
UPDATE 2017-09-21: What follows is my workable but convoluted system for securing sensitive files in Dropbox. As an alternative, you may instead consider a zero-knowledge, encrypted backup service like SpiderOak. Easier. -JMT

There comes a time in every man’s life when he realizes that it’s totally not smart to keep sensitive personal documents in plain text on Dropbox.

[Screenshot: VeraCrypt mounting a volume]

For me, that time was last Monday. I spent this week searching for and experimenting with possible solutions, and I’ve now got a system in place that I’m pretty happy with, so I thought I’d share.

The problem, as I see it, is that the important stuff needs off-site backup — but the important stuff tends to be the same as the sensitive stuff, so it’s exactly the stuff that shouldn’t just be sitting on Dropbox. (Yes, I know Dropbox encrypts your data already. If that’s enough for you, more power to you.)

The system I’ve set up on my OS X Yosemite machine is this:

  1. Create a folder in ~/Documents called Encrypted. Collect all my important stuff there.
  2. Use VeraCrypt (free) to create an encrypted volume; we’ll call it EncryptedVolume.
  3. Use Carbon Copy Cloner ($40; worth it) to clone ~/Documents/Encrypted to EncryptedVolume.
  4. Place EncryptedVolume in ~/Dropbox.

Now you can just use your ~/Documents/Encrypted folder on an ongoing basis, and you don’t have to fool with opening encrypted volumes or anything else when you’re in a rush. Just use the folder as normal. And when you do have time, and/or you make important updates, use Carbon Copy Cloner to re-sync the folder to EncryptedVolume. CCC will only copy the updates, Dropbox will only upload the file difference, and nothing will be uploaded until the drive is encrypted and unmounted again. So everything is both efficient and secure during each step.

That’s the best compromise I could find between convenience and security. I chose VeraCrypt both because it’s open source and because it’s available for Windows, Mac and Linux. So if my computing situation changes and I’m ever in a pinch, I can open my encrypted documents on any computer* (I also chose to format EncryptedVolume as FAT for the same reason).

Of course, you can do this without CCC, as long as you don’t mind a little manual housekeeping. But CCC is already the bedrock of my backup solution, so it made sense to leverage it here, too.

*I had one hiccup on Linux — after Dropbox syncs EncryptedVolume to your Linux box, you need to give yourself write permission to the file, or the drive will be mounted read-only. You only need to do this once, the first time it downloads.
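
A scripted version of the manual housekeeping mentioned above, as an added example that is not the author's own setup: it refuses to run if the plaintext folder sits inside Dropbox or the container is not writable (the Linux hiccup in the footnote), then mounts, mirrors and always dismounts. It assumes the VeraCrypt command-line binary and rsync are installed; the function names and the mount point are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: re-sync the plaintext folder into the VeraCrypt container without CCC.
# Assumptions: VeraCrypt CLI reachable as $VERACRYPT, rsync installed, Dropbox at $DROPBOX.
VERACRYPT="${VERACRYPT:-veracrypt}"  # macOS: /Applications/VeraCrypt.app/Contents/MacOS/VeraCrypt
DROPBOX="${DROPBOX:-$HOME/Dropbox}"

# Canonical absolute path of an existing directory (symlinks resolved).
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Succeed only if the plaintext folder is outside Dropbox, the container file is
# inside it, and the container is writable (otherwise it mounts read-only).
check_layout() {
  local src box voldir
  src=$(real_dir "$1") || return 2
  box=$(real_dir "$DROPBOX") || return 2
  voldir=$(real_dir "$(dirname "$2")") || return 2
  case "$src/" in
    "$box"/*) echo "plaintext folder is inside Dropbox" >&2; return 1 ;;
  esac
  case "$voldir/" in
    "$box"/*) ;;
    *) echo "container is not inside Dropbox" >&2; return 1 ;;
  esac
  [ -w "$2" ] || { echo "container missing or not writable" >&2; return 1; }
}

# Mount, mirror, then always dismount, so Dropbox uploads only the closed container.
sync_to_container() {
  local src="$1" vol="$2" mnt="$3" rc=0
  check_layout "$src" "$vol" || return 1
  mkdir -p "$mnt"
  "$VERACRYPT" --text --mount "$vol" "$mnt" || return 1  # prompts for the password
  # -rt rather than -a: FAT stores no owners or permissions, and its timestamps
  # have 2-second resolution, hence --modify-window=1.
  rsync -rt --delete --modify-window=1 "$src"/ "$mnt"/ || rc=$?
  "$VERACRYPT" --text -d "$vol" || rc=$?
  return "$rc"
}

# Usage (mount point is hypothetical):
#   ./sync.sh ~/Documents/Encrypted ~/Dropbox/EncryptedVolume /tmp/encvol
if [ "$#" -eq 3 ]; then sync_to_container "$@"; fi
```

Because `--delete` mirrors removals, a file deleted from the plaintext folder also disappears from the container on the next run.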