File Encryption and Dropbox

I have mentioned below how happy I am with Dropbox as I move between home and office. I am generally happy for the files to be transferred across the internet but do have one file where I would like a bit more security. So here’s what I did.

The general idea is to encrypt the file within Dropbox and to be able to decrypt it on more than one machine, for example, a home machine and a business machine. I am not involved in sharing files with others although gpg can cater for this as well.

I first used the password utility in Ubuntu 9.04 to define a personal password. As a process, this seems to vary a bit even within Ubuntu 9.04 so I started with a fresh install.

Applications,Accessories,Passwords and encryption keys
File,New and select ‘PGP key’
Give  your full name, your email address.
Enter the passphrase twice. Passphrases are always a compromise between something which you can actually remember and something which can be easily broken. I tend to err on the side of something you can remember although it is obviously better if the passphrase cannot be found in a dictionary.

It takes a fair old time to generate the key. Next we need to backup the full key. Needless to say, you should look after this backup file and keep it remote from the computers you use (for example on a memory stick). To do this:
right-click on your password line. Do not choose the export option as this will save only the public key. Instead:
properties, Details, Export and save the .asc file somewhere you can find it again.

You can now encrypt the file with:
gpg -e -r charles /home/charles/sqlite3/organiser.sqlite
where charles is the first name of the full name I gave to the password (though I believe gpg can recognise any of the names you give). Obviously the path above is specific to the file I want to encrypt.
This will create an encrypted file (in my case) organiser.sqlite.gpg in the same directory.

To decrypt the file you can use:
gpg -o /home/charles/sqlite3/organiser.sqlite -d /home/charles/Dropbox/sqlite3/organiser.sqlite.gpg

You can get the gist of gpg from ‘man gpg’ in a terminal.

That process would be a pain if you had to do it often so I have incorporated it in the Gambas application. Once you use a shell command from within Gambas, you tend to lose any error messages from gpg so it is wise to get Gambas to check that all is well after decryption.

Here is the form_open() procedure:

PUBLIC SUB Form_Open()
 DIM gpgRes AS Integer
 DIM iCont AS Integer


 'check that an encrypted file exists
 IF Exist("/home/charles/Dropbox/sqlite3/organiser.sqlite.gpg") THEN
    'Check whether a decrypted file already exists (it shouldn't)
    IF Exist("/home/charles/sqlite3/organiser.sqlite") THEN
       iCont = Message.Question("A decrypted database already exists. Do you want to continue?", "Yes", "No")
       IF iCont = 1 THEN 'overwrite the existing decrypted file
          gpgRes = 1
       ELSE 'close the program to remedy problem
          Message.Error("Program will terminate")
          gpgRes = 0
       gpgRes = 1
    Message.Error("Can't find the encrypted database. Program will terminate")
    gpgRes = 0

 IF gpgRes = 1 THEN
    'decrypt organiser.sqlite
    TRY SHELL "gpg --no-tty -o /home/charles/sqlite3/organiser.sqlite -d /home/charles/Dropbox/sqlite3/organiser.sqlite.gpg" WAIT
    'check that gpg has successfully decrypted the file
    IF Exist("/home/charles/sqlite3/organiser.sqlite") THEN
       'open locl file
       $hConnOrg.Type = "sqlite3"
       $ = "/home/charles/sqlite3/organiser.sqlite"
       sqlByCode = "select * from orgEntry order by 'o_code'"
       resOrg = $hConnOrg.Exec(sqlByCode)
       IF resOrg.count > 0 THEN
          lstRow = resOrg.Count
          lstCode = resOrg!o_code
          lstCode = 0
       Message.Error("There has been an error decrypting the datafile. Program will terminate")

We now do the reverse when we close the program down. In other words we create an encrypted data file in the Dropbox directory for distribution across the cloud and then delete the un-encrypted file on the computer:

PUBLIC SUB Form_Close()
   INC Application.Busy
   WAIT 1
   SHELL "gpg -e -r charles /home/charles/sqlite3/organiser.sqlite" WAIT
   IF Exist("/home/charles/sqlite3/organiser.sqlite.gpg") THEN
     SHELL "mv /home/charles/sqlite3/organiser.sqlite.gpg /home/charles/Dropbox/sqlite3" WAIT
     SHELL "rm /home/charles/sqlite3/organiser.sqlite" WAIT
     DEC Application.Busy
     DEC Application.Busy
     Message.Error("There has been a error encrypting the data file.\nPlease rectify the problem with gpg")

I could have used Gambas ‘move’ and ‘kill’ commands above but the shell to mv and rm seems to save a line.

Finally we need to install our private key on a second computer say at work rather than at home so that we can decrypt the file from another machine. As mentioned the .asc file with full backup created earlier should not be left on the hard disk and would ideally be on a memory stick.

On the second computer:
applications, accessories,Passwords and encryption.
file, import and find the full backup on the memory stick
This should set up the same entry that you had on the initiating computer and allow gpg to decrypt the same file.

When decrypting the file on a second machine, you may get an error message from gpg that the key is not trusted. I have not been able to solve this from the gui so open a terminal and:
gpg –edit-key charles
where charles is the key in question.
This results in a command prompt from which:
and then:
5 (for ultimate)
Well you do trust yourself don’t you?
From the command prompt, quit to exit and close the terminal window

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: