
Sharing files securely

Preview:
Often files should be securely shared with others. Even if the sharing doesn't need to be secure, sometimes the files are too big for email. Here are various methods for sharing properly and a few to avoid.

Yesterday I received a call from a company I'd billed. Their computer consultant had asked me to help with an issue. I worked with them and charged for an hour. I missed their bookkeeper's call, returned the call, and missed them. They wanted my tax ID information. I wouldn’t send it via insecure email. I didn't feel comfortable leaving that information in voice mail. How should I send it?

I made a simple text file and uploaded using a desktop application called FileMail. It took me only a minute to send them an email with a link to that document. I'll receive notification when it’s downloaded. It will automatically be deleted in a week. Everything is secure. It is simple. This is one tool in my secure file sending arsenal. There are some good and many bad options.

The Problems

Email is insecure and it often has size restrictions on how large attachments can be. It’s also poor form to attach large files.
  • Often files, like tax documents, are too big to be sent as email attachments.
  • Email is insecure.

Many people use a service instead of email. This is how the insecure services can fool you into thinking they’re secure.

The misdirections

  • "We send all files encrypted." - This is meaningless. Everybody sends everything encrypted. Even insecure email is usually sent encrypted. This just means it’s encrypted while in transit, not when at rest.
  • "All files are encrypted on our site." - This is better, but who has the keys? If their employees have the keys, the documents aren’t secure.

Other issues that pose a risk

  • Is their site safe from hackers? If they have the keys, and are hacked, the hacker might get your data.
  • Is your account safe from hackers? Do you use a secure password?
  • Could a corrupt employee compromise your security?
  • Of course, no service will protect the files on your computer or on your recipient’s computer.

The answer

So, you must use a system which offers these 4 points.
  1. You encrypt the documents on your computer.
  2. The documents remain encrypted while in transit and at rest on the service.
  3. The service cannot decrypt the files.
  4. Your recipient decrypts the files after they’re delivered.

That way the documents are safe. Of course, it must be so simple it’s as easy as just adding a file attachment to an email.

If someone hacks your account, or the service or an employee is corrupt, it doesn't matter. No one can read your files without your key. This is called "End to End encryption", sometimes abbreviated E2E.
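The four points above, worked through as an added example; this is not code from the article or from any service it names. It assumes the third-party Python `cryptography` package, uses its Fernet construction with an scrypt-derived key as a stand-in for whatever a real service implements, and the `Service` class and function names are hypothetical.

```python
import base64
import os
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

def _key(passphrase: str, salt: bytes) -> bytes:
    # Stretch the shared passphrase into a 32-byte key; the salt is not secret.
    kdf = Scrypt(salt=salt, length=32, n=2**15, r=8, p=1)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode()))

def sender_encrypt(plaintext: bytes, passphrase: str) -> bytes:
    # Point 1: encryption happens on the sender's computer.
    salt = os.urandom(16)
    return salt + Fernet(_key(passphrase, salt)).encrypt(plaintext)

def recipient_decrypt(blob: bytes, passphrase: str) -> bytes:
    # Point 4: only someone holding the passphrase recovers the file.
    salt, token = blob[:16], blob[16:]
    return Fernet(_key(passphrase, salt)).decrypt(token)

class Service:
    """Hypothetical file-sharing service: it stores only what is uploaded."""
    def __init__(self):
        self.store = {}

    def upload(self, blob: bytes) -> str:
        link = os.urandom(8).hex()
        self.store[link] = blob          # Point 2: ciphertext at rest
        return link

    def download(self, link: str) -> bytes:
        return self.store[link]

    def insider_read(self, link: str, guess: str):
        # Point 3: a breached server or corrupt employee has the blob
        # but not the passphrase, so decryption fails.
        try:
            return recipient_decrypt(self.store[link], guess)
        except InvalidToken:
            return None

if __name__ == "__main__":
    secret = b"constructed sample document"
    svc = Service()
    link = svc.upload(sender_encrypt(secret, "shared by phone, not by email"))
    print("insider sees:", svc.insider_read(link, "wrong guess"))
    print("recipient sees:", recipient_decrypt(svc.download(link),
                                               "shared by phone, not by email"))
```

The protection is only as strong as the passphrase, which has to reach the recipient over a different channel than the link.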

Google and Dropbox do not offer E2E encryption when sharing files. Microsoft jabbers a lot, and I think it might be possible if your tech person were skilled enough and you buy into enough of their enterprise solutions. But simply sharing a file on OneDrive is not secure.

This leaves us with three possible approaches:
  1. Use a service that does it right.
  2. Use a backup program that offers this service.
  3. Encrypt the files yourself then send them.

Two Services that "do it right"

Tresorit offers a service for $125/yr that is excellent if you need to transfer a lot of files securely. Accounting and law firms should look at it. You will have lots of secure file and folder storage on their service, all with E2E encryption so their employees don’t have access to it. You can share secure links and add passwords beyond that. They have a 7-day free trial if you’re interested in checking them out.

They also offer a wonderful free service that will create a secure link for you to attach to an email. I've written an article on it. The file is uploaded to their service and will be deleted in a day or a week or after some number of downloads. You can be notified when the file is downloaded if you give them your email address. You can add an additional password. The only flaw in the free service for occasional use is that there is an advertisement for Tresorit at the end after the recipient downloads the file.

FileMail is another service like Tresorit and seems as good. Their service is $150/yr and offers a 7-day free trial. They also offer a free service much like Tresorit's. The advantages are that they even have a Windows desktop app, and don’t have an advertisement at the end. The disadvantage is that they don’t offer an additional password with the free service.

A backup program that does it right

I use both Tresorit and FileMail for small single time files I want to share securely. I feel good about both. However, I use OneBackup from Spideroak for my secure backup. It only does E2E encryption. It can create secure links to single files that are backed up. You can also create a secure shared room with a secure link for others to use. You can add another password to the link to provide even better security. I put my tax information into a shared folder and gave my CPA access to it for taxes. I also have a folder with instructions for my death or incapacitation and my executor, brother and a friend all have access. It has copies of my advanced directive, will, durable power of attorney, password safe and other things they might need. The advantage of this being digital is that if I update some instructions, they will get the updated information when they download the files.

This is just an added benefit to the backup program and I don't need an additional service. I can also use it to share family photos or anything else I back up to the cloud, it doesn't have to be secure stuff.

However, I've become somewhat afraid of using Spideroak One Backup. They aren’t updating their software and some of their servers keep going down and needing repair. They’re pushing their enterprise solution a lot and I wonder if they are abandoning their regular backup option. Spideroak One is working wonderfully for almost all my clients, but a couple are having problems because the Spideroak servers they’re using keep going down and needing repair. I don't know if Spideroak will resolve this issue or if it will spread to other clients.

Do it yourself

All of these options assume that the password you used to secure the files you send is good enough to provide the security you require.

Besides using a service or OneBackup from Spideroak, you can encrypt your files yourself and get the password to the recipient either verbally or by some shared knowledge. This is the most difficult option, but it could be useful. One of the biggest problems that Spideroak and the services don't have is that the recipient must be able to decrypt the file. Here are three options:
  1. Zipping with a password
  2. AESCrypt
  3. VeraCrypt

Zip
The Zip format offers good encryption and decryption. Windows can decrypt password-protected files. But Windows can’t encrypt zipped files. Zipping files is a way to select a group of files and put them all together into a single file and compress them to save space. Instead of 1 or 5 or 500 files, you have a single file with all the extra space squeezed out. You can then add a password to protect those files.

I add 7-Zip to all the computers I set up, and it adds the ability to password protect your zipped files. 7-Zip is free and open source software and very well tested. 7-Zip integrates with Windows File Explorer, so you can zip and unzip by just right-clicking on a selection of files.

If you’re comfortable zipping files and then adding encryption, this can work for you. If the recipient has a Windows machine and knows the password, they can probably decrypt it. You can transfer the file any way you want, because you encrypted it and only you and the recipient have the password.
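A pre-send check for the zip approach, as an added example that is not part of the original article: it reads a zip's headers without any password and reports, per entry, whether it is encrypted and with which scheme. It goes slightly beyond the text by distinguishing AES entries from the older ZipCrypto scheme, which is weak, and it shows that file names and sizes stay readable either way. The function names and the sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry data is encrypted
AES_METHOD = 99          # compression method 99 marks WinZip-style AES entries

def audit_zip(data: bytes) -> list:
    """List what anyone holding the archive can see without the password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & ENCRYPTED_FLAG:
                scheme = "none"
            elif info.compress_type == AES_METHOD:
                scheme = "AES"
            else:
                scheme = "non-AES (typically legacy ZipCrypto)"
            report.append({"name": info.filename, "size": info.file_size,
                           "scheme": scheme})
    return report

def safe_to_send(data: bytes) -> bool:
    """True only if the archive has entries and every one is AES-encrypted."""
    report = audit_zip(data)
    return bool(report) and all(e["scheme"] == "AES" for e in report)

def constructed_sample(flags: int, method: int) -> bytes:
    """Constructed input: a one-file zip with its central-directory flag and
    method fields patched. The payload is not real ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("tax-id.txt", "placeholder text, not real data")
    raw = bytearray(buf.getvalue())
    header = raw.rfind(b"PK\x01\x02")          # central directory file header
    struct.pack_into("<HH", raw, header + 8, flags, method)
    return bytes(raw)

if __name__ == "__main__":
    for label, blob in [("plain", constructed_sample(0, 0)),
                        ("legacy", constructed_sample(1, 0)),
                        ("aes", constructed_sample(1, AES_METHOD))]:
        print(label, safe_to_send(blob), audit_zip(blob))
```

Because entry names are visible without the password, a revealing file name leaks information even when the contents are protected.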

AES Crypt
AES Crypt is another free and open source product that lets you encrypt files. It also integrates with Windows file explorer and makes it very simple to encrypt and decrypt files. The negative to this solution is that both the sender and receiver need to use it. But it’s very simple to use.

VeraCrypt
VeraCrypt is a program I've used frequently when clients need to keep some files (like client files or accounting or taxes) secure and encrypted on their computer. If you’re already using VeraCrypt and you’re sending your files to another VeraCrypt user, then you could send an entire VeraCrypt volume; with a good password, it is secure.



Date: April 2022


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

 
 