Robert's blog
Robert Važan

Europe-based online storage with client-side encryption

Review of existing encrypted clouds including Wuala, Tresorit, Memopal, younited, and a few alternatives like BoxCryptor.

First, I had only once computer. Then I had two and later three, but I've used each one for different purpose. Then I started to blend my workflows and my sync woes started. After some one-off syncs, I've tried to use online apps for sharing, which I believe to be the future, but they suffered on mobile networks. I tried SparkleShare, which is dataloss-proof, but it took ages to resync. I've selected DropBox for its sync speed, but NSA spoiled the fun. So I took the time to review more secure alternatives.

NSA did two major things to the cloud. Firstly, it partitioned the Internet into US and non-US internet and also into many regional internets, all with their own regional cloud services. Secondly, it killed any trust people might have had in the cloud. Nobody can trust private data to the cloud anymore. Even if the cloud is regional, the complexity of the Internet and hosting services makes it impossible to control access to the data.

I behaved accordingly and looked for services in Europe (where I live) and for services with client-side encryption that only let the cloud to see encrypted data.

BoxCryptor or similar tool would allow me to use unencrypted cloud storage by layering encryption on top of the cloud storage. It's a good way to get lots of storage and encryption at the same time. Unfortunately, it's really shaky. It's easy to accidentally upload unencrypted data. Additionally, such software often consumes extra storage space on local disk or causes extra sync delays. Not good.

I really prefer cloud services with native encryption. I narrowed it down to two condenders: Wuala and Tresorit. I've also looked at other European storage providers, notably Memopal and younited, for their lower storage cost, but these services lacked client-side encryption, so no business there.

Wuala was quite buggy during testing, but that turned out to be a minor annoyance after something way more important nuked my plans with Wuala. You see, it's Swiss company, storing data in Germany and France, owned by French storage solution maker LaCie, all right? What they don't tell you on the frontpage is that LaCie was recently bought by Seagate, an American company. Fail, big fail. The chain of command makes it possible for NSA to insert backdoor in Wuala and to keep Swiss mouths shut about it.

After few moments of cursing and a while of unhappy mood, I've found Tresorit, my big hope. Tresorit is a startup from neighboring Hungary, far away from any center of political influence. Initially facing justified distrust, they are now very open about their security measures.

The largest security WTF is Microsoft Azure listed as "trusted" third party. After giving it a little more though, I realized it's rather inconsequential, because Tresorit client is signed (i.e. no download tampering is possible) and all data leaving that client is encrypted using client-side key. I would be nevertheless more happy to see my data managed by European companies just in case all this encryption magic suddenly fails.

The whole service has matured into something moderately usable, but I've got two issues that nuked it. Firstly, there's a file size limit of 2GB. Cloud services are generally bad at managing big files, but this arbitrary limit means that random videos from my camera won't get uploaded and eventually get lost. Losing files is a mortal sin of any cloud storage. Big no-no. The other issue is that Tresorit's client takes ages to finish some initial resync after it is started. It takes as many seconds as there are files in my "tresors". That means several hours on my file archives.

I've reported these issues as well as my concern with Trestorit ownership, but it might take months to have it all resolved if they bother at all (update: my feature requests didn't get through the moderation queue for two weeks, what are they doing there?). What's up with the ownership, you ask? After the Wuala fiasco, I am rather wary of security companies that don't describe their ownership clearly. Tresorit founders are Hungarians, but they have investors. Who are these investors, who owns them, and how much control do they have?

My recommendation is to go with Tresorit free 5GB account if you have a few small files. I will have to stay with Wuala after all. It can handle large files and a large number of files, which is the thing I am paying for. Anyway, I will keep an eye on Tresorit. Meantime, I will hope that the Swiss will play whistleblowers in case Wuala is compromised.

I don't quite understand the business plan of Tresorit. They offer 5GB free, which is about the amount of data their service can handle. How do they get customers paying for 100GB when they cannot handle that much data?

Wuala isn't that performance conscious either. After using it for a while, I can confirm it has no sync priorities. It just syncs one random file at a time. If that random file happens to be 3GB video, all the smaller files won't sync for an hour. It also forced me to upgrade my mobile data plan, because large transfers cannot be separated from the small ones. It's 8€ extra for higher data plan, which is more than the the 6€ I pay to Wuala.

BTW, making payments to Wuala requires some patience. They claim to accept payment cards, but this only works through PayPal as a payment processor, so PayPal is really the only option. Even though Wuala loves PayPal, PayPal for some reason hates Wuala. PayPal refused to send money from my card to Wuala without providing any reason to either me or Wuala. Wuala then silently canceled my subscription without bothering to send me an email. This is the only service that requires me to top up PayPal account before making payments.

Comments

yeah,my wuala account blocked after seagate partnershp,wuala bloacked me in a sudden,didnt even urg me to backup your data and I lost everything!
Anonymous
I had Tresorit as well and liked it, , BUT when I found out they run their services on Microsoft Azure System my trust for Tresorit went out the Window, Tresorit does not have to or follow USA law in the sense that they do not have to obey NSA requests about backdoors etc like any American based online cloud storage company has to, BUT Tresorit has teamed up with Facebook and , well, Facebook is not directly known for their privacy keeping policy, Facebook sell most if not all user-information to highest bidder and they sell this information A LOT, now, Tresorit does not have to follow American law as I mentioned, and are not based in USA, BUT Facebook is , and Facebook falls under P.R.I.S.M (PRISM) , and when Tresorit now have teamed up with Facebook , ,well, lets say, after that dickmove from Tresorit I canceled my Tresorit Premium account and removed all my files from Tresorit to 3 thumb-drives (1 original and 2 copies).American based Cloud, Social or Storage company are obligated to follow American law and will have to follow / accept NSA backdoors, and Ed Snowden is living proof of that NSA is leaking important information and that is why American based online Storage/Social companies can not be trusted with sensitive/private information.
Anonymous
Comments are closed for this post.