Archive for March 2016

How a Lawyer Protects Client Data with Boxcryptor file encryption

One of the over-arching themes of this year’s ABA Techshow was encryption and client file security. How secure are client files that reside in the cloud with services such as Dropbox or OneDrive?

Of course, I have FileVault enabled on my MacBook Pro and Mac Mini. So the client files are stored locally on encrypted hard drives. Additionally, my external backup drives are encrypted.

When files are moved from my computer to “the cloud,” they are encrypted while in transit. So, to the extent they are intercepted, they would be unreadable without the encryption key. Once the files arrive on the cloud provider’s server, the files are stored encrypted. Only the cloud provider has the encryption key – I do not. In the (unlikely?) event that their servers are breached, my files could be vulnerable. Also, the cloud provider could hand over my documents in response to a subpoena or court order – possibly without my knowledge.

In order to secure these files, they can be encrypted on my computer. These encrypted files are then synced to the cloud provider. In essence, my files on Dropbox are doubly encrypted – with Dropbox holding only one of the encryption keys. As a result, anything they handed over (or lost) would be unreadable to the recipient.

I use a program/service called Boxcryptor to encrypt my client files. Boxcryptor creates a virtual disc that mirrors the contents of my Dropbox folder. Any files that I create or edit should be done on the virtual disc. In this virtual disc, I can choose which files or folders are encrypted. This article will describe how a lawyer protects client data with Boxcryptor file encryption.

For example, suppose that I want to encrypt a single file in a client folder (which is a subfolder of the Dropbox folder and contains all of that client’s files). A simple “right click” on the file on the Boxcryptor virtual drive shows the context menu. In this menu, I have the choice to encrypt the file (along with the standard choices of copy, get info, …). The encryption is instantaneous. The file on the virtual drive is only changed by the addition of a green label. The analogous file on my internal drive has its name changed with the addition of the file extension “.bc” (so letter1.docx becomes letter1.docx.bc – but only on the internal drive, not the virtual drive).

If I “right click” on the file I just encrypted, the context menu will now show an option to “decrypt” the file. Doing this removes the green label (on the virtual drive file) and removes the “.bc” file extension (on the internal drive version).

Encrypting a folder can be done in a similar manner. However, encrypting a folder will encrypt all files contained within the folder (including subfolders), add the green label to all files and folders, and add “_encrypted” to the folder name (not to the files or subfolders). Decrypting the folder will remove the green label from all files and folders, and add “_decrypted” to the folder name (in addition to “_encrypted”, which was already added). (Note: Boxcryptor will tell you that you are free to change the folder names to remove the “_encrypted”, “_decrypted” or both.)

Once a folder is encrypted, any files saved to an encrypted folder on the virtual drive (or its encrypted subfolders) are automatically encrypted. Files saved to the encrypted folder on the internal drive are NOT automatically encrypted. This presents a problem when creating files on another computer or iPad.

It is important to understand that since the files are encrypted on Dropbox, they are inaccessible from the Dropbox iPad app, iPhone app or web interface. The contents of the folders are visible, but the files cannot be opened or previewed since they are encrypted. (Although I have not enabled this option, you can encrypt the file name as well.)

In order to view or edit client files on the iPad, they need to be opened in the Boxcryptor app and “shared” with another app for editing (e.g. Microsoft Word for .doc or .docx files; PDFpenPro or Good Reader for PDF files). PDF viewing in the Boxcryptor app is fine, but the app’s reproduction of .doc files is not 100% accurate. However, when these .doc files are “shared” with Word, the files look like they should.

Here is the problem: Files created on the iPad are saved to Dropbox. When I turn on the MacBook Pro, the Dropbox files are synced. A “copy” of the file is also copied to the Boxcryptor virtual drive. Unfortunately, these files are not automatically encrypted when they are saved to an encrypted folder. This occurs since files are only automatically encrypted when they are saved (rather than copied) to an encrypted folder on the Boxcryptor virtual drive.

Obviously, it’s a hassle to have to sift through the Dropbox folder looking for files that might need to be encrypted. If only there was a program that could continuously look into my encrypted folders and encrypt any unencrypted files. Fortunately, there is – HAZEL!

Using Hazel, this becomes a two part problem: (1) getting Hazel to identify the correct file(s), and (2) getting Hazel to act on those file(s).

My client files are located in a subfolder of the Dropbox folder called “OneDrive”. I need Hazel to look for unencrypted files in encrypted folders. However, I need Hazel to ignore 5 encrypted subfolders (Closed, FORMS, MEDIATION, Research, and TEMPLATES). The folders I want Hazel to look in have the form: “Smith, John” or “Johnson, Beth_encrypted” – including any subfolders and subfiles.

For the folder OneDrive, I created rules:

First, a rule to look into subfolders of OneDrive:


Next, I need Hazel to find files based on the following criteria:


If a matching file is found, two scripts are triggered: (1) a shell script that plays a sound, and (2) an AppleScript that tells Boxcryptor to encrypt the file. This is a problem since Boxcryptor is not scriptable with AppleScript. As a workaround, I scripted OS X’s UI (User Interface) elements.

First, I needed to set up Boxcryptor as a service. Services are the actions that are available from the contextual menu (i.e. a “right click”). To do this, “right click” on the Boxcryptor app in the Applications folder, then select “Show Package Contents”. In Finder, navigate to the Contents:Resources folder. Select the file BoxcryptorServices.service.tgz. From this file, you need to extract the file BoxcryptorServices.service and copy it to the Library:Services subdirectory (on my Mac, this is located at Macintosh HD:Users:Jim:Library:Services – your user name and the name of your drive are probably different). Now you have added two services: “Encrypt with Boxcryptor” and “Decrypt with Boxcryptor.”

Second, I assigned a keyboard shortcut to the service “Encrypt with Boxcryptor.” This is done by opening “Keyboard” in System Preferences. From the top of the window, select “Shortcuts.” From the left side of the window, select “Services.” Next, scroll through the services and select “Encrypt with Boxcryptor.” On the right end of the selection, click on “add shortcut.” Add whatever obscure key combination you want – just make sure it isn’t already being used. I used “command-control-option-E”.

Since the service has been assigned a keystroke, it can be invoked in a script with AppleScript, which has been triggered by Hazel.

This is the AppleScript that I use:


Essentially, Hazel is looking for unencrypted files on my internal hard drive. If a matching file is found, the corresponding file on the Boxcryptor virtual drive is acted on by the AppleScript. This action changes the file on the internal drive.

By using this process I can be sure that the client files that I want to be encrypted are encrypted no matter where they are created.
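
An independent check on the result, as an added example that is not the author's Hazel rule or AppleScript: the shell functions below list files on the internal drive that still lack the “.bc” suffix. It assumes every folder under the root except the five skipped ones is meant to be encrypted and that file name encryption is off; the function names and the sample folder tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a synced folder for files Boxcryptor has not encrypted.
# Assumption: an encrypted file on the internal drive ends in ".bc".
SKIP_DIRS="Closed FORMS MEDIATION Research TEMPLATES"   # folders named in the post

# List files inside ROOT's subfolders that lack ".bc" (dotfiles ignored).
find_plaintext() {
    root=${1%/}
    set -- "$root" -mindepth 2 -type f ! -name '*.bc' ! -name '.*'
    for d in $SKIP_DIRS; do
        set -- "$@" ! -path "$root/$d/*"
    done
    find "$@" -print | sort
}

# Report each hit; return 1 if any exist so a scheduled job can alert.
audit() {
    hits=$(find_plaintext "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/UNENCRYPTED: /'
    return 1
}

# Constructed sample tree (empty files); prints the path of its root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Smith, John/letters" "$t/Johnson, Beth_encrypted" "$t/FORMS"
    : > "$t/Smith, John/letters/letter1.docx.bc"       # already encrypted
    : > "$t/Smith, John/notes.docx"                    # arrived by sync, plaintext
    : > "$t/Johnson, Beth_encrypted/affidavit.pdf.bc"  # already encrypted
    : > "$t/Johnson, Beth_encrypted/.DS_Store"         # Finder metadata, ignored
    : > "$t/FORMS/intake.docx"                         # skipped folder
    printf '%s\n' "$t"
}

demo=$(make_sample_tree)
audit "$demo" || echo "plaintext files need encrypting"
rm -rf "$demo"
```

Point it at the internal Dropbox folder rather than the Boxcryptor virtual drive, since the “.bc” suffix only appears on the internal copy.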

Client File Security

Think about all the documents that exist in a client’s file: court filings, financial affidavits, correspondence to and from clients and opposing counsel, bank records, credit card bills, tax returns, pay stubs, and insurance (car, home, health, life) information.

Occasionally, a client will ask: “How are my documents stored?”

This article is a description of the steps I take to safeguard your private information.

First, a little background on what happens with the private documents that you give me:

Court documents – these are the documents that I prepare and that you and/or I sign before they are filed with the clerk of Court electronically. Copies are electronically sent to the opposing party or their lawyer. These documents are scanned when received and shredded at the end of your case. The digital version of the file is retained.

Discovery documents – these are the documents that must be produced so they can be reviewed by the other party or their lawyer. Typically, these documents include bank records, credit card bills, tax returns, pay stubs, and insurance (car, home, health, life) information. Similar information is received from the opposing party. These documents are also scanned when received and shredded at the end of your case. Of course, I’d be happy to return your discovery documents to you at the end of your case.

So, how do I protect the digital versions of your private information?

First, I encrypt the hard drive of the computer that I use for running my law firm. I use FileVault (a program built into the Mac operating system). If my computer is stolen, all data on the hard drive is inaccessible to the thief without the encryption key. Your data is just as safe as any of my own personal information on the hard drive. The thieves may have my computer, but your data is locked inside and they don’t have a key.

The thieves could try to automate the guessing of the encryption key. Even if they had a computer that could guess 4 billion passwords per second, it would take 12 trillion years, on average, to guess the correct 16 (or fewer) character password! How secure are your passwords?

Second, the hard drive inside my computer is backed up to the online service BackBlaze. So, if my hard drive fails or is stolen, all data can be retrieved from the backup. The BackBlaze program encrypts all data with an encryption key before it is transmitted from my computer over a secure SSL (https) connection to their system. The data is stored in encrypted form. In theory, since BackBlaze has the encryption key, they could view your data. However, I have elected to use an additional security feature that they offer by encrypting their key with a phrase that I choose. That way, they cannot ever view your data.

Third, your documents are accessible on my various devices via Dropbox. They are never stored on these devices, but can be viewed and edited since all the files are synced via Dropbox. So, your documents exist on my computer and on the Dropbox servers. Dropbox encrypts your data as it is in transit and when it is on their servers. They hold the encryption key.

Fourth, I remove the ability of Dropbox to view the contents of your files. To do this, I run the program Boxcryptor on my computer. Essentially, it encrypts the contents of my Dropbox folder and creates another folder on my computer where I can access the unencrypted versions of client files. This allows me to protect client documents both on my computer and in the cloud. Dropbox can see only that a specific file exists; they can’t open and view the contents of the file. Additionally, without the Boxcryptor program running, you could be sitting at my computer and not be able to view or open client files because they would be encrypted.

Fifth, BackBlaze and Dropbox both use an additional layer of security called two-factor authentication. In BackBlaze, a code is sent to my phone when I log into their system. Even if a thief has my computer, and my BackBlaze password, they will not be able to access the data stored with BackBlaze without the code from my phone. Dropbox sends a similar code whenever a login is attempted from an unauthorized computer or mobile device.

Lastly, I also back up my computer’s hard drive to an external hard drive. The data on this drive is also encrypted. Only I have the encryption key, so the data on the drive would be inaccessible to a thief.

Please know that I take the security of your personal information very seriously. If you have any questions about your documents or my security procedures, please feel free to call the office or use the contact form on this website.

(This article was originally posted at http://www.jimmullaney.com/client-file-security/ )