Preventing access to encrypted files at all

Information Security Asked on October 28, 2021

Suppose I create an encrypted container using VeraCrypt and want to upload it to Google Drive/One Drive for storage. The container is encrypted with AES-256.

I know that no one can extract any meaning from that random data.

But I am a very paranoid person!

I know that the random data doesn’t make any sense, but those people can still read all of that (random) data. And that’s where I get uncomfortable!

It’s like I have stored my important belongings in a very strong locker and sent the locker into the "wild". The adversaries can see through it, but the locker camouflages the things inside. BUT, the things are still there in their hands, somewhere hidden inside the locker.

I don’t want anyone to read any of my data at all, whether encrypted or not.

Is there any way of preventing the adversaries from accessing the (encrypted) data at all, even after releasing the data?

Note: Though I have specifically mentioned the above 2 online storage companies, for me everyone is an adversary, from Google/Microsoft to the very capable three-letter agencies and their powerful governments. And I don’t want them to access any of my data, even if it’s encrypted.

3 Answers

Is there any way of preventing the adversaries from accessing the (encrypted) data at all, even after releasing the data?

For almost every single case, there's no way. The "after releasing the data" statement means your data (or a copy of it) left your hands and went to someone else.

But there's one way (not that I would recommend it for this scenario): very expensive, not practical at all, and as cumbersome as carrying a safe around: an HSM (Hardware Security Module). An HSM is hardened to protect its contents at all costs, having multiple sensors to make sure it is working within a predefined set of environment values (temperature, acceleration, voltage, vibration, and so on). If any of those variables are outside of the expected range, it erases its contents.

But there's another issue: an HSM only keeps private keys. It's kind of a write-only device. After storing the private key on it, it never ever leaves. You send the data, it uses the private key internally, signs or decrypts the data, and returns the resulting decrypted or signed data.

If you are irrationally paranoid and very rich, you can convince a vendor to design a kind of HSM for you that stores multiple gigabytes of data, and receives commands signed by your key to store or serve its contents. It will be very expensive, not practical at all, but you can rent floor space in any datacenter and put it there.

Again, you don't need to go so overkill. Protect the key with your life, and release the encrypted data. Properly encrypted data with AES256 using secure methods is considered unbreakable with current technology. Having the encrypted version of anything sans the key is the same as having a file full of white noise. Or having a long, truly random password, but you don't know the username nor the server or service where that password belongs. It does not mean anything and does not help anyone gain access to anything.

Answered by ThoriumBR on October 28, 2021

The only way to be certain that your data is safe is to manage the storage, network, and transport of the data yourself.

Some questions to ask:

  • Does this data need to go offsite? Can it be stored locally?
  • Does the provider have any known breaches?
  • Who uses the provider? I.e., is BIGCORP a customer?
  • Could you store this data on an encrypted drive at a friend's house?

However, with good hygiene with the encryption and the transport, the risk is minimal, unless you are uploading state secrets...

Answered by Zapto on October 28, 2021

Here is what you asked: "I want to hand the encrypted data to this party to store and process, but I don't want them to see the encrypted data."

That's not possible or realistic.

If you don't want them to have access to the data, then don't give them access. Don't give it to them.

You could try multiple levels of different encryption, but that's just encrypting in layers. They still see the encrypted data, just higher levels of it.

You could hide the encrypted data in other data so that they don't notice the data, but they could still notice it, if they looked for it.

Answered by schroeder on October 28, 2021
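
The answers above describe ciphertext as "white noise" and note that encrypted data hidden inside other data can still be noticed by someone who looks for it. The following is an added example, not part of the original posts, showing why: a per-block Shannon entropy scan locates a random-looking region embedded in ordinary text. The cover text, the SHA-256 counter-mode stand-in for container bytes, the 512-byte block size and the 6.5 bits/byte threshold are all assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 512       # bytes per analysis window (assumed)
THRESHOLD = 6.5   # bits/byte; assumed cut-off between text-like and random-like


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def stand_in_ciphertext(n: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode).
    Constructed sample data standing in for a slice of an encrypted container."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def high_entropy_ranges(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return merged (start, end) byte ranges whose blocks look random."""
    ranges = []
    for start in range(0, len(data) - block + 1, block):
        if shannon_entropy(data[start:start + block]) >= threshold:
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], start + block)   # extend previous run
            else:
                ranges.append((start, start + block))
    return ranges


def build_sample():
    """Constructed cover file with a 4 KiB random-looking blob placed at offset 5000."""
    cover = b"Minutes of the quarterly facilities meeting. Nothing to report. " * 200
    blob = stand_in_ciphertext(4096)
    offset = 5000
    return cover, cover[:offset] + blob + cover[offset:], offset, len(blob)


if __name__ == "__main__":
    cover, sample, offset, size = build_sample()
    print("cover only :", high_entropy_ranges(cover))
    print("with blob  :", high_entropy_ranges(sample), "true:", (offset, offset + size))
```

The scan reports nothing for the plain cover text and a single range that brackets the embedded blob to within one block, without any knowledge of the key or the contents.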