Archive for March 25, 2016

How a Lawyer Protects Client Data with Boxcryptor file encryption

One of the over-arching themes of this year’s ABA Techshow was encryption and client file security. How secure are client files that reside in the cloud with services such as Dropbox or OneDrive?

Of course, I have FileVault enabled on my MacBook Pro and Mac Mini. So the client files are stored locally on encrypted hard drives. Additionally, my external backup drives are encrypted.

When files are moved from my computer to “the cloud,” they are encrypted while in transit. So, to the extent they are intercepted, they would be unreadable without the encryption key. Once the files arrive on the cloud provider’s server, the files are stored encrypted. Only the cloud provider has the encryption key – I do not. In the (unlikely?) event that their servers are breached, my files could be vulnerable. Also, the cloud provider could hand over my documents in response to a subpoena or court order – possibly without my knowledge.

In order to secure these files, they can be encrypted on my computer. These encrypted files are then synced to the cloud provider. In essence, my files on Dropbox are doubly encrypted – with Dropbox holding only one of the encryption keys. As a result, anything they handed over (or lost) would be unreadable to the recipient.

I use a program/service called Boxcryptor to encrypt my client files. Boxcryptor creates a virtual disc that mirrors the contents of my Dropbox folder. Any files that I create or edit should be done on the virtual disc. In this virtual disc, I can choose which files or folders are encrypted. This article will describe how a lawyer protects client data with Boxcryptor file encryption.

For example, suppose that I want to encrypt a single file in a client folder (which is a subfolder of the Dropbox folder and contains all of that client’s files). A simple “right click” on the file on the Boxcryptor virtual drive shows the context menu. In this menu, I have the choice to encrypt the file (along with the standard choices of copy, get info,….). The encryption is instantaneous. The file on the virtual drive is only changed by the addition of a green label. The analogous file on my internal drive has it’s name changed with the addition of the file extension “.bc” (so letter1.docx becomes letter1.docx.bc – but only on the internal drive not the virtual drive).

If I “right click” on the file I just encrypted, the context menu will now show an option to “decrypt” the file. Doing this removes the green label (on the virtual drive file) and removes the “.bc” file extension (on the internal drive version).

Encrypting a folder can be done in a similar manner. However, encrypting a folder will encrypt all files contained within the folder (including subfolders), add the green label to all files and folders, and add “_encrypted” to the folder name (not to the files or subfolders). Decrypting the folder will remove the green label from all files and folders, and add “_decrypted” to the folder name (in addition to “_encrypted” which was already added. (Note: Boxcryptor will tell you that you are free to change the folder names to remove the “_encrypted”, “_decrypted” or both).

Once a folder is encrypted, any files saved to an encrypted folder on the virtual drive (or its encrypted subfolders) are automatically encrypted. Files saved to the encrypted folder on the internal drive are NOT automatically encrypted. This presents a problem when creating files on another computer or iPad.

It is important to understand that since the files are encrypted on DropBox, they are inaccessible from the Dropbox iPad app, iPhone app or web interface. The contents of the folders are visible, but the files cannot be opened or previewed since they are encrypted. (Although I have not enable this option, you can encrypt the file name as well).

In order to view or edit client files on the iPad, they need to be opened in the Boxcryptor app and “shared” with another app for editing (e.g. Microsoft Word for .doc or .docx files; PDFpenPro or Good Reader for PDF files). PDF viewing in the Boxcryptor app is fine, but the app’s reproduction of .doc files is not 100% accurate. However, when these .doc files are “shared” with Word, the files look like they should.

Here is the problem: Files created on the iPad are saved to Dropbox. When I turn on the MacBook Pro, the Dropbox files are synced. A “copy” of the file is also copied to the Boxcryptor virtual drive. Unfortunately, these files are not automatically encrypted when they are saved to an encrypted folder. This occurs since files are only automatically encrypted when they are saved (rather than copied) to an encrypted folder on the Boxcryptor virtual drive.

Obviously, it’s a hassle to have to sift through the Dropbox folder looking for files that might need to be encrypted. If only there was a program that could continuously look into my encrypted folders and encrypt any unencrypted files. Fortunately, there is – HAZEL!

Using Hazel, this becomes a two part problem: (1) getting Hazel to identify the correct file(s), and (2) getting Hazel to act on those file(s).

My client files are located in a subfolder of the Dropbox folder call “OneDrive”. I need Hazel to look for unencrypted files in encrypted folders. However, I need Hazel to ignore 5 encrypted subfolders (Closed, FORMS, MEDIATION, Research, and TEMPLATES). The folders I want Hazel to look in have the form: “Smith, John” or “Johnson, Beth_encrypted” – including any subfolders and subfiles.

For the folder OneDrive, I created rules:

First, a rule to look into subfolders of OneDrive:

How a Lawyer Protects Client Data with Boxcryptor file encryption

Next, I need Hazel to find files based on the following criteria:

How a Lawyer Protects Client Data with Boxcryptor file encryption


If a matching file is found, two scripts are triggered: (1) a shell script that plays a sound, and (2) an AppleScript that tells Boxcryptor to encrypt the file. This is a problem since Boxcryptor is not scriptable with AppleScript. As a workaround, I scripted OS X’s UI (User Interface) elements.

First, I needed to set up Boxcryptor as a service. Services are the actions that are available from the contextual menu (i.e. a “right click”). To do this “right click” on the Boxcryptor app in the Applications folder, then select “Show Package Contents”. In Finder, navigate to the Contents:Resources folder. Select the file BoxcryptorServices.service.tgz . From this file, you need to extract the file BoxcryptorServices.service and copy it to the Library:Services subdirectory (on my Mac, this is located at Macintosh HD:Users:Jim:Library:Services – your user name and the name of your drive are probably different). Now you have added two services: “Encrypt with Boxcryptor” and “Decrypt with Boxcryptor.”

Second, I assigned a keyboard short cut to the service “Encrypt with Boxcryptor.” This done by opening “Keyboard” in System Preferences. From the top of the window, select “Shortcuts.” From the left side of the window, select “Services.” Next scroll through the service and select “Encrypt with Boxcryptor.” On the right end of the selection, click on “add shortcut.” Add what ever ocscure key conbination you want – just make sure it isn’t already being used. I used “command-control-option-E”.

Since the service has been assigned a keystroke, it can be invoked in a script with AppleScript, which has been triggered by Hazel.

This is the AppleScript that I use:

How a Lawyer Protects Client Data with Boxcryptor file encryption

Essentially, Hazel is looking for unencrypted files on my internal hard drive. If a matching file is found, the corresponding file on the Boxcryptor virtual drive is acted on by the AppleScript. This action changes the file on the internal drive.

By using this process I can be sure that the client files that I want to be encrypted are encrypted no matter where they are created.