud-like repositories. I have no idea if encfs works on windows. What I do know is that the file-by-file encryption of encfs allows the full use of various tools available on all platforms for moving files around efficiently. Others can get to see how many files as well as their approximate sizes, but that is all.
Yea, I also use encfs and find it the best and easiest for incremental backups to the cloud. The decrypted version is always mounted on my PC, while the encrypted version is continuously updated and ready for updates to the cloud.
UNIX tools like encfs and rsync, which are native to most Linux distros are by far the best encryption and backup tools out there. Never could find anything as good in Windows.
Re: Encryption Solution: Local + Cloud
get_g0ing wrote: ↑Fri Sep 07, 2018 11:21 am
> 2015 wrote: ↑Fri Sep 07, 2018 10:09 am
> > get_g0ing wrote: ↑Fri Sep 07, 2018 9:09 am
> Sorry let me try to explain again my concern:
> You said "Bank Mode is it functions as a computer within a computer and wiping the history clean before closing out makes the session vanish as if it never happened". My point is that you got this information from Avast itself (I assume), but how do we know that they are actually doing this. What if they are secretly tracking all the info on their server? Or if they have secret backdoor like many companies.
> I would be more trusting if there was some open-source browser and was audited and recommended by professionals (like VeraCrypt for encryption).
Maybe I'm not making myself clear. Avast's Bank Mode is not a VPN (although Avast's security suite allows for VPN, but you have pay for that, IIRC). I'm not interested in VPN due to the very concerns you cite, and because I don't feel I need VPN.
OTOH, Bank Mode is simply a type of browser, no different than if I were browsing using Firefox, Safari, Chrome, or any other browser. I only access financial sites which use the https: protocol.
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.
Re: Encryption Solution: Local + Cloud
2015 wrote: ↑Fri Sep 07, 2018 11:18 am
> GAAP wrote: ↑Fri Sep 07, 2018 10:44 am
> > boogiehead wrote: ↑Thu Sep 06, 2018 12:28 am
> > > Just curious if you guys don't mind me asking.... what type of files are you guys encrypting? And are you guys using this solution to prevent (i.e. dropbox, google drive) from having free access to your data once you upload it to the cloud?
> > Primarily financial and/or ID information: account numbers, tax records, pictures of passports, etc.
> > You don't -- so layering security solutions is a reasonable countermeasure.
> > "Safest" is hard to define. Some things I do include:
> > - Use a current version of a well-supported browser.
> > - Don't use a browser that promises to speed up your connection by adding a proxy somewhere (several mobile browsers do this and some PC browsers).
> > - Start any such session with no other windows/tabs/sessions open.
> > - Use private-browsing/incognito-mode or similar to avoid saving cookies.
> > - Don't allow the site to recognize you for later, easier access.
> > - Use Two-Factor Authentication.
> > - Use long, random passwords.
> > - Never repeat passwords.
> > - Use a secure password manager.
> > - Avoid financial aggregation sites.
> > - Avoid web-based password managers.
> > - Always use HTTPS.
> > abracadabra11 wrote: ↑Fri Sep 07, 2018 10:33 am
> > > There's still a lot left to be desired in the open-source encryption space for a relatively seamless desktop (multiple OS support), cloud, and mobile user experience.
> > +1000 -- a shockingly primitive environment in general.
> Excellent advice, every bit of it!
> I would add: use nonsensical answers to all security questions and store those answers in your password manager with each associated account. I would also use a pin with any account that allows for its use, but particularly with your phone carrier to support thwarting of social engineering.
Also store a description of the site image or whatever visual feature is provided that ensures you are actually on the right site -- don't trust your memory.
I launch the browser session from the password manager, never by doing a google search for it.
For the more advanced, using a true email alias (not just the gmail "userid+alias@example.com" thing) for each account that maps to a real account has some potential value -- it's hard to hack an email account that doesn't exist.
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Fri Sep 07, 2018 12:08 pm
> For the more advanced, using a true email alias (not just the gmail "userid+alias@example.com" thing) for each account that maps to a real account has some potential value -- it's hard to hack an email account that doesn't exist.
This sounds interesting, can you clarify what you mean please. I don't get it.
Re: Encryption Solution: Local + Cloud
get_g0ing wrote: ↑Fri Sep 07, 2018 11:02 am
> And by financial aggregation sites, I think you mean sites like Mint?
> I'm always uncomfortable with sites that ask login credentials of my bank. For example if you want to link bank to PayPal it will ask for actual credentials of online banking of the bank. Many other sites do this. I think even Fidelity likes to do this.
Exactly -- or any brokerage account that wants to log into other accounts to aggregate your portfolio information, etc.
I also allow very few automatic payments that are pulls from my checking account -- basically only two credit cards.
Re: Encryption Solution: Local + Cloud
I didn't read all of the messages in this thread but it depends on what you are trying to do.
For example, most businesses want the entire hard drive encrypted in case it gets stolen the data should be safe. Apple has encryption built in (AES256) that you can turn on. Microsoft has Bitlocker in some versions. One issue with full disk encryption is that once you log in, the drive is unlocked and anyone who has access to your machine can read the data.
Then you have products that create folders and you just drop your files in that folder and it will get encrypted.
As some others have touched on, some of the products have flaws in them, where unencrypted data may reside in memory or in a cache.
Also, as GAAP (and probably others) have mentioned there are reasons why you are told to close browsers, flush caches, etc. There are techniques called session hijacking that involve stealing your authenticated session and using it for malicious purposes. As everyone should know, there are a lot of security holes in software, web browsers, web apps, etc.
Even with some two factor systems, there are ways people get around them (SIM jacking) where they can go into a store and get your account moved from one sim to a sim they have and then they receive your security token via SMS. Brian Krebs has discussed this several times.
Security is tough. And since companies are rarely held liable, it isn't getting better as fast as it should be.
Re: Encryption Solution: Local + Cloud
rich126 wrote: ↑Fri Sep 07, 2018 12:29 pm
> I didn't read all of the messages in this thread but it depends on what you are trying to do.
> For example, most businesses want the entire hard drive encrypted in case it gets stolen the data should be safe. Apple has encryption built in (AES256) that you can turn on. Microsoft has Bitlocker in some versions. One issue with full disk encryption is that once you log in, the drive is unlocked and anyone who has access to your machine can read the data.
> Then you have products that create folders and you just drop your files in that folder and it will get encrypted.
> As some others have touched on, some of the products have flaws in them, where unencrypted data may reside in memory or in a cache.
> Also, as GAAP (and probably others) have mentioned there are reasons why you are told to close browsers, flush caches, etc. There are techniques called session hijacking that involve stealing your authenticated session and using it for malicious purposes. As everyone should know, there are a lot of security holes in software, web browsers, web apps, etc.
> Even with some two factor systems, there are ways people get around them (SIM jacking) where they can go into a store and get your account moved from one sim to a sim they have and then they receive your security token via SMS. Brian Krebs has discussed this several times.
> Security is tough. And since companies are rarely held liable, it isn't getting better as fast as it should be.
Good reminder. Of course everything has loophole:
Like fingerprint to unlock, even though it is supposed to be more secure than password. But if you are heavy sleeper, hypothetically someone can access your phone while you are sleeping in aeroplane
So just like something that is considered secure (fingerprint) may not be that secure, same way, something that is considered insecure (SMS as 2nd factor) may not be that insecure. For example when I call phone company to discuss my own account, it's only after authentication they discuss even a small detail.
Bottom line for me from these discussion is that we need to be between too little security and paranoia. Because if someone really wants to go after someone's data, a dedicated or expert attacker with resources can do so. But we should not also be the low hanging fruit that our data is accessed with little effort.
Last edited by get_g0ing on Tue Sep 11, 2018 9:40 am, edited 3 times in total.
Re: Encryption Solution: Local + Cloud
get_g0ing wrote: ↑Fri Sep 07, 2018 12:13 pm
> GAAP wrote: ↑Fri Sep 07, 2018 12:08 pm
> > For the more advanced, using a true email alias (not just the gmail "userid+alias@example.com" thing) for each account that maps to a real account has some potential value -- it's hard to hack an email account that doesn't exist.
> This sounds interesting, can you clarify what you mean please. I don't get it.
If you own your domain, you may have ability to do this. Basically, you create an alias that accepts inbound emails under one name while actually using another name. For example, Vanguard@example.com and Schwab@example.com could be pointed to MyFinances@example.com. You would login to MyFinances@example.com, but you could provide the others for logging into the appropriate sites. You would never tell anyone about MyFinances@example.com, and would never originate messages from it.
This works best for unidirectional email paths -- where only one party sends email (like brokerages and banks that have a secure messaging function internal to their website). Even a brokerage employee could not hack your actual email account, because they would never know what it really is. You would also know that any email coming from the brokerage would have to be addressed to that single alias -- and, by definition, if it shows up in your "regular" email account, it's bogus.
This is more a layer of obfuscation than actual security, protecting only some corner cases -- but the harder you make it for an attacker, the more likely they'll go somewhere else.
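The "if it shows up in your regular account, it's bogus" rule from the post above can be run as a mail filter. This is an added example, not code from the thread: the alias table, the `.example` sender domains and the sample messages are constructed, and it assumes the address the sender used is still visible in the `To`/`Cc` headers after alias forwarding.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed alias table: each alias is handed to exactly one institution.
# The aliases follow the post; the sender domains are placeholders under the
# reserved .example TLD, not the institutions' real mail domains.
ALIAS_SENDERS = {
    "vanguard@example.com": {"vanguard.example"},
    "schwab@example.com": {"schwab.example"},
}
HIDDEN_MAILBOX = "myfinances@example.com"  # never published, never sends mail


def _in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(raw_message):
    """Classify one raw message by the address it was sent to."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(rcpt_headers) if addr}

    # Nobody was ever given the real mailbox, so mail that names it is suspect.
    if HIDDEN_MAILBOX in recipients:
        return "direct-to-hidden-mailbox"

    # Mail claiming an institution's domain must arrive on that institution's alias.
    for alias, domains in ALIAS_SENDERS.items():
        if _in_domains(sender_domain, domains) and alias not in recipients:
            return "wrong-alias"

    # An alias that receives mail from anyone else has leaked or been shared.
    hit = recipients & set(ALIAS_SENDERS)
    for alias in hit:
        if not _in_domains(sender_domain, ALIAS_SENDERS[alias]):
            return "alias-leaked"

    # The From header is easy to forge, so a consistent alias is only a
    # necessary condition; it does not authenticate the sender.
    return "alias-consistent" if hit else "unrelated"


def _mail(sender, to):
    """Build a minimal constructed message with the given From and To."""
    return f"From: {sender}\nTo: {to}\nSubject: constructed sample\n\nbody\n"


# Constructed sample messages covering each outcome.
SAMPLES = {
    "statement": _mail('"Vanguard" <alerts@mail.vanguard.example>', "vanguard@example.com"),
    "phish_regular": _mail("security@vanguard.example", "me@example.com"),
    "phish_hidden": _mail("security@schwab.example", "MyFinances@example.com"),
    "spam_on_alias": _mail("offers@shop.example", "schwab@example.com"),
    "friend": _mail("friend@mail.example", "me@example.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {classify(raw)}")
```

The `alias-leaked` result is the side benefit of one alias per institution: it shows which address has been shared or harvested.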
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Fri Sep 07, 2018 2:13 pm
> get_g0ing wrote: ↑Fri Sep 07, 2018 12:13 pm
> > GAAP wrote: ↑Fri Sep 07, 2018 12:08 pm
> > > For the more advanced, using a true email alias (not just the gmail "userid+alias@example.com" thing) for each account that maps to a real account has some potential value -- it's hard to hack an email account that doesn't exist.
> > This sounds interesting, can you clarify what you mean please. I don't get it.
> If you own your domain, you may have ability to do this. Basically, you create an alias that accepts inbound emails under one name while actually using another name. For example, Vanguard@example.com and Schwab@example.com could be pointed to MyFinances@example.com. You would login to MyFinances@example.com, but you could provide the others for logging into the appropriate sites. You would never tell anyone about MyFinances@example.com, and would never originate messages from it.
> This works best for unidirectional email paths -- where only one party sends email (like brokerages and banks that have a secure messaging function internal to their website). Even a brokerage employee could not hack your actual email account, because they would never know what it really is. You would also know that any email coming from the brokerage would have to be addressed to that single alias -- and, by definition, if it shows up in your "regular" email account, it's bogus.
> This is more a layer of obfuscation than actual security, protecting only some corner cases -- but the harder you make it for an attacker, the more likely they'll go somewhere else.
Very cool. Likely a regular user might not need this as you already hint, but still very interesting. Out of curiosity, any way to do the same without owning a domain (using the popular email services)?
On related note: do you see any value to using these encrypted emails you sometimes hear about like Lava mail and Proton mail.
What about VPNs? Can they help with security of your identity or private data. A common criticism I hear is they themselves track you and keep logs.
Re: Encryption Solution: Local + Cloud
get_g0ing wrote: ↑Fri Sep 07, 2018 2:25 pm
> Very cool. Likely a regular user might not need this as you already hint, but still very interesting. Out of curiosity, any way to do the same without owning a domain (using the popular email services)?
> On related note: do you see any value to using these encrypted emails you sometimes hear about like Lava mail and Proton mail.
> What about VPNs? Can they help with security of your identity or private data. A common criticism I hear is they themselves track you and keep logs.
I've only seen aliases of this type available with owned domains. You could also try an obfuscation service like Abine Blur https://dnt.abine.com/#feature/masking.
I've rarely had a need to email anything with sufficient value from my personal account to justify encryption -- and encrypted files have done well for that.
I use a VPN anytime I'm on a public WiFi system -- on the assumption that the operator of that system is not my friend, or that others may be listening. Anyone listening will get random characters, even if the underlying protocol (like email), is sent in cleartext. I don't use it for privacy purposes.
Re: Encryption Solution: Local + Cloud
get_g0ing wrote: ↑Fri Sep 07, 2018 2:25 pm
> GAAP wrote: ↑Fri Sep 07, 2018 2:13 pm
> > get_g0ing wrote: ↑Fri Sep 07, 2018 12:13 pm
> > > GAAP wrote: ↑Fri Sep 07, 2018 12:08 pm
> > > > For the more advanced, using a true email alias (not just the gmail "userid+alias@example.com" thing) for each account that maps to a real account has some potential value -- it's hard to hack an email account that doesn't exist.
> > > This sounds interesting, can you clarify what you mean please. I don't get it.
> > If you own your domain, you may have ability to do this. Basically, you create an alias that accepts inbound emails under one name while actually using another name. For example, Vanguard@example.com and Schwab@example.com could be pointed to MyFinances@example.com. You would login to MyFinances@example.com, but you could provide the others for logging into the appropriate sites. You would never tell anyone about MyFinances@example.com, and would never originate messages from it.
> > This works best for unidirectional email paths -- where only one party sends email (like brokerages and banks that have a secure messaging function internal to their website). Even a brokerage employee could not hack your actual email account, because they would never know what it really is. You would also know that any email coming from the brokerage would have to be addressed to that single alias -- and, by definition, if it shows up in your "regular" email account, it's bogus.
> > This is more a layer of obfuscation than actual security, protecting only some corner cases -- but the harder you make it for an attacker, the more likely they'll go somewhere else.
> Very cool. Likely a regular user might not need this as you already hint, but still very interesting. Out of curiosity, any way to do the same without owning a domain (using the popular email services)?
> On related note: do you see any value to using these encrypted emails you sometimes hear about like Lava mail and Proton mail.
> What about VPNs? Can they help with security of your identity or private data. A common criticism I hear is they themselves track you and keep logs.
I am using ProtonMail just for this and only for my financial accounts. The email is fully encrypted.
Ie for Vanguard I’m using vanguard+my_email_address@protonmail.com, and for Bank of America I use bofa+my_email_address@protonmail.com
It works great and I use different email for each account but they go into same inbox.
This is only setup for my financial accounts
Re: Encryption Solution: Local + Cloud
MrNo wrote: ↑Sat Sep 08, 2018 10:26 am
> I am using ProtonMail just for this and only for my financial accounts. The email is fully encrypted.
> Ie for Vanguard I’m using vanguard+my_email_address@protonmail.com, and for Bank of America I use bofa+my_email_address@protonmail.com
> It works great and I use different email for each account but they go into same inbox.
> This is only setup for my financial accounts
My primary issue with this method is that it is trivial to search an email address for "+" and strip off the first part, leaving the true underlying address. I assume that the email header will transit several unfriendly locations on its route to the final destination -- and that at least one of those sites will have automated the process of looking for such addresses.
Secondarily, some sites just don't work with email addresses in that format.
However, these are not critical concerns, and there are definite benefits from doing this.
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Sat Sep 08, 2018 10:38 am
> MrNo wrote: ↑Sat Sep 08, 2018 10:26 am
> > I am using ProtonMail just for this and only for my financial accounts. The email is fully encrypted.
> > Ie for Vanguard I’m using vanguard+my_email_address@protonmail.com, and for Bank of America I use bofa+my_email_address@protonmail.com
> > It works great and I use different email for each account but they go into same inbox.
> > This is only setup for my financial accounts
> My primary issue with this method is that it is trivial to search an email address for "+" and strip off the first part, leaving the true underlying address. I assume that the email header will transit several unfriendly locations on its route to the final destination -- and that at least one of those sites will have automated the process of looking for such addresses.
> Secondarily, some sites just don't work with email addresses in that format.
> However, these are not critical concerns, and there are definite benefits from doing this.
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Sat Sep 08, 2018 10:39 am
> GAAP wrote: ↑Sat Sep 08, 2018 10:38 am
> > MrNo wrote: ↑Sat Sep 08, 2018 10:26 am
> > > I am using ProtonMail just for this and only for my financial accounts. The email is fully encrypted.
> > > Ie for Vanguard I’m using vanguard+my_email_address@protonmail.com, and for Bank of America I use bofa+my_email_address@protonmail.com
> > > It works great and I use different email for each account but they go into same inbox.
> > > This is only setup for my financial accounts
> > My primary issue with this method is that it is trivial to search an email address for "+" and strip off the first part, leaving the true underlying address. I assume that the email header will transit several unfriendly locations on its route to the final destination -- and that at least one of those sites will have automated the process of looking for such addresses.
> > Secondarily, some sites just don't work with email addresses in that format.
> > However, these are not critical concerns, and there are definite benefits from doing this.
For Gmail, most services reject the + format in my experience.
Re: Encryption Solution: Local + Cloud
GAAP wrote: ↑Fri Sep 07, 2018 4:06 pm
> get_g0ing wrote: ↑Fri Sep 07, 2018 2:25 pm
> > Very cool. Likely a regular user might not need this as you already hint, but still very interesting. Out of curiosity, any way to do the same without owning a domain (using the popular email services)?
> > On related note: do you see any value to using these encrypted emails you sometimes hear about like Lava mail and Proton mail.
> > What about VPNs? Can they help with security of your identity or private data. A common criticism I hear is they themselves track you and keep logs.
> I've only seen aliases of this type available with owned domains. You could also try an obfuscation service like Abine Blur https://dnt.abine.com/#feature/masking.
> I've rarely had a need to email anything with sufficient value from my personal account to justify encryption -- and encrypted files have done well for that.
> I use a VPN anytime I'm on a public WiFi system -- on the assumption that the operator of that system is not my friend, or that others may be listening. Anyone listening will get random characters, even if the underlying protocol (like email), is sent in cleartext. I don't use it for privacy purposes.
Clarification on the VPN use:
So if you are at a cafe with a Wifi that shows as "Open" (most home Wifi show up as "Secured"), and if you connect a VPN, does that make your connection secure?
- Pancakes-Eggs-Bacon
- Posts: 159
- Joined: Wed May 02, 2018 6:17 am
Re: Encryption Solution: Local + Cloud
The VPN establishes a secure tunnel between two endpoints:
1) Endpoint client device: Your cell phone, tablet, laptop, etc.
2) Endpoint server: Your commercial VPN provider's server.
From the 3rd party VPN provider's datacenter, your connection then exits onto the regular Internet, meaning your connection is only as good as whatever protocols are in use: HTTPS vs. HTTP, secure e-mail like IMAPS and SMTPS vs. unsecure e-mail, etc.
Everything in between those two endpoints can be considered protected by the VPN and more difficult to read without advanced level attacks and budgets, if at all.

Re: Encryption Solution: Local + Cloud
Pancakes-Eggs-Bacon wrote: ↑Sun Sep 09, 2018 3:13 pm
> The VPN establishes a secure tunnel between two endpoints:
> 1) Endpoint client device: Your cell phone, tablet, laptop, etc.
> 2) Endpoint server: Your commercial VPN provider's server.
> From the 3rd party VPN provider's datacenter, your connection then exits onto the regular Internet, meaning your connection is only as good as whatever protocols are in use: HTTPS vs. HTTP, secure e-mail like IMAPS and SMTPS vs. unsecure e-mail, etc.
> Everything in between those two endpoints can be considered protected by the VPN and more difficult to read without advanced level attacks and budgets, if at all.
1. So if I'm at a cafe and connect to a Wifi that shows as "Secured" and I don't use a VPN, am I equally secure or insecure as my home Wifi?
2. And if I connect to a Wifi showing as "Open" is it a best practice to use a VPN?
3. Is there any benefit (or use case) of using VPN on home Wifi?
thanks.
Re: Encryption Solution: Local + Cloud
Just FYI, encrypted USB drives are available which might be useful in some situation.
When I am traveling I have images of things like my passport, driver's license, credit cards, etc that I put on an Encrypted USB drive.
- Pancakes-Eggs-Bacon
- Posts: 159
- Joined: Wed May 02, 2018 6:17 am
Re: Encryption Solution: Local + Cloud
Yes and no. There's a higher likelihood of running into troublemakers when using public Wi-Fi. Some locations may be more hazardous than others, such as airports. Depends.
Just because your Wi-Fi connection shows as "Secure" doesn't mean it's secure. For example, there's a type of Wi-Fi attack known as "evil twin" where the attacker creates a fake Wi-Fi network with the same name; e.g. "Starbucks," "McDonalds," "Library," etc. and naive client devices like your cell phone, tablet, or laptop connect to it thinking it's secure, but all connections are then monitored by the attacker.
That, and the Wi-Fi provider itself could be infected or malicious. So maybe that Airport free Wi-Fi is heavily monitored or has corporate surveillance software that intercepts all your web traffic (even HTTPS) and does all sorts of bad things.
Summary: Not necessarily. I'd say public Wi-Fi is generally speaking less secure than home Wi-Fi even without VPN, since more bad apples are out and about in public. One would have to be a guest, neighbor, or sitting on the street outside your house in order to really cause harm to your home Wi-Fi.
Yes. Sometimes it's safer to just use your phone's mobile data (4G LTE) connection than connect to public Wi-Fi without a VPN.
Yes. I've been using a commercial VPN provider from home 24/7 for the past couple years now and won't ever go back. It helps prevent your ISP (Charter Spectrum, Comcast, Cox, AT&T, Verizon, etc.) from being able to surveil what websites you visit or to tamper with them.
Summary: Using a VPN at home helps protect you from your ISP. It can also protect you from attackers (hackers) on the Internet from targeting your real IP address since 99% of the time all they can see is your "fake" IP address from your VPN provider, which is shared with 1000s of other customers.
Edit: There are many other use cases. One -- which may be a Boglehead money-saving idea -- is that airplane tickets, car rental, and hotel reservations may be cheaper if you "appear" as though you are local to the destination. In other words, planning a trip to New York City? You might find cheaper prices if you VPN into New York City and appear like you're local instead of a "tourist."
Last edited by Pancakes-Eggs-Bacon on Sun Sep 09, 2018 3:45 pm, edited 2 times in total.
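A defender-side check for the "evil twin" situation described in the post above, as an added example that is not part of the thread: it flags a network name advertised with more than one security mode, or by an access point missing from a list you have verified. The scan records and the `KNOWN_APS` allowlist are constructed and hypothetical, not the output of any particular tool.

```python
from collections import defaultdict

# Constructed scan results (not real captures): one record per access point heard.
SCAN = [
    {"ssid": "CafeGuest", "bssid": "02:00:00:00:00:01", "security": "WPA2-Personal"},
    {"ssid": "CafeGuest", "bssid": "02:00:00:00:00:02", "security": "WPA2-Personal"},
    {"ssid": "CafeGuest", "bssid": "02:00:00:00:00:99", "security": "Open"},
    {"ssid": "HomeNet", "bssid": "02:00:00:00:00:10", "security": "WPA2-Personal"},
    {"ssid": "HomeNet", "bssid": "02:00:00:00:00:66", "security": "WPA2-Personal"},
]

# Hypothetical allowlist: access points the user has verified for a network name.
KNOWN_APS = {"HomeNet": {"02:00:00:00:00:10"}}


def find_suspicious(scan, known_aps):
    """Return {ssid: [reasons]} for network names that look impersonated."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        # Same name offered both secured and open is a common sign of a twin.
        modes = sorted({ap["security"] for ap in aps})
        if len(modes) > 1:
            findings[ssid].append("mixed security modes: " + ", ".join(modes))
        # For networks you have verified, any other hardware address is suspect.
        if ssid in known_aps:
            for ap in aps:
                bssid = ap["bssid"].lower()
                if bssid not in known_aps[ssid]:
                    findings[ssid].append("unverified access point: " + bssid)
    return dict(findings)


if __name__ == "__main__":
    for ssid, reasons in find_suspicious(SCAN, KNOWN_APS).items():
        for reason in reasons:
            print(f"{ssid}: {reason}")
```

A twin that copies both the security mode and the hardware address passes this check, so it complements the VPN advice in the thread instead of replacing it.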
Re: Encryption Solution: Local + Cloud
> get_g0ing wrote: ↑Sun Sep 09, 2018 3:26 pm
> > Pancakes-Eggs-Bacon wrote: ↑Sun Sep 09, 2018 3:13 pm
> > The VPN establishes a secure tunnel between two endpoints:
> > 1) Endpoint client device: Your cell phone, tablet, laptop, etc.
> > 2) Endpoint server: Your commercial VPN provider's server.
> > From the 3rd party VPN provider's datacenter, your connection then exits onto the regular Internet, meaning your connection is only as good as whatever protocols are in use: HTTPS vs. HTTP, secure e-mail like IMAPS and SMTPS vs. unsecure e-mail, etc.
> > Everything in between those two endpoints can be considered protected by the VPN and more difficult to read without advanced level attacks and budgets, if at all.
>
> 1. So if I'm at a cafe and connect to a Wifi that shows as "Secured" and I don't use a VPN, am I equally secure or insecure as my home Wifi?
> 2. And if I connect to a Wifi showing as "Open" is it a best practice to use a VPN?
> 3. Is there any benefit (or use case) of using VPN on home Wifi?
> thanks.

1. No -- you control the home Wifi, you have no idea who controls that "secured" wifi. I could provide you with a "secure" wifi that also happens to mirror everything you do to a server somewhere.
2. Yes.
3. The more securely you run your home Wifi, the smaller the use case and vice versa. There are other use cases, such as the desire to access content that is restricted to a geographic area.