Security is always possible but has rarely been easy. Storing unencrypted files and folders is much simpler and more compatible than going through the effort to use encryption. But the recent security flub at Dropbox set me looking for a secure way to store data there. Here’s a quick and easy way to create a secure, Dropbox-compatible disk image for Mac OS X.
Dropbox-Friendly
Yesterday, “Storagemistress” suggested a method of securely hiding … “stuff” … using the excellent open-source software, TrueCrypt. This has the advantage of cross-platform compatibility and obfuscation (she suggests using a movie title as “cover”) but isn’t all that Dropbox friendly. Change one bit in that file, and the whole thing will have to be re-synced.
Mac users have a great alternative method: The SparseBundle. This has a few advantages over monolithic disk images:
- SparseBundles are thin provisioned, growing as data is added and only taking up as much space as is actually used (to the nearest 1 MB), while conventional disk images are entirely provisioned when they are created.
- SparseBundles store data in 1 MB “bands” that can be independently synchronized with rsync or Dropbox, as opposed to conventional images that are stored as a single file.
These two elements make SparseBundles excellent for securing valuable data while protecting it off-site. Dropbox loves the 1 MB bands, and I feel better knowing my data is encrypted in case the service has another “oops” moment.
Create Your SparseBundle
Creating a SparseBundle Disk Image is fairly straightforward. Note that this only works in Mac OS X 10.5 “Leopard” and newer releases.
- Launch Disk Utility – I like to just type that into Spotlight, but it’s in Applications/Utilities
- Click “New Image” as seen in the image at the top of this post
- Give your SparseBundle a file name in “Save As” and locate it in a folder (e.g., your Dropbox folder!)
- Enter a friendly name for the disk image – this can be the same or different from your file name
- We’ll leave “Format” and “Partitions” untouched
- Click the dropdown menu for “Size” and select “Custom” to enter a custom maximum file size
- Click “Encryption” to enable 128- or 256-bit encryption
- Click “Image Format” and select “sparse bundle disk image”
- Now click “Create” to start the image process
- Since we selected encryption, a new dialog box will appear asking for a password – this is what you will enter every time you use this image, and Apple helpfully rates your password strength for you
- Click “Ok” and you’re done – the bundle will mount as a new drive
As you add and remove files from this disk image, they will be encrypted and stored in 2 MB “slices” (actually files in a directory). These work great with Dropbox, Rsync, and many other utilities.
This image can be mounted on any Mac, provided the password is known. But don’t try to mount it on more than one machine simultaneously!
Note: If you want to obscure these files, you can rename the SparseBundle. It won’t be usable from Finder, but you can still mount it from the command line using hdiutil. But it’ll be a directory of equal-sized files, so you won’t fool anyone who knows what they’re doing.
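The Disk Utility steps above, and the command-line mount the note mentions, can also be done entirely with hdiutil from Terminal. This is an added example, not from the original post; the function names, the 1g size, the volume name and the paths are assumptions.

```shell
#!/bin/sh
# Added example: command-line equivalent of the Disk Utility steps.
# Function names, sizes and paths are illustrative assumptions.

# create_vault BUNDLE SIZE VOLNAME [AES-128|AES-256]
# hdiutil prompts for the new passphrase on the terminal, so the
# passphrase never lands in argv or in shell history.
create_vault() {
    bundle=$1; size=$2; volname=$3; cipher=${4:-AES-256}
    case $cipher in
        AES-128|AES-256) ;;
        *) echo "cipher must be AES-128 or AES-256" >&2; return 2 ;;
    esac
    if [ -e "$bundle" ]; then
        echo "refusing to overwrite $bundle" >&2
        return 1
    fi
    # HFS+J is Mac OS Extended (Journaled); assumed here to be the
    # "Format" default that the steps leave untouched.
    hdiutil create -type SPARSEBUNDLE -fs HFS+J \
        -size "$size" -volname "$volname" \
        -encryption "$cipher" "$bundle"
}

# open_vault BUNDLE
# hdiutil is handed the path directly, which is how the note above
# mounts a bundle that has been renamed and no longer opens in Finder.
open_vault() {
    [ -d "$1" ] || { echo "no bundle at $1" >&2; return 1; }
    hdiutil attach "$1"
}

# close_vault MOUNTPOINT
# Eject before opening the image on another Mac.
close_vault() {
    hdiutil detach "$1"
}

# Usage (placeholder paths):
#   create_vault "$HOME/Dropbox/vault.sparsebundle" 1g Vault AES-256
#   open_vault   "$HOME/Dropbox/vault.sparsebundle"
#   close_vault  /Volumes/Vault
```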
Stephen’s Stance
Encryption is an important tool for individuals regardless of what they’re storing. Given the recent security failings of Dropbox, I highly recommend using methods like this to secure your important data before using the service!
lhagan says
I wouldn’t recommend this route. It seems like a great idea in theory, but in my experience, sparsebundles are just too fragile to be used this way (or really, in almost any way).
Just Google “corrupt sparsebundle” or check out:
http://forums.dropbox.com/topic.php?id=23260
http://forums.dropbox.com/topic.php?id=13785
I would recommend using smaller sparseimages for sensitive data rather than trying to encrypt the whole thing.
sfoskett says
Interesting feedback on sparsebundles with Dropbox. I’ve never had any issues, but I’m not really pounding on mine. Sparseimages seem like the direction encouraged in the forum…
BTW, I have deduced how Dropbox stores and deduplicates files. I’ll blog on it next week!
Bill says
Great article! Thanks. Could you offer a comment about how the updating of the files to Dropbox happens? That is, do I have to mount the image in order to use the files, then unmount it in order to have Dropbox update them?
thehobbo says
This is great info – I’ve been looking at Knox from Agilebits.com – to provide data encryption with personal data on dropbox.
However your instructions have shown me how to achieve what appears to be the same thing for free – cheers.
minnyapples says
Okay, I followed the instructions and now I see the new disk image on the finder which I labeled DB. Is that it? When I look at the info on disk utilities, it says it has 4 files (not the hundreds in my dropbox), is that correct? Do I eject the disk image, or always keep it on the finder?
jimmer says
Thanks for this article – it worked the first time for me. For secrets saved in a text file, I used Evernote. Select the text, right-click, and select encrypt. Enter your passcode and the text is hidden. It’s readily accessible from the web version of Evernote.
Ben says
This is, unfortunately, a terrible terrible idea. Never ever use a sparse disk image with dropbox.
Sparse bundles, as the article explains, are really just folders with a lot of smaller sub-files inside. Unfortunately, if you open the sparsebundle on one computer and then again on a second computer Dropbox will detect a collision between the two. It will then duplicate one of the bands and add a name to that file to indicate that there was a collision. The net result is then that your ENTIRE sparsebundle is now corrupt. Because files are stored across these bands, even deleting one of the bands and renaming the other one will not fix the issue. Trying to revert to an older version using Dropbox’s history will also not work because you need to make sure you revert the entire folder of bands to the same point in history – something Dropbox does not support. Manually reverting every file will also fail because the actual dates on the individual bands do not match up with the date of the sparsebundle as a whole.
I speak from experience here. I am a computer IT guy who did exactly what you described (not as a result of this article, just something I had decided to do myself) and wound up losing my entire sparsebundle for the reasons I described. Even having done a week’s worth of research and with a lot of low-level computer administration experience I could not resurrect my data. I was forced to revert to a separately backed up version from a time-machine disk.
Whatever format you use for encrypted files, they MUST be single, monolithic files to work with Dropbox. If they are not, you run the risk of Dropbox modifying the structure of the “bundle” and you will lose your data. If you must have smaller encrypted folders, do exactly that. Make several encrypted disk images (not sparsebundles) and use them like you would old-school floppy disks (but make them about 20 MB in size or something like that). Store a little bit on each disk based on what you want to keep together. But never ever use a sparsebundle.
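The collision described in the comment above leaves an extra, renamed file among the bands. The check below flags such files before the image is mounted. It is an added example, not part of the comment or the original post; it assumes band files sit in the bundle's bands directory under bare hexadecimal names, and the sample bundle it builds is constructed.

```shell
#!/bin/sh
# Added example: pre-mount sanity check for a synced sparse bundle.
# Assumption: band files live in BUNDLE/bands and are named with bare
# hexadecimal numbers (0, 1, ... a, b, ... 1f). Any other name in that
# directory was created by the sync client, not by macOS.

# check_bands BUNDLE
# Prints each unexpected entry. Returns 0 if clean, 1 if suspect files
# were found, 2 if the path does not look like a sparse bundle.
check_bands() {
    bands=$1/bands
    [ -f "$1/Info.plist" ] && [ -d "$bands" ] || {
        echo "not a sparse bundle: $1" >&2
        return 2
    }
    bad=0
    for f in "$bands"/*; do
        [ -e "$f" ] || continue        # empty directory, glob unmatched
        name=${f##*/}
        case $name in
            *[!0-9a-fA-F]*)
                echo "unexpected band entry: $name"
                bad=1 ;;
        esac
    done
    return $bad
}

# make_sample_bundle DIR
# Builds a constructed, empty stand-in for a bundle's on-disk layout
# so the check can be tried without a real image.
make_sample_bundle() {
    mkdir -p "$1/bands"
    : > "$1/Info.plist"
    : > "$1/token"
    for b in 0 1 a 1f; do : > "$1/bands/$b"; done
}

# Usage (placeholder path):
#   check_bands "$HOME/Dropbox/vault.sparsebundle" && echo "bands look clean"
```

A non-zero result means the bundle should be restored from a separate backup rather than mounted and written to.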