Cloud Encryption Explained with Game of Thrones

One question we hear regularly is: Why should I encrypt my cloud? So far, nothing happened to me or my data. Well, it might be true that your cloud offers some type of encryption, too. But do you know which data is encrypted and in which way? To put it in terms of Game of Thrones: When Daenerys, Tyrion or Arya move through Westeros and Essos, you probably feel better knowing that the White Walkers are far far away. Ideally, behind a large, thick wall.

Is Your Wall High Enough?

One more question brings us to what is at stake here: Why do you think your sensitive data, or your friends, or business partner’s data deserves less protection than a fictional character in your favorite TV show? Well, one answer could be, because data is abstract and because the threats to your data are more hidden and less obviously scary than everything that happens in Game of Thrones.

Spoiler alert: This article contains spoilers about Game of Thrones. Specifically, about the fact that a certain character survives all 6 seasons up until now. If you do not want to know, skip the end-to-end encryption chapter ;) And if you do not want to know how the seventh season ends, better stop reading now.

Samwell Tarly: “The White Walkers sleep beneath the ice for thousands of years. And when they wake up...”

Pypar: “And when they wake up... what?”

Samwell Tarly: “I hope the Wall is high enough.”

Encryption does not mean security per se. Chances are high that your cloud provider does offer encryption, but not at all times and not in a way that makes sure that nobody could ever access your data. This article shows how to differentiate between different types of encryption with examples from Game of Thrones. Learn how to build a wall that is high enough to protect your data from most of the threats out there.

Encryption types – Knowledge is power

When a service you use assures you that your data is encrypted, you should still have a look at the fine print. There is a big difference between encryption at rest and end-to-end encryption, for example. With this article we explain the most important terms that help you make an informed decision about the security of your data. Afterwards, you can decide for yourself which level of security you want to employ for your cloud. You will notice that even though encryption is a complex system, it is understandable for everyone, especially when explained with Game of Thrones.

End-to-end Encryption – Your Message Will Survive Everything, Even 7 Seasons of Game of Thrones

End-to-end encryption means that a message is secure from the moment it leaves one realm until it reaches its destination. Imagine Tyrion Lannister delivering your message. He has guards and companions that protect him on the journey from one realm to the other. This protection is not penetrable by any threats known today. Nothing that lingers on the roadside between origin and destination can defeat him. When he reaches the castle, the message stays protected as well, Tyrion and his companions do not abandon it until it is brought to the one true intended receiver.

2-1 GoT End2End

Since Tyrion survived all seasons of Game of Thrones so far – which in itself is a great achievement – he is impossible to break in the world as we know it today, just as the very secure end-to-end encryption. Well, how is the threat level here? It is actually very low. If your messenger uses end-to-end encryption you can rest assured that no one can read along, not even the provider of the service. WhatsApp and many other messengers, such as Threema, Signal or Wire, offer end-to-end encryption for messages. However, the commonly known cloud providers – Dropbox, OneDrive, Google Drive or iCloud Drive – use other encryption types. If you share data via link in your cloud, it is not end-to-end encrypted either.

A cloud-based option to share data in Dropbox, OneDrive or Google Drive with end-to-end encryption is Whisply. It adds your very own Tyrion to your cloud links, thus making them more secure.

Encryption at Rest – You Are Secure in Kings Landing, as Long as Cersei is on Your Side

Encryption at rest is what most cloud providers offer their clients per default, even for private and free cloud storages. It means that the cloud provider encrypts your data as soon as it reaches your cloud and their servers.

Imagine it like a vault where Daenerys hides her precious dragon eggs from someone who tries to steal them. The problem with encryption at rest is that Daenerys rents this vault from someone else, let’s say the Iron Bank of Braavos. The provider of this vault, The Iron Bank, is offering her encryption. Thanks to the Iron Bank, a third party with an interest in harming or stealing the eggs would not be able to access this vault, only if he or she managed to steal the key (the password) from Daenerys herself.

However, Daenerys is not the only one with a key to this vault. The Iron Bank that rent her this vault has a key, too. Its employees could go into the vault and take a look at the eggs, if they liked. And when someone with more power came knocking, the Iron Bank could be forced to hand out the key.

2-1 GoT Encryption@Rest

In reality, this could be authorities in the USA that refer to the PATRIOT Act. In the series, the dragon eggs symbolize Daenerys’ power and authority. In our digitalized and globalized world, data is power, too. Whoever controls the data is in charge. Daenerys fights to preserve her power and we, the users, should too.

Encryption in Transit: Your Data is Secure During Travel Time

Tyrion Lannister is again delivering your message or your data, and nothing can hurt him during travels from one realm to the other. However, you do not really know what happens to your data once it reaches its destination. Tyrion just hands it over to somebody else.

This means that combining encryption at rest and encryption in transit does not give you end-to-end encryption or zero knowledge encryption, because there can be a weak point between arrival of the data and encryption at its destination. Tyrion delivers your message securely to its destination, let’s say the Iron Bank of Braavos. Here, a guard takes over and puts the message into the vault. However, at this point, he theoretically could read the message, copy it, or make a copy of the key that locks the data away so he can access it whenever he wants. This would also be a great moment to let governments and authorities have a peek if they requested it.

Zero Knowledge Encryption – Or Bring Your Own Dragon

Zero knowledge encryption resembles end-to-end encryption in terms of security. If you have end-to-end encryption for your messages and shared cloud links, as well as zero knowledge encryption for your cloud, it becomes very unlikely that something happens to your data. Imagine Tyrion Lannister with his companions as well as Daenerys and her dragons watching out for your data. All good, right?

Let’s go back to Daenerys protecting the vault. By now, her dragons have hatched and they are her superpower. Since she does not want to trust the Iron Bank to never betray her, she brings in her own dragons that let nobody but her into the vault. Those dragons only listen to their Mum Daenerys, right? The same scenario applies to zero knowledge encryption. It gives you the power of full control. No one but you can access the vault, because you bring your own protection. Everything is encrypted at every point in time and nobody but you knows your password, because it is hashed before it even leaves your device.

2-1 GoT Zero Knowledge

Maybe you guessed it by now. Boxcryptor protects your vault at the Iron Bank of Braavos like Daenerys’ dragons would guard what is most precious to her. So, if you have dragons at hand to protect your data and your right to privacy – why not use it?

By the way: The existence of undead dragons will be blocked out of this comparison. Because that is a whole other story.

A Breach is Coming. Comparison of the Encryption of the Popular Clouds

We do not want to keep you much longer. Here is a short comparison of which cloud provider uses what kind of encryption. If you already know all that, feel free to scroll down to the end of the page right away.

Support us by sharing this article. Help us spread the knowledge and help others to understand encryption so that data security and privacy in the cloud and in communication become the norm one day.

Dropbox

Encryption at rest aka the Iron Bank of Braavos. But without the dragons.
Encryption in transit with SSL/TLS.

Google Drive personal accounts

Encryption in transit: “All transmissions to and from your device using HTTPS and TLS.”
Encryption at rest: apparently not. So better encrypt your Google Drive data yourself and add some dragons.

Google Drive for Business

Encryption at rest just as in the Iron Bank of Braavos. But better bring your own dragons, especially if you operate with business data in Europe.

OneDrive

“We have implemented and will maintain appropriate technical and organizational measures intended to protect your information against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.” (Privacy Statement for Online Services). Either have trust that what Microsoft deems appropriate is good for you too, or bring your own security.
OneDrive Business: Encryption at rest and in transit.

Amazon Drive and Prime Photos

“You are responsible for maintaining appropriate security and protection of Your Files.” (Terms of Use). Ok, got it. I’ll bring my own dragons.

iCloud Drive

Encryption at rest aka the Iron Bank of Braavos. But definitely without the dragons.
Encryption in transit with SSL/TLS.