User Manual
StableBit CloudDrive
A secure virtual hard drive, powered by the cloud.

Encryption

(Build 870)

Back to Contents

All cloud drives created in StableBit CloudDrive are either encrypted using strong encryption, or simply obfuscated. Moreover, StableBit CloudDrive never stores any unencrypted data either on your local drives or in the cloud. StableBit CloudDrive calls this Full Round Trip Encryption.

For any cloud drives where you choose not to encrypt the drive, StableBit CloudDrive will obfuscate the drive's data using AES 128-bit CBC. This is not done to secure your data, but to obfuscate it from casual machine or human scanning.

Full Round Trip Encryption

The way that StableBit CloudDrive accomplishes full round trip encryption is fairly straight forward. As data is written to the virtual disk, those write requests are sent to StableBit CloudDrive's virtual disk driver. Before performing any processing of those write requests, the first thing that the virtual disk driver does, is encrypt the contents of those requests at the point of entry. Any further processing of the incoming data is now encrypted.

Similarly, when data is read from the virtual disk, the virtual disk driver decrypts the encrypted data at the point of entry to the disk driver.

This means that all of the processing that StableBit CloudDrive does with your data, is fully encrypted. This includes storing it in the local cache, or uploading it to the storage provider.

Trust No One

The encryption scheme that StableBit CloudDrive uses is a very simple one. There is a one and only encryption password, and you are the only one who knows it. No one can decrypt your data without that password.

CAUTION

As a consequence of this, if you lose your password, no one at StableBit or at your storage provider can help you gain access to your data.

That's why it is very important to backup your encryption password and store it in a safe place.

Encryption Algorithm

For the actual encryption algorithm, StableBit CloudDrive uses the industry standard AES 256-bit algorithm (in CBC mode) to protect your data.

When you enable full drive encryption, StableBit CloudDrive will generate for you a new cryptographically secure 256-bit password. This password is the one and only key that will be used to encrypt and decrypt the data on your cloud drive. You will need to enter this key every time that the encrypted cloud drive mounts.

In order to increase the entropy of the newly generated key, data that is based on your mouse movements is applied to it as well.

In order to validate whether you've entered a valid password, a validation blob is generated for this purpose. To generate the validation blob, first, a SHA-256 hash of your AES key is generated. The hash is then encrypted with AES 256-bit CBC using the AES key itself. The result is then stored along with your cloud drive's data at the storage provider.

When StableBit CloudDrive needs to validate whether you've entered the correct password, it decrypts this validation blob with the key that you've entered and compares the result with the hash of your entered key. If they match, then you've entered a correct password and the drive is unlocked.

Password Phrase

The recommended method of unlocking your encrypted drive in StableBit CloudDrive is by entering the master decryption key directly. However, as another option, you can choose to use a password phrase to unlock your drive instead. A password phrase is easier to remember than a long and random key, but if you're not careful, it can be easier to guess.

That's why, when choosing a password phrase, it is very important to make sure that it's a sufficiently strong password. StableBit CloudDrive will give you some guidelines to follow when choosing your password phrase, and it is highly recommended that you follow them. See Creating a Drive > Password Phrase for usage information.

StableBit CloudDrive uses PBKDF2 with HMAC SHA-512 (200,000 rounds) to derive the master encryption key from the password phrase.

Chunk Integrity Verification

When chunk integrity verification is enabled, in addition to being encrypted, the data stored at the storage provider is also signed for authenticity.

As well as ensuring that the data at the storage provider doesn't get corrupted, this signature ensures that the data is also checked for authenticity. If anyone tries to forge a malicious chunk of data at the storage provider, StableBit CloudDrive will detect this and it will refuse to decrypt it. It will never put data through the decryption algorithm if it fails the signature check.

Verify Chunk Integrity is normally enabled for all cloud storage providers by default.

See Creating a Drive > Advanced Settings for information on how to manually enable or disable Verify Chunk Integrity when creating a new cloud drive.

When Verify Chunk Integrity is used, a key expansion algorithm is applied to the master key to expand it in size and generate an AES encryption key and a HMAC key. The algorithm used for this key expansion is HKDF HMAC SHA-512. When this happens, the resulting AES key is used to encrypt and decrypt the data, while the resulting HMAC key is used to sign the data uploaded to the storage provider using HMAC SHA-512.

Automatic Unlocking

As a convenience feature, you can choose to have StableBit CloudDrive automatically unlock your encrypted drive every time that your computer starts up. When enabled, this will store an encrypted version of your password on your local system.

For more information on using automatic unlocking and best practices, see Creating a Drive > Automatic Unlock

The exact encryption algorithm used to protect your saved key depends on the version of Windows that you're running and is tied to the SYSTEM user account.

For more information see https://en.wikipedia.org/wiki/Data_Protection_API.