Additional information on this topic can be found here.

If your Dropbox contains sensitive files, you might want to encrypt it for protection in the event your laptop is stolen. If you’re already running BitLocker or some other form of full-disk encryption, then you probably don’t need to worry about this. Otherwise, a free piece of software called TrueCrypt can help.

TrueCrypt works by creating an encrypted file on your hard disk that will act as a container for your sensitive documents. The encryption is based on a password you provide. To access the contents, you “mount” the container file, which makes it show up as a new drive letter on your computer. At that point you can create directories, and read and write files, just like you would with a USB key.

If all this sounds complicated, just think of TrueCrypt like a password-protected USB key.

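This page describes how to move your Dropbox folder to an encrypted TrueCrypt volume. The steps are for Windows XP, but I’ve included some notes for Windows 7. Note that this protects only the copy stored on this computer: Dropbox still syncs the individual files as usual, so TrueCrypt does not encrypt them on Dropbox’s servers or on your other devices.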

Instructions

Install TrueCrypt and create a new encrypted file container.

  1. Download TrueCrypt and run the installer.  This guide was created using version 7.0a, but you’ll want to grab the latest.
  2. Once it’s installed, run TrueCrypt and click Create Volume.
  3. Choose Create an encrypted file container and click Next.
  4. Choose Standard TrueCrypt volume and click Next.
  5. Click Select File then specify a new filename for the container.  Click Next.
  6. Click Next again to accept the default encryption settings.
  7. Specify the volume size and click Next.
    • It must be big enough to store all of the Dropbox files that you will sync to this computer.  You can also store non-Dropbox files in this container if you want, to encrypt but not sync them.
    • You won’t be able to easily resize it later, so make sure to give yourself adequate space for new files.
    • If hard disk space is a constraint, you can make it smaller than your Dropbox account and use the Selective Sync feature to only store a portion of your Dropbox on this computer.
  8. Provide a password which will be used for encryption and click Next.
    • We’re going to set things up so that you’ll need to enter this password every time you log into Windows in order to gain access to your sensitive files.
    • It’s important you don’t forget your password; if you do, you will lose access to the files stored in the container and also permanently lose any local changes you’ve made that haven’t yet been synced up to Dropbox.
    • Longer passwords are more secure than shorter ones.  If you pick a password that’s only a few characters long and your computer gets stolen by someone who knows what they’re doing, it will be trivial for them to crack it and gain access to your files.  You can combine a short password with a Keyfile to increase security, or use a Smart Card.
  9. Pick the NTFS filesystem, move the mouse around the window for a moment, then click Next.
  10. Wait for the container to finish formatting then click Exit.

Configure it to be mounted automatically at logon.

  1. In TrueCrypt, click Select File and pick the container file you created in the previous section.
  2. Click on an unused drive from the list in the top half of the TrueCrypt window (we’ll use F:).
  3. Click Mount and provide the password you created in the previous section.  (The container should now show up as a new drive in Explorer).
  4. Select Favorites from the menu bar, then click Add Mounted Volume to Favorites.
  5. If multiple volumes are shown, make sure the correct one is selected.
  6. Under Label of selected favorite volume provide a description (e.g. Dropbox Container).
  7. Checkmark Mount selected volume upon logon.
  8. Click OK.

Move your Dropbox to the encrypted drive.

  1. Start Dropbox if it’s not already running.
  2. Right click the Dropbox icon in the system tray and click Preferences.
  3. Click the Advanced tab, then under Dropbox location click Change and select the virtual drive that was created in the previous section (e.g. F:\).
  4. Click OK and wait for the move to complete.
  5. The current version of Dropbox (1.0.20) enforces that the folder be called “Dropbox”. Advanced users can use the pyDropboxPath tool to manually change the folder name if desired.

Delay Dropbox startup until after the volume is mounted.

If Dropbox runs before the encrypted drive is mounted, it will complain that it can’t find your Dropbox folder.  We need to turn off the “run at startup” feature, then create a login script that waits for the drive to become available before starting the program.

  1. In your Dropbox preferences, click the General tab, then turn off the checkmark beside Start Dropbox on system startup.
  2. Create a new text file called bootup.bat somewhere on your C: drive.
    • If file extensions are hidden by Explorer, you may need to turn them on to ensure the file gets the `.bat` extension rather than `.bat.txt`.  (The option in Explorer is under Tools | Folder Options | View, then under Advanced Settings select Show hidden files, folders and drives).
  3. Paste the following commands into the bat file:
    @echo off
    rem Once a second, check whether the volume is mounted
    echo Waiting for volume...
    :keepwaiting
    rem ping -n 2 sends two echoes about one second apart, giving a ~1 s delay
    ping -n 2 127.0.0.1 > nul
    if not exist F:\ goto keepwaiting
    start "Dropbox" "C:\Documents and Settings\YourUserName\Application Data\Dropbox\bin\Dropbox.exe"
  4. Tailor the script as follows, then save it:
    • Change `F:\` to the drive letter of your mounted volume (which you picked in step 2.2)
    • Change the path on the last line to include the location of the Dropbox application files.  e.g. On Windows 7 it would be:
      C:\Users\YourUserName\AppData\Roaming\Dropbox\bin\Dropbox.exe
  5. Create a shortcut to bootup.bat in your Startup folder.  Your startup folder is usually located at:
    • Windows XP: `C:\Documents and Settings\YourUserName\Start Menu\Programs\Startup`
    • Windows 7: `C:\Users\YourUserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`

Reboot and Test

Now reboot your computer. When you log on, you’ll see the bootup.bat window come up, with a TrueCrypt dialog in front asking for your password. Once you provide it, the encrypted volume will be mounted and Dropbox will start.

If you won’t need access to the files for this logon session, you can instead hit Cancel and close the black bootup.bat window.

Always close Dropbox before you dismount the encrypted volume.

If you try to dismount while Dropbox is still running, TrueCrypt will warn you. You’ll see a window that says “Volume contains files or folders being used by applications or system. Force dismount?”. You should click No, exit Dropbox, then try again.

Sensitive Dropbox configuration files (advanced)

There are a few sensitive files which Dropbox stores alongside the application. These include `config.db` (contains private keys that allow access to your Dropbox account), `filecache.db` (contains sync information about your files), etc. If your laptop is compromised, this information could be used to gain access to your account, or view portions of data (or at least metadata) from your files.

The *.db files are nominally located at:

  • Windows XP: C:\Documents and Settings\YourUserName\Application Data\Dropbox
  • Windows 7: C:\Users\YourUserName\AppData\Roaming\Dropbox

You can use DropboxPortableAHK to relocate the entire Dropbox application, including these files, to the encrypted drive. I tested this briefly (on XP) and at first glance it seems to work, but setup is beyond the scope of this article.

Another solution would be to move just the db files. I haven’t found a way to tell Dropbox to store these files in a different location, but you could move the files then create NTFS symbolic links to them in the original location. While not officially supported, a Dropbox staff member did suggest the idea some time ago in this thread. Vista and Win7 users should be able to create the symbolic links using the mklink command (though I didn’t test that).
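
One way to script the move-and-link approach described above on Vista or Windows 7, as an added example that is not from the original article and, like the idea itself, is not an officially supported Dropbox configuration. It assumes the volume is mounted as F:, uses a hypothetical target folder `F:\DropboxConfig`, and must be run from an elevated prompt of the same user account, since `mklink` needs administrator rights and `%APPDATA%` must resolve to that user's profile.

```batch
@echo off
rem Added example: relocate Dropbox's sensitive db files to the encrypted
rem volume and leave NTFS symbolic links in the original location.
rem Assumptions: F: is the mounted TrueCrypt volume and F:\DropboxConfig
rem is a hypothetical folder name chosen for this example.
setlocal
set "SRC=%APPDATA%\Dropbox"
set "DST=F:\DropboxConfig"

rem Refuse to run unless the encrypted volume is mounted.
if not exist F:\ (
    echo Encrypted volume F: is not mounted.
    exit /b 1
)

rem Dropbox keeps the db files open while running, so it must be closed first.
tasklist /FI "IMAGENAME eq Dropbox.exe" | find /I "Dropbox.exe" > nul
if not errorlevel 1 (
    echo Exit Dropbox before running this script.
    exit /b 1
)

if not exist "%DST%" mkdir "%DST%"

for %%F in (config.db filecache.db) do call :relocate %%F
endlocal
exit /b 0

:relocate
rem Skip files that are missing or were already replaced by a link.
if not exist "%SRC%\%1" goto :eof
dir /AL "%SRC%\%1" > nul 2>&1 && goto :eof
move "%SRC%\%1" "%DST%\%1" > nul || goto :eof
rem mklink <link> <target>: the link stays where Dropbox expects the file.
mklink "%SRC%\%1" "%DST%\%1"
goto :eof
```

Moving the files does not erase the old unencrypted copies from the free space of the original disk, so that data may remain recoverable until it is overwritten.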

In XP the situation is trickier. You can move an entire folder using the Junction utility, but unfortunately this would move the application files as well. That breaks the shell extension (which provides the overlay icons and context menu options in Explorer), since Explorer doesn’t have access to the dll file when the volume isn’t mounted. Conceivably, you could relocate DropboxExt.14.dll (or DropboxExt64.14.dll for 64-bit) to another location, but it would involve changing registry entries under the appropriate CLSIDs and likely make updating the software more difficult.

Additional Information

Note that TrueCrypt also has a full-disk encryption feature, but this page is written for people who, for one reason or another, prefer not to use it.

You can use USBCrypt instead, as described here. The author includes a neat trick which lets you auto-start Dropbox when the drive is mounted.

I haven’t gotten autorun working for TrueCrypt. (If it helps, here’s an unanswered question asking how to do just that: http://superuser.com/questions/120238/how-do-i-autorun-applications-after-mounting-a-truecrypt-container)

  • Tyler Whitney

    I’m not sure the point of this considering your files are NOT encrypted on Dropbox when you follow this procedure, they are ONLY encrypted on the COMPUTER. All the files being uploaded to Dropbox are not encrypted and when accessed from any other device or if Dropbox got hacked would be easily readable.

    • Joe

      I was thinking the same thing Tyler.

      • MO

        I would do the opposite of the guide
        I mean, putting my encrypted container into dropbox…
        So the data stored on dropbox is encrypted.
        I wonder why dropboxwiki would not suggest this :) IYSWAM

        • Pete

          Ditto, and have done it on my Mac. Only question I have is whether or not there are any issues that come up with having a volume within Dropbox when accessing from multiple computers. Do you just get the “xxx’s conflicted copy” message?

  • Tyler Whitney

    I mean, I get in the beginning you say “If your Dropbox contains sensitive files, you might want to encrypt it for protection in the event your laptop is stolen.” my point is I would be more worried about somebody hacking Dropbox than my laptop getting stolen. I think it’s far more likely too.

  • Anonymous

    I hope nobody is following this tutorial and thinking it would encrypt their data against dropbox.
    Because this is not the case – if you want to show Dropbox and their servers only encrypted data, you need to
    1) create a TC volume like “dropbox.tc”
    2) move this volume to your dropbox folder
    3) mount it and put all your stuff in it
    4) unmount and let dropbox sync the file

    • http://adumont.serveblog.net/ Alexandre Dumont

      Yes, in my opinion the article should clearly state that, in case people read it too fast a/o don’t realize that.

  • cronners

    Many thanks for this article. I’ve tried it and it works as stated and suits my needs, i.e. providing some protection for data on a laptop/desktop if it is stolen. When I logon, the TrueCrypt volume automounts and asks for the volume password. When entered, the volume mounts, and then dropbox loads and begins synchronisation. For the time being dropbox’s own security is good enough for me.

    I decided against putting the Truecrypt volume inside the dropbox folder as it appears (as far as I can see) to cause potential problems with synchronisation conflicts, can take a long time to synchronise, and only synchronises when you dismount.

  • sconaty

    Another option is http://safeboxapp.com. It also encrypts your content before it is synced to the cloud by Dropbox. However, unlike truecrypt it works at a file, rather than a drive volume, level. This makes Dropbox syncs quicker since only the impacted files need to be uploaded/downloaded. Also, since it doesn’t use a virtual volume there is no awkward mounting and unmounting of the volume before Dropbox can sync it (disclaimer: I’m a member of the Safebox development team).

  • Skay

    If you mount a file within your Dropbox account, does Dropbox have to re-update and upload the entire volume every time you change the contents? i.e. the whole container file is updated not just a few files as is normally the case when using Dropbox. For example, if you had a word document within a 10gb container, change a few words and re-save would Dropbox upload an entirely new 10gb file?

    • Steep

      Yes, I think it would. Since the container is only one file and this file has now been changed, dropbox would upload the entire file. The same thing goes for a TC container of 10 GB ONLY containing a 10 kB txt-doc (and nothing more). Change one letter, and you need to upload the entire 10 GB to dropbox.

      • zertyx

        No, it doesn’t. Dropbox will only upload the changed part of the big file. I did this in the past using a Truecrypt volume within Dropbox. Now I use Boxcryptor, which encrypts each file separately and which is more convenient for mobile use (there is an app for Boxcryptor).

  • Waste

    Thanks for wasting my time on this shit, seriously? what’s the point of all this if my files aren’t encrypted on dropbox.com they are only encrypted on my computer…

  • D-nnis

    Considering that the files inside TrueCrypt are __NOT__ encrypted in Dropbox: Is this a misleading article!?

  • Chris

    Within the spirit of this post, I’d like to suggest the following better bootup.bat — it assumes the container.dat will be mounted on K:

    @echo off
    rem Skip mounting if the volume is already available
    if exist K: goto startdropbox
    rem Mount the container on K: and wait until TrueCrypt exits
    start /wait "Truecrypt" "C:\Program Files\TrueCrypt\truecrypt.exe" /v "C:\Users\Username\container.dat" /lK /a /q
    if not exist K: goto nottoday
    :startdropbox
    start "Dropbox" "C:\Users\Username\AppData\Roaming\Dropbox\bin\Dropbox.exe"
    :nottoday

    Advantages – no need for hackish “ping”, will work if the volume is already mounted, has a built-in delay until password entry.