CryptSync: upload only encrypted files to online storage services

Martin Brinkmann
Mar 27, 2013
Encryption, Software

Several cloud storage services use encryption to protect data of user accounts from being accessed by third parties. While this may be reassuring for many users, some prefer to add encryption of their own to important files on top of that. Why? The core reason is to prevent access to the files even if someone gained access to the account. Say, someone managed to steal your account password for your Dropbox, SkyDrive, Google Drive or whatever-online-storage-service-you-are-using account. This is enough to gain access to all files. With added encryption, the attacker would not only have to steal the username and password, and maybe even intercept a two-factor authentication code, but also the password the files are encrypted with.

You have several options to encrypt files before they are uploaded to a remote server. One of the easiest options available is CryptSync, a free program for Windows. The program keeps pairs of folders in sync on systems it is executed on. One of the folders is encrypted during the sync process, making it an ideal program to encrypt data before it gets uploaded.

The basic idea is the following here. You select a folder with data that you want to host online as the originating folder, and pick a local cloud drive folder as the destination folder. CryptSync encrypts the files during the synchronization using a password you specify.

To create a new folder pair click on the new pair button in the program interface. Here you need to specify the original folder and encrypted folder, as well as the password that you want to use to protect the data.

You can furthermore enable the encryption of file names so that it is not possible to guess a files contents or type from that.  The mirror original folder to encrypted folder option enables one-way syncing instead of two-way syncing.

You can then sync the files once and exit the program, or set it to run in the background all the time. The latter option checks the original folder for new files and folders regularly to encrypt and upload them to the destination folder in the process.

sync  files encrypted screenshot

The files and folders that get synced with the destination folder and the online storage look like this if you have enabled file name encryption as well.

encrypted files

You can run the program from the command line as well which can be useful for the creation of batch files or programs that allow you to run third party programs (like backup software).

The downside of using CryptSync is that you will have two folders locally that store the data. One of them is the original folder, the other the encrypted folder which some may see as redundant. Still, if you are looking for an automated way to protect files that you store at online storage providers then CryptSync is definitely one of the programs to do just that.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. r.key said on September 8, 2019 at 1:17 am

    It seems cloudfogger is shut down. I did a test 5-6 years ago and found cloudfogger puts the file in the cloud _before_ encrypting, so anyone with access to file history in DB would be able to retrieve unencrypted versions of the files. I’d use something else. I thought cryptsync looked promising until I read the issues on github. I’ll wait on that one for a while as well. (@dan)

  2. andre31 said on October 22, 2013 at 9:50 am

    “The mirror original folder to encrypted folder option enables one-way syncing instead of two-way syncing”
    It doesn’t work if you select MIRROR or NOT it is the same is a two-ways !
    So if you delete a file on the original folder it is deleted on the DROPBOX encrypted folder !

  3. Marci said on March 29, 2013 at 8:38 am

    I use an iPhone which backs up to Cloud, so would the process be the same if I’m updating or do I even need to worry about this?

  4. dan said on March 29, 2013 at 5:26 am

    Check out Cloudfogger: accomplishes the same thing without the need for dual folders.

  5. Seban said on March 28, 2013 at 2:48 pm

    You have to uncheck ‘Preserve modification time stamp of file containers’ in the Truecrypt preferences for Dropbox not to upload the whole container file.

    An alternative to CryptSync is Boxcryptor. I use both, depending on further usage of the encrypted files.

  6. ilev said on March 27, 2013 at 2:55 pm

    Encrypting cloud data is mandatory. Microsoft revealed last week that it has surrendered customers data to US authorities.

    1. Martin Brinkmann said on March 27, 2013 at 3:03 pm

      Microsoft is not the only company, read today that US authorities may get realtime access to Gmail and every other US based service.

  7. Will said on March 27, 2013 at 5:56 pm

    It’s not really a question of access per say. US Government (Law enforcement) already has said access. And sadly, so does many criminals.

    It’s really a question of being able to use said access to enforce laws publicly (taking the “bad guys” to court) and using evidence obtained via said access.

    Don’t be fooled. Everything we do online is already scanned, documented, and inventoried. It’s just a matter of being able to use the information legally.

  8. NKT said on March 27, 2013 at 9:31 am

    I think the advantage of this is that individual files are encrypted and uploaded as they are changed.

    With TrueCrypt from what I understand is that it uploads the whole container than the changed files.

    I have been using AxCrypt, but I think this might be even more convenient than individually decrypting a file.

    Though I can see that if you access your files from another location where CryptSync is not installed you will not know which file is what due to the random naming scheme.

    1. Michael said on March 27, 2013 at 5:58 pm

      From what I understand and my experience, Dropbox only needs to upload the portions of the container file that have changed. Avantages of using TC is that you decrypt all the files in one go and you don’t have 2 copies on your hard drive.
      Spideroak have a zero knowledge policy – their USP is that they don’t have access to your files at all

      1. webfork said on March 28, 2013 at 11:14 am

        > Dropbox only needs to upload the portions of the container file that have changed

        My last test on this was more than a year ago, but that was my experience with Dropbox + TrueCrypt: it doesn’t re-upload the entire volume.

    2. Martin Brinkmann said on March 27, 2013 at 10:28 am

      Right. But you do not need to encrypt the file names, that is just an option.

  9. Michael said on March 27, 2013 at 9:22 am

    I currently do something similar using Truecrypt – I keep my encrypted container in my Dropbox and have a batchfile I run on Windows startup that loads the container as a drive so I can access the files.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.