odrive Encryption (Encryptor)

Zero knowledge encryption for all of your storage

PREMIUM FEATURE

The zero-knowledge encryption add-on lets you create encryption folders using any storage linked to your odrive. You can turn vanilla storage into strongly encrypted, secure cloud storage.

❗️

IMPORTANT

Only you will know the passphrase, so do not lose it! Without your passphrase you cannot access your files. We have no way of helping you to recover your passphrase if you forget it.

HOW TO SET UP ODRIVE ENCRYPTED FOLDERS

Follow the instructions below to get started. You may also find this short video to be helpful.

  1. Open a web browser and navigate to the odrive Encryptor section: https://www.odrive.com/account/myodrive?catid=encryption

  2. Click "Create encryption folder" to open the setup form.

  3. Provide a distinct name for the folder.

  4. Choose the storage location. The location should be empty. Encryptor will ignore any existing files in the chosen folder.

📘

Please Note

  1. Since encrypted data will appear as long, alphanumeric folder/file names on the remote storage, we recommend you create Encryptor folders within a subfolder, as opposed to directly in the root folder. This will prevent confusion when viewing these locations outside of odrive.

  2. odrive places the Encryptor folders inside the "Encryptor" folder, at the root of your odrive folder. Because of this, you may want to include the remote storage in the Encryptor folder's name, so that you can easily remember what storage is backing each Encryptor folder. For example: odrive/Encryptor/Sensitive Documents (Amazon Drive)

ACCESSING YOUR ENCRYPTOR FOLDERS

Once you have created a new Encryptor folder, that folder will show up inside the "Encryptor" folder within the odrive folder on your desktop.

You can set up as many encrypted folders as you need, and each encryption folder can use a different secret passphrase.

📘

Please Note

Make sure that odrive automatic synchronization has not been stopped. Automatic synchronization needs to be enabled to ensure that the Encryptor folders are reflected in the odrive desktop application.

Setting your secret passphrase

The first time you access the Encryptor folder on your computer, odrive will ask you for the secret passphrase. If a passphrase has not been set up before, this is where you specify what you want the passphrase to be (the dialog appears in the background).

If a passphrase has previously been set, then you will need to enter that to decrypt your files.

HOW OUR ENCRYPTION WORKS

Data Encryption:

  • Generate a random 64-bit salt (S)
  • Generate a 128-bit key (K) using PBKDF2 with S and the user’s passphrase (P), 5000 iterations, and HMAC-SHA256 for PRF
  • Generate a random 128-bit initialization vector (IV)
  • Compute a hash (H) of the file data using SHA256
  • Plaintext (PT) is: (file data + H + PKCS #7 padding to the next multiple of 16 bytes)
  • Generate the ciphertext (CT) using AES-256-CBC to encrypt PT using the K and IV
  • Get the 8-bit internal odrive Encryption version designation (V)
  • Write to output file V+S+IV+CT

Data Decryption:

  • Read V, S, and IV from the beginning of the encrypted file
  • Derive K using S and P
  • Decrypt the CT using K and IV to plaintext (PT)
  • Unpad the PT
  • Strip H from the end of PT
  • Calculate new hash (H2) of the resulting PT and compare to H

File/Folder Name Encryption:

  • Generate a random 64-bit salt (S)
  • Generate a 128-bit key (K) using PBKDF2 with S and the user’s passphrase (P), 5000 iterations, and HMAC-SHA256 for PRF
  • Generate a random 128-bit initialization vector (IV)
  • Plaintext (PT) is: (4 zero bytes + the filename + PKCS #7 padding to the next multiple of 16 bytes)
  • Get the ciphertext (CT) using AES-256-CBC to encrypt the PT using the K and IV
  • Get the 8-bit internal odrive Encryption version designation (V)
  • URL-safe, base64 encode (V+S+IV+CT)

File/Folder Name Decryption:

  • Decode URL-safe, base64 filename
  • Read V, S, and IV from the beginning of the decoded filename
  • Derive K using S and P
  • Decrypt the CT using K and IV
  • Check that the new filename starts with 4 zero bytes
  • Strip zero bytes and padding

Where is the Key Stored?
The key is never stored.

The key is derived from the salt and passphrase, as described above. The passphrase is stored on the local system (and only the local system), once you enter it for the first time. It is stored to prevent needing to continually enter the passphrase. There is an advanced feature to turn this off, so that you have to enter the passphrase every time you restart odrive.

The passphrase is kept in the keychain on MacOS and in an encrypted registry entry on Windows using Microsoft’s CryptoAPI.

Does Encryption affect file size?
File sizes increase due to the additional information prepended to the ciphertext and the hash that is appended to the plaintext. The plaintext also needs to be padded to a multiple of the block size. The amount of padding needed will vary, depending on the size of the original file.
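The V+S+IV+CT layout, the key derivation, the post-decryption checks and the size overhead described above, as an added example (not odrive's code and not the linked utility). It covers every step except the AES-CBC call itself, which needs a third-party AES library. The function names, UTF-8 encoding of passphrases and filenames, and tolerance for stripped base64 `=` padding are assumptions.

```python
import base64
import hashlib
import hmac

HEADER = 1 + 8 + 16        # V (8 bits) + S (64 bits) + IV (128 bits), in bytes
BLOCK, HASH_LEN = 16, 32   # CBC block size and SHA-256 digest size, in bytes

def parse_blob(blob: bytes):
    """Split V+S+IV+CT; reject input that cannot be header plus whole blocks."""
    ct = blob[HEADER:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("truncated or misaligned Encryptor blob")
    return blob[0], blob[1:9], blob[9:25], ct

def parse_name(name: str):
    """Decode a URL-safe base64 name, then split it the same way as a file."""
    padded = name + "=" * (-len(name) % 4)  # assumption: '=' may be stripped
    return parse_blob(base64.urlsafe_b64decode(padded))

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """K = PBKDF2(P, S): HMAC-SHA256 PRF, 5000 iterations, 128-bit output."""
    p = passphrase.encode("utf-8")          # assumption: UTF-8 passphrase
    return hashlib.pbkdf2_hmac("sha256", p, salt, 5000, dklen=16)

def unpad(pt: bytes) -> bytes:
    """Strip PKCS #7 padding; a wrong passphrase usually fails here."""
    n = pt[-1] if pt else 0
    if len(pt) % BLOCK or not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS #7 padding")
    return pt[:-n]

def check_file_plaintext(pt: bytes) -> bytes:
    """Unpad, strip H, recompute H2 over the file data and compare."""
    body = unpad(pt)
    data, h = body[:-HASH_LEN], body[-HASH_LEN:]
    if len(h) < HASH_LEN or not hmac.compare_digest(hashlib.sha256(data).digest(), h):
        raise ValueError("SHA-256 mismatch: corrupt file or wrong passphrase")
    return data

def check_name_plaintext(pt: bytes) -> str:
    """Unpad, require the 4 leading zero bytes, return the filename."""
    body = unpad(pt)
    if body[:4] != b"\x00" * 4:
        raise ValueError("missing zero-byte prefix: wrong passphrase")
    return body[4:].decode("utf-8")         # assumption: UTF-8 filenames

def encrypted_size(n: int) -> int:
    """Bytes on remote storage for an n-byte file: header + padded(data + H)."""
    return HEADER + ((n + HASH_LEN) // BLOCK + 1) * BLOCK
```

Pass the output of your AES-CBC decryption (with K from `derive_key` and the IV from `parse_blob`) to `check_file_plaintext` or `check_name_plaintext`; `encrypted_size(0)` shows that even an empty file occupies 73 bytes.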

What happens to my encrypted data if I choose to cancel my Premium subscription?
You will still be able to access all of your Encrypted data. Encryptor folders switch to read-only mode.

ADDITIONAL RESOURCES

A command-line Python utility was created by one of our engineers to allow decryption of Encryptor content outside of odrive.
https://github.com/amagliul/odrive-utilities

Updated about 5 hours ago
