Locally encrypting the entire Dropbox folder

Because it hurts when your sensitive stuff gets into the wrong hands. No third-party software needed.

Daniel Lindenkreuz
Jun 13, 2013

Note: this article is from 2013. Your mileage may vary.

We tech-savvy folks take our MacBooks with us on most occasions, and there is always the chance we leave our bag open and alone in some corner. When my beloved iPhone 4 was stolen a couple of months ago I started to care more about my (digital) property, so I spent some time figuring out how to prevent thieves from (A) stealing my MacBook and (B) doing lots of creepy things with all the sensitive data on it. Allow me to elaborate on eliminating case (B).

Thieves can easily access data without knowing your login password if you do not use FileVault or similar full-disk encryption software. I use my MacBook to make music on stage so I cannot afford any performance issues caused by FileVault. Now what? My Dropbox space has grown a lot in the last few years, so it was pretty obvious to drop things like the 1Password keychain and other sensitive stuff in the box and have it smoothly sync’d to my home iMac. Since my Dropbox password is fairly complex and most sensitive things are already stored in an encrypted way, I won’t whine about data safety in the cloud. Physical access is the problem here.

If I put those 40 Gigabytes of ones and zeroes in an encrypted disk image that resides in my Dropbox, I would most certainly come across the following issues:

  1. There’s a whole lot to sync, even though Apple .sparsebundle images are broken up into multiple ~8MB so-called bands so that some kind of incremental update can happen.
  2. If I myself or any collaborator from my shared folders updates files while the disk image is mounted, Dropbox would start sync’ing and overwrite some bands on all machines that are connected to the internet. That would totally destroy the disk image and leave me with 40GB of crap data. Worst case scenario.

Conclusion: Don’t ever attempt to encrypt the contents of your Dropbox unless you are the only user and only have one device connected for sync’ing with Dropbox.

Solution: If you want your data physically secured, just put the entire Dropbox folder in an enclosing encrypted disk image. The following steps (Mac OS X only!) could take quite a bit of time, depending on the size of your Dropbox, and there are some nasty caveats to take care of. If you’re afraid of using the Terminal, don’t have a full system backup, have no OS X user account password, or have automatic login enabled, please stop right now and get your shit done.

  1. Open Disk Utility and create a new disk image with ⌥⌘N. Choose the Bundle Image either with 128-bit or with 256-bit encryption and give it the size of your maximum Dropbox quota. The disk format should be Mac OS X Extended (Journaled). Give it a secure password, allow OS X to store the password in your login keychain and save it in one of the subfolders of your Home directory, e.g. ~/Documents.
    Storing the password in the keychain is important at this point as we want to be able to automount the image after logging into the user account so that we won’t get any problems with Dropbox software.
  2. Quit Dropbox so that the icon disappears from the menu bar.
  3. If you haven’t already, mount the disk image and move the entire Dropbox folder to the root of the image. The result should look something like this.
  4. Caveat #1: If you use Dropbox to sync application data, e.g. your Fontcase or FontExplorer library, most apps will not recognize the path change and refuse to work properly. To prevent this and to get back the native feel of accessing Dropbox via your home folder, open a Terminal session and symlink the Dropbox folder to your home folder. In my case (your paths might vary):
    ln -s /Volumes/Dropbox/Dropbox ~/Dropbox
  5. Caveat #2: The image won’t mount itself upon login, so let’s fix this by creating a LaunchAgent in ~/Library/LaunchAgents that runs a shell script upon login. You could download my .plist file and replace the file paths according to your setup using Xcode or a text editor.
    This is only half of the job though; as you might have guessed you still need the shell script that gets executed after logging in. Download my sample shell script here, replace the path to your sparsebundle image and put the script in any subdirectory of your home folder.
    Cool thing: no plain-text passwords needed anywhere if you allowed storing the disk image password in the keychain in step 1.
  6. In the Terminal, load the LaunchAgent using:
    launchctl load -w ~/Library/LaunchAgents/YOUR-PLIST-FILENAME.plist
  7. Reboot your Mac. In some cases a full re-index of the Dropbox may be required but this doesn’t hurt anyone. If Dropbox asks you to relocate your Dropbox folder simply select the symlink in your home folder.
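
The .plist and shell script from step 5, sketched as one script. This is an added example, not the author's downloadable files: the image path, the script location under ~/bin and the LaunchAgent label are placeholders, and paths are assumed to contain no XML special characters. Run it once with `install` to write the plist, then load it as in step 6.

```bash
#!/bin/bash
# Added example, not the author's files. Paths and the label are placeholders.
IMAGE="$HOME/Documents/Dropbox.sparsebundle"   # assumed image location (step 1)
VOLUME="/Volumes/Dropbox"                      # mount point used in step 4
LINK="$HOME/Dropbox"                           # symlink created in step 4
LABEL="local.example.mount-dropbox"            # hypothetical LaunchAgent label

# Write a LaunchAgent plist that runs SCRIPT with "mount" once at login.
# Assumes LABEL and SCRIPT contain no XML special characters (&, <, >).
write_launch_agent() {  # usage: write_launch_agent LABEL SCRIPT PLIST
  cat > "$3" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$1</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>$2</string><string>mount</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
  chmod 644 "$3"   # readable, but not writable by group or others
}

# True only if LINK is a symlink that resolves to an existing directory.
# A dangling link means the image is not mounted, so Dropbox has no folder.
link_resolves() {  # usage: link_resolves LINK
  [ -L "$1" ] && [ -d "$1" ]
}

# Attach the image unless its volume is already present. No passphrase is
# passed here: it comes from the login keychain, as set up in step 1.
mount_image() {  # usage: mount_image IMAGE VOLUME LINK
  if [ ! -d "$2" ]; then
    [ -e "$1" ] || { echo "image not found: $1" >&2; return 1; }
    hdiutil attach -quiet "$1" || return 1
  fi
  link_resolves "$3" || { echo "symlink $3 does not resolve" >&2; return 1; }
}

case "${1:-}" in
  mount)   mount_image "$IMAGE" "$VOLUME" "$LINK" ;;   # what the LaunchAgent runs
  install) write_launch_agent "$LABEL" "$HOME/bin/mount-dropbox.sh" \
             "$HOME/Library/LaunchAgents/$LABEL.plist" ;;
esac
```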

That’s it! The data in your Dropbox should be safe and sound if you shut down your Mac or unmount the disk image. Please don’t hesitate to leave your feedback.
