This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Just testing Knox

Hello,

I'm a long time user now of 1Password and just thought I'd take a look at Knox to see what it's all about.



Recently I've started using DropBox a lot more and I'm finding it's a great solution with 1Password but the other great tool I've found for DropBox is Symbolic Linker on the Mac, which allows me to leave folders in their normal place, while just creating a link, similar to an alias inside the DropBox folder. I've done this for example with the Safari preferences, so if I work on one of my Macs now for a month those changes will automatically be updated on my other Macs when I use them.



Something I just wondered about is if Symbolic Linker or some other means could be used so that as a folder is changed the Knox encrypted file is updated and uploaded to your DropBox folder? I can create encrypted disk images through the disk utility, so I'm struggling at the moment to see the real benefits of Knox.



Thanks



Ashley

Comments

  • ashleyk
    edited October 2011
    I've just discovered a rather cool trick. Using an app called secretsync anything dropped inside there is automatically encrypted and then included inside your DropBox. Better still this can be done with Symbolic Linker so you don't need to move the original items and all of this is free up to the basic 2 gig limit. It's beautifully simple and cross platform.



    I'd love to see an Agile inspired version of this that could also work on normal web servers ;-)
  • khad
    khad Social Choreographer
    Thanks for trying Knox, Ashley!



    Like Knox, Disk Utility creates encrypted disk images. It’s all in the user interface. We think that creating and managing disk images manually is a chore! In contrast, Knox makes these tasks easy and pretty. It additionally automates the backup of your vaults so you can “set it and forget it”.



    Also, FileVault is built into OS X, very easy to set up, and encrypts a lot of data: your whole “Home” folder (or startup drive in Lion). One disadvantage of this is that all your files are available when you are logged in.



    Since Knox makes creating and managing multiple vaults so simple, you can easily and quickly create a vault for each project or client. You can open and close Knox vaults on demand, which means that only the vaults you need have to be open at any given time, leaving the others safely locked away.



    SecretSync is interesting, but I haven't had a chance to look at it too carefully myself. One thing to note is that due to the client-side encryption you will not have access to your data from the Dropbox web interface. I'm also not sure how delta syncing is affected by their encryption, so syncing large files with SecretSync may take considerably longer than without.



    It reminded me to reread this older Economist article, "Keys to the Cloud Castle":



    http://www.economist.com/blogs/babbage/2011/05/internet_security



    If you haven't yet read it, you might want to check it out. :-)
  • Hi Khad,

    After trying secretsync for a day I've decided to take a step back because DropBox was caught in a continual phase of upload even when there were no obvious changes made to the files. It might be useful in limited ways or if you have a fast cable connection with no bandwidth limits but otherwise I'm not sure it's practical. Secretsync themselves suggest you only encrypt confidential items so perhaps this is an acknowledgement that the uploading will be constant otherwise.



    I think a sensible balance has to exist and my main reason for wanting secure external backups is just as a fallback position in case the house ever caught fire or got flooded and my computers were destroyed. You can have multiple backup solutions in your house that suddenly become useless in a scenario like that and these days my whole business revolves around the computer.



    Using the example of the 1Password keychain I know that is already encrypted before uploading but would you want your accounts or other details stored in a "cloud" on various different servers around the world without any real idea who might gain access to it all? Seeing what happened earlier in the year with Sony was a bit of a wake up call about what can happen when large systems are targeted by hackers. Many people are perhaps rather too naive about the information that can be used for ID fraud as well.



    I'm warming to Knox but it doesn't yet have that same compelling must have feeling I experienced with 1Password after a couple hours of use and I'm wondering if it might be due for a move to MAS as well, which could change things.



    Thanks



    Ashley
  • ashleyk
    edited November 2011
    I've been looking more at Knox and feel it would really benefit from greater integration with 1Password. For example if I create a new vault I'd like to see the name and password details automatically saved to 1Password and possibly in a preconfigured template to make it quick and easy.



    I know in theory that I could maintain documents full time in an image but that still feels like a big step psychologically, even though I operate Windows via Parallels in exactly the same way. Right now I'm not sure how many folders etc. I would want to store this way and I understand Agile recommend excluding the folders from Time Machine. Fortunately I have SuperDuper though so I guess they'd be safe.
  • khad
    khad Social Choreographer
    edited November 2011
    [quote]I've been looking more at Knox and feel it would really benefit from greater integration with 1Password. For example if I create a new vault I'd like to see the name and password details automatically saved to 1Password and possibly in a preconfigured template to make it quick and easy.[/quote]

    I will definitely pass your vote for this along to the developers. I also think it would be a great addition. We just need to find the time to implement it. :-)



    [quote]I know in theory that I could maintain documents full time in an image but that still feels like a big step psychologically, even though I operate Windows via Parallels in exactly the same way. Right now I'm not sure how many folders etc. I would want to store this way …[/quote]

    Once the vault is unlocked, it essentially behaves just like any other folder. It shouldn't be too much of a hassle, but let me know if there is a specific problem you are running into.



    [quote]I understand Agile recommend excluding the folders from Time Machine. Fortunately I have SuperDuper though so I guess they'd be safe. [/quote]

    We recommend excluding [i]active[/i] vaults from Time Machine, but the backups that Knox creates can (and, in all cases I can think of, [i]should[/i]) be included in Time Machine backups. That is to say, "back up the backups" but not the actual vaults. :-)



    So if your vaults are stored in ~/Documents/Knox you will want to exclude that folder from Time Machine backups, but if the folder where you have told Knox to create backups is ~/Documents/Knox Backups you will want to be sure that is still included in your Time Machine backups. Likewise with Dropbox syncing. You can store the backups in your Dropbox folder, but we strongly recommend against storing your active vaults in your Dropbox folder.



    Of course, SuperDuper is a great solution as well. I use it — well, Carbon Copy Cloner actually — in combination with Time Machine and Dropbox for maximum protection. :-)
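The layout recommended in the reply above, checked with a script; this is an added example, not part of the original thread and not AgileBits code. It flags an active-vault folder that is stored in Dropbox or reachable through a symlink placed there (the Symbolic Linker setup mentioned earlier in the thread), and on macOS asks `tmutil isexcluded` whether the vault folder is excluded from Time Machine and the backup folder is not. The function names and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example (not AgileBits code). All paths are supplied by the caller.

# Physical path of a directory, with every symlink resolved.
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# 0 if directory $1 physically lives in (or is) directory $2, else 1.
is_inside() {
    child=$(real_dir "$1") || return 2
    parent=$(real_dir "$2") || return 2
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 (and a reason on stdout) if vault dir $1 would be synced via Dropbox dir $2:
# either it is stored there, or a symlink placed there points at it or a parent.
vault_exposed() {
    if is_inside "$1" "$2"; then
        echo "$1 is stored inside $2"
        return 0
    fi
    hit=$(find "$2" -type l 2>/dev/null | while IFS= read -r link; do
        if [ -d "$link" ] && is_inside "$1" "$link"; then
            echo "$link"
            break
        fi
    done)
    [ -n "$hit" ] || return 1
    echo "$1 is reachable through symlink $hit"
}

# Report on the layout: active vaults in $1, Knox backups in $2, Dropbox in $3.
# Returns the number of problems found.
audit_layout() {
    problems=0
    if vault_exposed "$1" "$3"; then problems=$((problems + 1)); fi
    if command -v tmutil >/dev/null 2>&1; then
        # macOS only: tmutil prints [Excluded] or [Included] before each path.
        tmutil isexcluded "$1" | grep -q '^\[Excluded\]' \
            || { echo "$1 is not excluded from Time Machine"; problems=$((problems + 1)); }
        tmutil isexcluded "$2" | grep -q '^\[Excluded\]' \
            && { echo "$2 (backups) is excluded from Time Machine"; problems=$((problems + 1)); }
    fi
    return "$problems"
}
```

With the folder names used in the reply, the call would be `audit_layout ~/Documents/Knox ~/Documents/"Knox Backups" ~/Dropbox`; an exit status of 0 means no problems were found.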
  • ashleyk
    edited November 2011
    I did actually check out Espionage as an alternative but immediately after installing it I found Time Machine was broken and absolutely refused to back up anymore, so I ended up reluctantly having to wipe the drive and start again. I also tried using it with symbolic linker for DropBox but when I checked online all the folders were empty so that experiment wasn't too successful either for some reason.



    DropBox is great but like anything it occurred to me that any system is only as secure as the people behind it and in any organisation there is a chance of finding a bad apple or somebody who simply messes up due to human error. As a very real example a few years ago the British government somehow lost the bank details of 25 million people when two CDs went missing in transit and I seriously doubt if it took that long before those details found their way into the hands of criminals. http://news.bbc.co.uk/1/hi/7103566.stm



    Eventually I ended up buying the license to Knox and I now make sure that data uploaded to DropBox is encrypted using Knox where possible, so if you also use 1Password and make use of FileVault 2 in Lion I'd say you are relatively safe at least from the perspective of what you can do personally. Unlike FileVault in the past this new version seems like a great improvement.



    Getting back specifically to Knox it really just needs greater integration with 1Password. For example when I save a password for a vault there is an option to save it using the Apple Keychain but wouldn't it be better if there was an option to have it saved instead by 1Password?



    I also seem to have had some difficulty with Knox changing the backup location of certain vaults and I've now treble checked that to make sure it can't (shouldn't) happen again but in the list of vaults it actually lists two of the backups rather than the originals and there doesn't seem to be any easy way to correct this other than deleting them and starting again from scratch.