If your Dropbox contains sensitive files, you might want to encrypt it for protection in the event your laptop is stolen. If you’re already running BitLocker or some other form of full-disk encryption, then you probably don’t need to worry about this. Otherwise, a free piece of software called TrueCrypt can help.
TrueCrypt works by creating an encrypted file on your hard disk that will act as a container for your sensitive documents. The encryption is based on a password you provide. To access the contents, you “mount” the container file, which makes it show up as a new drive letter on your computer. At that point you can create directories, and read and write files, just like you would with a USB key.
If all this sounds complicated, just think of TrueCrypt like a password-protected USB key.
This page describes how to move your Dropbox folder to an encrypted TrueCrypt volume. The steps are for Windows XP, but I’ve included some notes for Windows 7.
Install TrueCrypt and create a new encrypted file container.
- Download TrueCrypt and run the installer. This guide was created using version 7.0a, but you’ll want to grab the latest.
- Once it’s installed, run TrueCrypt and click Create Volume.
- Choose Create an encrypted file container and click Next.
- Choose Standard TrueCrypt volume and click Next.
- Click Select File then specify a new filename for the container. Click Next.
- Click Next again to accept the default encryption settings.
- Specify the volume size and click Next.
  - It must be big enough to store all of the Dropbox files that you will sync to this computer. You can also store non-Dropbox files in this container if you want, to encrypt but not sync them.
  - You won’t be able to easily resize it later, so make sure to give yourself adequate space for new files.
  - If hard disk space is a constraint, you can make it smaller than your Dropbox account and use the Selective Sync feature to only store a portion of your Dropbox on this computer.
- Provide a password which will be used for encryption and click Next.
  - We’re going to set things up so that you’ll need to enter this password every time you log into Windows in order to gain access to your sensitive files.
  - It’s important you don’t forget your password; if you do, you will lose access to the files stored in the container and also permanently lose any local changes you’ve made that haven’t yet been synced up to Dropbox.
  - Longer passwords are more secure than shorter ones. If you pick a password that’s only a few characters long and your computer gets stolen by someone who knows what they’re doing, it will be trivial for them to crack it and gain access to your files. You can combine a short password with a Keyfile to increase security, or use a Smart Card.
- Pick the NTFS filesystem, move the mouse around the window for a moment, then click Next.
- Wait for the container to finish formatting then click Exit.
Configure it to be mounted automatically at logon.
- In TrueCrypt, click Select File and pick the container file you created in the previous section.
- Click on an unused drive from the list in the top half of the TrueCrypt window (we’ll use F:).
- Click Mount and provide the password you created in the previous section. (The container should now show up as a new drive in Explorer).
- Select Favorites from the menu bar, then click Add Mounted Volume to Favorites.
- If multiple volumes are shown make sure the correct one is selected.
- Under Label of selected favorite volume provide a description (e.g. Dropbox Container)
- Checkmark Mount selected volume upon logon.
- Click OK.
Move your Dropbox to the encrypted drive.
- Start Dropbox if it’s not already running.
- Right click the Dropbox icon in the system tray and click Preferences.
- Click the Advanced tab, then under Dropbox location click Change and select the virtual drive that was created in the previous section (e.g. F:\).
- Click OK and wait for the move to complete.
- The current version of Dropbox (1.0.20) enforces that the folder be called “Dropbox”. Advanced users can use the pyDropboxPath tool to manually change the folder name if desired.
Delay Dropbox startup until after the volume is mounted.
If Dropbox runs before the encrypted drive is mounted, it will complain that it can’t find your Dropbox folder. We need to turn off the “run at startup” feature, then create a login script that waits for the drive to become available before starting the program.
- In your Dropbox preferences, click the General tab, then turn off the checkmark beside Start Dropbox on system startup.
- Create a new text file called bootup.bat somewhere on your C: drive.
  - If file extensions are hidden by Explorer, you may need to turn them on to ensure the file gets the `.bat` extension rather than `.bat.txt`. (The option in Explorer is under Tools | Folder Options | View, then under Advanced Settings select Show hidden files, folders and drives).
- Paste the following commands into the bat file:
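```bat
@echo off
rem Every second, check to see if volume is mounted
echo Waiting for volume...
:keepwaiting
rem ping -n 2 sends two echo requests one second apart, giving a pause of about one second
ping -n 2 127.0.0.1 > nul
if not exist F:\ goto keepwaiting
rem The volume is mounted, so start Dropbox
start "Dropbox" "C:\Documents and Settings\YourUserName\Application Data\Dropbox\bin\Dropbox.exe"
```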
- Tailor the script as follows, then save it:
  - Change `F:\` to the drive letter of your mounted volume (which you picked in step 2.2)
  - Change the path on the last line to include the location of the Dropbox application files. e.g. On Windows 7 it would be:
- Create a shortcut to bootup.bat in your Startup folder. Your startup folder is usually located at:
  - Windows XP: `C:\Documents and Settings\YourUserName\Start Menu\Programs\Startup`
  - Windows 7: `C:\Users\YourUserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`
Reboot and Test
Now reboot your computer. When you log on, you’ll see the bootup.bat window come up, with a TrueCrypt dialog in front asking for your password. Once you provide it, the encrypted volume will be mounted and Dropbox will start.
If you won’t need access to the files for this logon session, you can instead hit Cancel and close the black bootup.bat window.
Always close Dropbox before you dismount the encrypted volume.
If you try to dismount while Dropbox is still running, TrueCrypt will warn you. You’ll see a window that says “Volume contains files or folders being used by applications or system. Force dismount?” You should click No, exit Dropbox, then try again.
Sensitive Dropbox configuration files (advanced)
There are a few sensitive files which Dropbox stores alongside the application. These include `config.db` (contains private keys that allow access to your Dropbox account), `filecache.db` (contains sync information about your files), etc. If your laptop is compromised, this information could be used to gain access to your account, or view portions of data (or at least metadata) from your files.
The `*.db` files are nominally located at:
- Windows XP: `C:\Documents and Settings\YourUserName\Application Data\Dropbox`
- Windows 7: `C:\Users\YourUserName\AppData\Roaming\Dropbox`
You can use DropboxPortableAHK to relocate the entire Dropbox application, including these files, to the encrypted drive. I tested this briefly (on XP) and at first glance it seems to work, but setup is beyond the scope of this article.
Another solution would be to move just the db files. I haven’t found a way to tell Dropbox to store these files in a different location, but you could move the files then create NTFS symbolic links to them in the original location. While not officially supported, a Dropbox staff member did suggest the idea some time ago in this thread. Vista and Win7 users should be able to create the symbolic links using the mklink command (though I didn’t test that).
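The symbolic-link approach for Vista and Windows 7, sketched as a batch script. This is an added example, not from the original page and not tested against Dropbox itself; `F:\DropboxConfig` is a hypothetical folder on the mounted volume, and `mklink` must be run from an elevated command prompt.

```batch
@echo off
rem Added example. Assumptions: the TrueCrypt volume is mounted as F:,
rem F:\DropboxConfig is a hypothetical target folder, and this script
rem is run from an elevated (Administrator) command prompt.
setlocal
set "SRC=%APPDATA%\Dropbox"
set "DST=F:\DropboxConfig"

rem Refuse to run unless the encrypted volume is mounted.
if not exist F:\ (
    echo Mount the TrueCrypt volume first.
    exit /b 1
)

rem Refuse to run while Dropbox still has the database files open.
tasklist /FI "IMAGENAME eq Dropbox.exe" | find /I "Dropbox.exe" > nul
if not errorlevel 1 (
    echo Exit Dropbox before moving its database files.
    exit /b 1
)

if not exist "%DST%" mkdir "%DST%"

rem List the real .db files once (/a:-d-l skips folders and existing links),
rem move each to the encrypted volume, then link it from the original path.
for /f "delims=" %%f in ('dir /b /a:-d-l "%SRC%\*.db" 2^>nul') do (
    move "%SRC%\%%f" "%DST%\" > nul
    mklink "%SRC%\%%f" "%DST%\%%f"
)
endlocal
```

The links dangle whenever the volume is not mounted, so this only makes sense together with the bootup.bat arrangement that starts Dropbox after the drive appears.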
In XP the situation is trickier. You can move an entire folder using the Junction utility, but unfortunately this would move the application files as well. That breaks the shell extension (which provides the overlay icons and context menu options in Explorer), since Explorer doesn’t have access to the dll file when the volume isn’t mounted. Conceivably, you could relocate DropboxExt.14.dll (or DropboxExt64.14.dll for 64-bit) to another location, but it would involve changing registry entries under the appropriate CLSIDs and likely make updating the software more difficult.
Note that TrueCrypt also has a full-disk encryption feature, but this page is written for people who, for one reason or another, prefer not to use it.
You can use USBCrypt instead, as described here. The author includes a neat trick which lets you auto-start Dropbox when the drive is mounted.
I haven’t gotten autorun working for TrueCrypt. (If it helps, here’s an unanswered question asking how to do just that: http://superuser.com/questions/120238/how-do-i-autorun-applications-after-mounting-a-truecrypt-container)