With the recent media storm surrounding Heartbleed, people are more concerned with the security of their files online than ever. As technical people, we realize more than anyone that our lives online are always vulnerable. With the convenience that online cloud storage brings, its use over the past few years has exploded. We at Lockbox want to make that usage almost impenetrable.

We do this by leveraging the fact that you probably already have multiple cloud storage accounts. Most people nowadays have Dropbox, Google Drive, and OneDrive. We secure your files by splitting them into three, encrypting the parts separately, and storing each part in a separate cloud storage account. We then store the keys associated with these encryptions in a round-robin format, each in a different cloud storage account than its respective data file. These keys are themselves encrypted with a Lockbox-specific key. We use AES-256 encryption throughout the system for maximum security.
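The split-and-rotate layout described above, as an added example that is not Lockbox's own code. It assumes AES-256-GCM as the mode, contiguous thirds as the split, and in-memory objects standing in for the three storage accounts; all function and field names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM (the mode is an assumption; the page only says AES-256).
// Sealed blob layout: iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Split into n contiguous parts, encrypt each under its own random key, and
// put the wrapped key for part i in account (i + 1) % n, never beside its data.
function lockFile(data, masterKey, n = 3) {
  const accounts = Array.from({ length: n }, () => ({}));
  const size = Math.ceil(data.length / n);
  for (let i = 0; i < n; i++) {
    const partKey = nodeCrypto.randomBytes(32);
    const chunk = data.subarray(i * size, (i + 1) * size);
    accounts[i].part = { index: i, blob: seal(partKey, chunk) };
    accounts[(i + 1) % n].wrappedKey = { forPart: i, blob: seal(masterKey, partKey) };
  }
  return accounts;
}

// Reassembly needs every account plus the master key that unwraps the part keys.
function unlockFile(accounts, masterKey) {
  const parts = [];
  for (const acct of accounts) {
    const { forPart, blob } = acct.wrappedKey;
    const partKey = open(masterKey, blob);
    const holder = accounts.find((a) => a.part.index === forPart);
    parts[forPart] = open(partKey, holder.part.blob);
  }
  return Buffer.concat(parts);
}

// Constructed sample input; masterKey stands in for the Lockbox-specific key.
const masterKey = nodeCrypto.randomBytes(32);
const sample = Buffer.from('constructed sample file contents for the example');
const stored = lockFile(sample, masterKey);
```

Each element of `stored` holds one encrypted part and the wrapped key for a different part, so what the part keys are worth to someone holding an account depends entirely on how the key that wraps them is protected.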

We then present a "ghost" cloud storage solution called Lockbox which can be used to upload/access the files that you have stored through this scheme.

What this leaves us with is an insanely secure solution that actually stores nothing. If someone were to hack your files, not only would they have to hack three separate cloud storage solutions, but they would also have to decrypt every file, figure out how to extract the keys and decrypt them separately, figure out the order of the files, and figure out the key associations for the encryptions. If someone is able to do this... they deserve your files.

Now you may be asking, what if someone hacks Lockbox? Well, we were concerned about this too, so we got rid of the problem. Lockbox is a completely ghost storage solution. There are no users as a part of Lockbox. We store no SQL tables and maintain no permanent data. If someone hacked Lockbox they would find NOTHING.

There is also no username/password authentication. Lockbox defines users based on the cloud storage accounts that are separately authenticated into Lockbox. When a user signs in, they enter an email associated with any one of the accounts they have added to Lockbox. We then search through our network of accounts, find the account associated with the email, and connect it to the other accounts associated with this person, EVEN IF those accounts use a different email address. This is done through hidden files stored in the cloud storage accounts. Again, all of this information is accessed by leveraging their storage. Nothing is stored on Lockbox. The user is then authenticated by sending this email address a verification code that is only active for this session. After we find and connect the right accounts and authenticate the user, we create a ghost Lockbox specifically for this session. The Lockbox is destroyed after the session is over, and during the session no data is stored on our server at all.

We use the Kloudless API to integrate any cloud storage solution on our end as a generic storage solution, regardless of its API specifications. We host our solution on Azure at cjw.cloudapp.net (we will be switching to lockbox.cloudapp.net soon). We also maintain an admin terminal to view analytics of site usage using Salesforce technology.

After everything is said and done, the actual experience is simple. Just lock your files with the cloud services you already use.
