How does Encryption work?

Reading about your new add on for encryption sounds pretty exciting. I have some questions that I and others would probably like to know regarding using this service.

If the files are encrypted on one PC can they be de-crypted on another as long as you have the oDrive app, matching account, and pass phrase?

Adding on to the first question, if my PC dies, how do I get to the cloud data? Assumption-ally build a new PC with oDrive app, matching account, and pass phrase?

My first fear reading about the word “key-chain” listed on the announcement is I don’t have a Mac which is what I associate with the word key-chain. Where is the information stored on a Windows PC?

I understand why a new folder needs to be created for the encryption to work so with that in mind can I shuttle items around to keep an existing folder structure? (I assume yes)
ex. folder named “Stuff” renamed to “Stuff_temp” new “Stuff” created and encrypted. Contents of “Stuff_temp” moved into new “Stuff” that is encrypted.

Hi Marty,
Great questions! I moved your post into this existing thread because I think folks looking here will be able to benefit from these questions, and because I am still getting familiar with all the features on the new forum 🙂

If the files are encrypted on one PC can they be de-crypted on another as long as you have the oDrive app, matching account, and pass phrase?

Yup! You’ve got it exactly right. odrive knows that you have an encrypted folder defined. When you install on another system, it will display the encrypted folders. When you try to get into them it will ask you for your pass phrase to decrypt. The same goes for your second question, if you need to rebuild or reinstall on a PC.

My first fear reading about the word “key-chain” listed on the announcement is I don’t have a Mac which is what I associate with the word key-chain. Where is the information stored on a Windows PC?

This is a good point. We may need to add some additional language. On Mac it is stored in the keychain. On Windows it is in an encrypted registry entry.

I understand why a new folder needs to be created for the encryption to work so with that in mind can I shuttle items around to keep an existing folder structure? (I assume yes)
ex. folder named “Stuff” renamed to “Stuff_temp” new “Stuff” created and encrypted. Contents of “Stuff_temp” moved into new “Stuff” that is encrypted.

Correct. The files you put into the “Stuff” folder will need to enter through the “Encryptor” root folder. Anything that passes through there will be encrypted. In your scenario you could rename Stuff to Stuff_temp, sync (download) the items you want encrypted, and then drag them into odrive\Encryptor\Stuff. You would then see all of those files in an encrypted state when looking at the Stuff folder from outside of the Encryptor entry point.

I know that some of this can be a bit confusing at first, so just let me know if you need any additional clarification.

More information about encryption can be found here (Usage and FAQ at the bottom): https://www.odrive.com/features/encryption

There is also an in-depth thread on odrive encryption that details the exact Encryption and Decryption process, here: Encryption questions: Key storage, decryption process, and others

Thanks!

Let’s say a folder is encrypted with odrive and stored in dropbox. Can I download the encrypted folder on another computer from dropbox and decrypt it without going through odrive?

I’m trying to determine whether the encrypt/decrypt procedures can only be done via the odrive app.

The encrypted content is self-contained. You can move it to anywhere and create an encryption folder over the content to decrypt it.

Technically, you don’t need the odrive app to decrypt. You could perform the decryption steps with odrive.

Is there a specific use case you are trying to solve?

No specific use case. Just wanted to see if users are reliant on odrive to decrypt the data if we decide to use the encryption add-on. I assume there are ways to decrypt the encrypted content using the same passphrase with other software. I wouldn’t want to lose all my content in the event something happens to the odrive company.

This is something I’ve been looking for a while and am strongly considering moving my local backups to cloud storage + encrypted. Really excited to see this feature available now.

Got it. We designed our encryption feature to be portable, which is different but very powerful.

As you noted, this approach gives you independence from odrive. Your encrypted content is still your data. You have full control, you don’t need odrive to decrypt.

The other powerful capability is decoupling data management from encryption. You can backup, archive, and move your data without limitation. You can create encryption folders to view the content on any storage at any time in the future.

What do you mean you can decrypt your data without odrive? And how?

I stopped my trial period and pretty much lost the Encrypted folder access. So now I cannot recover the encrypted data without buying your subscription again. I did try encfs, but it doesn’t seem to work.

I don’t want to be tied to odrive to access my data, especially not have to pay $120 per year for backup data I will access from time to time.

If there is a way to get back the Encrypted data without having to pay again for the subscription, please provide a step-by-step way to do it.

I do like the idea of having my data encrypted in the cloud, and being able to sync whatever I need. But I don’t like the idea of being forced to pay a third party to recover my data, especially if you guys were to drop the service one day or simply decide to increase the price or anything!

Thanks for the feedback @Denis_Martin. Much appreciated.

When you canceled sync, the encryptor folder on your computer was moved to your recycle bin. You should be able to recover the decrypted files. If you need to turn encryption back on to get your data out, please contact customer service and we will give you some time to migrate.

Hi guys,

Is there any way to create encryption folders at different locations other than the main “Encryptor” folder?

My issue is this:
I want to sync & encrypt folder A on hdd 1, as well as sync & encrypt folder B on hdd 2.
Pro takes care of syncing multiple folders, but as is it right now, I can only have a single “Encryptor” folder.

Or am I missing something?

OK. I bit. Last year I was an enthusiastic supporter of encryption and Odrive. I started a subscription, created an encrypted folder on Amazon CloudDrive and … never was prompted for an encryption password. I can create new files and they remain unencrypted, whether accessed through ODrive or online via the Amazon CloudDrive website. Something is missing here…

Hi @darius and @EthanH,

We are discussing ways to make this a bit more intuitive, but for now let me explain a couple things.

There is an “Encryptor” folder that is created at the root of odrive once an Encryption point is created (odrive\Encryptor). This is where you will interact with any Encryption links you have created.

The Encryption links are still connected to the underlying storage that you pointed to when setting them up, but the interaction point is through “Encryptor” and not through the “standard” odrive links interface. If you do browse through the “standard” interface you will see the storage, as it exists on the linked source. It will interact with it in the same way it normally does, as that interface is not aware of the encrypted state of the files, nor does it want to be. If you were to drop files into Encryptor and then looked at the corresponding location in the “standard” interface, you will see the files are all garbled and unreadable (encrypted 🙂). For the most part, you never need to look at Encrypted stores through the standard interface unless you just want to see that the files are, indeed, encrypted.

Inside the Encryptor folder you will find all of the individual encrypted links you have created. It is almost like a second odrive root, except it is specifically for the encrypted links you have created.

Does that make sense?

If not, just let me know and I will explain further.

Hi Tony,

That was my thought based on the documentation in the Encryption area. The link that opens is named “Create encryption folder” rather than the documented “add encryption folder” but I figured it should work. The problem is that I cannot create a new folder except within an already-linked storage bucket. Amazon, Google, Dropbox, etc. are all available but no option to create a new root folder nor use the Encryptor folder that appeared in the root of odrive. The Encryptor folder does not appear in the web interface.

The same behavior occurs when I make an encrypted folder within a different cloud storage account. Odrive claims the encrypted link is made, creates the folder in the cloud provider’s account, but nothing appears within the Encryptor folder in the odrive root.

OK. One problem solved, now another. Restarting everything let me create an encrypted folder. The odrive web interface did make a new folder in CloudDrive and claimed that to have a matching one within the Encryptor folder. Unfortunately, the encrypted subfolder within odrive’s Encryptor folder does not exist.

Hi @EthanH,
That is correct. The encrypted folder you are creating will be within one of your linked sources. Think of it as a layer on top of your linked storage. When you create that new folder it will then appear inside the Encryptor folder at the root of odrive.

The flow will look something like this:
User has Dropbox linked at odrive/Dropbox (via the odrive desktop interface).
User creates an encrypted folder in Dropbox/My_Super_Secret_Stuff (via the odrive web interface).
Once that is created, a new folder will appear in odrive/Encryptor/My_Super_Secret_Stuff (via the odrive desktop interface).
When User drops data into odrive/Encryptor/My_Super_Secret_Stuff/ it will be automatically encrypted and uploaded. The encrypted data will be visible, in its encrypted state, in odrive/Dropbox/My_Super_Secret_Stuff.
The encrypted data will be visible as unencrypted only through odrive/Encryptor/My_Super_Secret_Stuff.

For the Encryptor folder not showing up, try a right-click->odrive->refresh in that directory. The desktop client may not have picked it up yet, so you can nudge it along.

Thanks - that was the ticket. Neither rebooting nor using a different computer showed anything within the Encryptor folder. I needed to do a manual odrive>refresh.

This brings up a different problem for those odrive customers on Windows. Encrypted folder and filenames are mangled. That’s great - no reason to let a cloud provider see the actual filename. A potential gotcha is that the names as stored with the cloud provider are a minimum of 56 characters long, and quickly grow with longer file or folder names. Windows still maintains a 256 character limit on a maximum path length (all folders from the root and the current filename) for standard use in Explorer, etc. Yes, you can circumvent this, but it is difficult.

Most cloud providers’ Windows desktop clients default to syncing everything. When odrive encryption is enabled, it is easy to create a folder path that blasts over the 256 character limit and requires jumping through hoops with PowerShell to access or maintain. Standard Windows backups choke on these folders as do virus scanners, etc. Giving a warning about this behavior and providing instructions on how to disable full syncing for at least the most common cloud clients would prevent frustration for potential customers.
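
A pre-flight check for the path-length problem described in the post above, as an added example that is not part of the thread or odrive's own code: it walks a plaintext tree and flags every item whose stored path is certain to exceed the limit, using the 56-character minimum name and the 256-character limit quoted in that post. The sync folder path, the function names and the assumption that the folder structure maps one-to-one are hypothetical; because stored names grow with longer originals, items that are not flagged can still end up too long.

```python
import os
import tempfile

MIN_ENCRYPTED_NAME = 56  # minimum stored name length, as reported in the post above
PATH_LIMIT = 256         # Windows path limit, as quoted in the post above


def min_encrypted_length(depth, cloud_root):
    """Lower bound on the stored path length `depth` levels below the encrypted
    folder: each level costs a separator plus at least MIN_ENCRYPTED_NAME."""
    return len(cloud_root) + depth * (1 + MIN_ENCRYPTED_NAME)


def max_safe_depth(cloud_root):
    """Deepest nesting level whose lower bound still fits within PATH_LIMIT."""
    return max(0, (PATH_LIMIT - len(cloud_root)) // (1 + MIN_ENCRYPTED_NAME))


def find_overlong(plain_root, cloud_root):
    """Return (relative path, lower bound) for every file or folder under
    plain_root that must exceed PATH_LIMIT once its names are encrypted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(plain_root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), plain_root)
            bound = min_encrypted_length(len(rel.split(os.sep)), cloud_root)
            if bound > PATH_LIMIT:
                hits.append((rel, bound))
    return sorted(hits)


def demo():
    # Constructed sample: a small tree checked against a hypothetical
    # provider sync folder that holds the encrypted folder.
    cloud_root = r"C:\Users\me\Dropbox\My_Super_Secret_Stuff"
    with tempfile.TemporaryDirectory() as plain_root:
        deep = os.path.join(plain_root, "a", "b", "c", "d")
        os.makedirs(deep)
        open(os.path.join(deep, "notes.txt"), "w").close()
        open(os.path.join(plain_root, "a", "top.txt"), "w").close()
        return max_safe_depth(cloud_root), find_overlong(plain_root, cloud_root)


if __name__ == "__main__":
    safe_depth, overlong = demo()
    print("max safe depth:", safe_depth)
    for rel, bound in overlong:
        print(f"{bound:4d}  {rel}")
```

With the 41-character sync folder used here, anything nested more than three levels deep is flagged, which shows how quickly the limit is reached before name growth is even counted.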

I would also like to know how I can download the encrypted folder on another computer from dropbox and decrypt it without going through odrive.
Please, could anybody elaborate a bit more?
Thank you,
J.

I have a similar question. For example: Can I send/share by email a link to an encrypted file (encrypted with odrive) with a friend, and afterwards send him the password/key through a different channel (SMS, WhatsApp, Telegram…) to open it? Could this work?

Can I sync an external folder with encryption to the cloud? (I don’t want to put the folder into the local Encryptor folder; the size of the external folder is 2T more)

Unfortunately all encrypted folders reside under the Encryptor folder. You will need to either refactor your storage scheme to use the Encryptor folder as a root or duplicate everything.

Another issue we are running up against is that odrive’s automatic synchronization with encrypted shares is functionally one way only, at least on Windows computers. Changes to a file on one computer are properly synced up to the cloud. If you use odrive on more than one computer, changed files will not sync back from the cloud until either a manual sync is performed or, if you are lucky, you browse to the relevant folder in Explorer. See this thread for full details.