Video Screencast Help

Problems using NetShare with Synchronization Utilities (e.g. Dropbox)

Created: 25 Mar 2011 • Updated: 27 Mar 2011 | 4 comments

I am using PGP Corporate Desktop v10.1.1 on a Windows 7 system, and I wanted to see how PGP would interact with Dropbox (http://dropbox.com).  My goal was to impose PGP encryption on Dropbox synced/shared data.

Dropbox auto-synchronizes a given local PC folder hierarchy across other participating PCs and a remote file store (operated by Dropbox and implemented on top of Amazon/S3).  Access to data is either through the identified folders on one of the participating PCs or via a web interface to the remote file store.  Dropbox is a recently popular instance of many available syncronization utilities, and provides a simple, automated and reasonably transparent way to share files, and to back them up and view them online.

It turns out that it's very easy to lose encryption of data in the synced online/remote location.  Here's an example:

  1. Use NetShare to CREATE a managed sub-folder of the Dropbox synced folder, and then create a file in that folder
  2. EXIT PGP Services
  3. The Dropbox REMOTE copy (there, having been synced by Dropbox) is NOT encrypted = Verify by browsing Dropbox website and viewing directly or downloading and viewing.
  4. The LOCAL copy IS encrypted and not viewable.

This is a disturbing interaction if your naive assumption is that objects under NetShare management will RELIABLY REMAIN ENCRYPTED wherever and however they are copied about.  I am told this problem does NOT exist when using Microsoft Sync Center to syncronize a local PGP NetShare folder and a remote file-share.  Dropbox is NOT creating remote file-shares.  What is it doing?

More generally, what is going on that could explain or allow for this kind of loss-of-encryption on copy?  Has either PGP or Dropbox architecture/design allowed for a race-condition between copy and encrypt actions?  Must it be the case that Dropbox syncronization is implemented "above" PGP in such a way (e.g. user-space operation) that it is seeing the unencrypted data streem?  Dropbox does binary diffs (see https://www.dropbox.com/help/8) before syncing in order to minimize bandwidth utilization, which at least vaguely suggests a lower level implementation.

Does anyone have experience with this or have a more knowledgeable perspective to share?

Comments 4 CommentsJump to latest comment

mms1380's picture

Hi,
Somewhat late posting on this one, but didn’t see anything much to close this one yet.

PGP NetShare is not really intended for the use you are describing and hence the result. One could of course argue that the PGP Desktop would “alarm” about files leaving a defined NetShare and being decrypted in the background. I have tested Dropbox myself and received the same result.

Here is my view on this:
The intension with PGP NetShare is to create  common area where authorized users can access and modify files. Files are being encrypted to defined keys when stored within this defined NetShare area. Policy can set files to remain encrypted when moved outside the NetShare area, but only when being moved to local (LAN) defined placed, including your own local machine. As soon as a file is being sent to a remote location with e.g. e-mail, FTP-client or remote backup-up with own compression/encryption the NetShare file copy to be sent is automatically being decrypted in the background by the PGP service before sent.

For your scenario you could view Dropbox as a background “FTP-sync” service that automatically sends off your files from your defined local Dropbox folder. Hence, PGP will decrypt all files before sending them off to the remote destination.

I agree with that it would have been nice with an notification option to be able to be informed about when automatic decryption is performed.

So, this explains your situation with Dropbox and PGP NetShare.

/M

mwoj's picture

I can't share this view.

PGP NetShare is indeed "to create common area where authorized users can access and modify files". But why storage location should be limited to la local LAN?

A remote location like cloud storage (in this example Dropbox) where an enterprise save/share securely their data is becoming very common and the counts proving the demand is increasing.

Hence this is a valid scenario for distributing files without remote VPN in at low bandwidth (depending on the area where you located) to the company and exchange files.

For example:

In a private managed cloud the infrastructure is dedicated , access is granted by the internal enterprise network and implemented by the Service Provider.

In a private hosted cloud the infrastructure is dedicated and managed by the Service Provider. The access can be done by VPN or public network. In this scenario there is a need to transparent encrypt the data in the cloud also make accessible to the employees form any place they working.

Funny trough, I recently done some research with Dropbox and S3 Services with NetShare before finding this post.

The reason why this currently does not work (I guess) is that NS (NetShare) filter driver does assume Dropbox is running in the user context so it does decrypt the file when the application is accessing it for read (and of course transfer).

The same like you would work with Word, the .doc is transparent decrypted when accessing/working with it.

There is a workaround I found to make this work but is not recomended for daily work:

Install DropBox on both computers:

On Computer A:

1) Stop Dropbox Sync

2) Create NS Folder in Dropbox folder and copy some files in it

3) Close the folder

4) Close PGPDesktop (if open) and PGPTray

5) Resume Dropbox Sync

On Computer B:

1) Start Dropbox

2) Let files sync

3) Stop Dropbox

4) Launch PGPTray and access the encrypted folder

 

Use the same procedure for the other direction.

In summary you can't work with Dropbox and NetShare at the same time, that’s why you running into the issue from the first post.

I would appreciate if Symc Dev/PM would explore other opportunities for the usage of NetShare mentioned above.

Thank you.

mwoj's picture

There seems to be a even more easier workaround to make this working for daily work:

Basically you need to add "Dropbox.exe" to the blacklisted programs, that prevent to decrypt files when accessing NetShare folders for syncing.

1) Navigate to tab "Consumers => Consumer Policy => Choose your NetShare Policy => "Desktop..." Button

2) Enable Blacklisting (Prevent the automatic decryption of files by the following applications:)

    Add "Dropbox.exe" to the blacklist at "Others:"

3) Save the settings

4) Refresh PGP Desktop Policy on the Client

Apply this setting on all clients who working with NetShare and DropBox.

Now the data should stay encrypted when synchronizing.

 

In my testing this only works with a bound Desktop (in combination with Universal Server), since I was not able to set the Preference in a standalone Desktop installation.

mms1380's picture

Hi,

I do agree, but I was only telling how NetShare works. At least with current version(s). Yes, one could apply 'Blacklisting' to prevent PGP NetShare from automatically decrypting, but that requires managed environment.

/M