Secure documents in the Cloud

Here is a good way to secure your documents in the cloud using Windows 7 and Windows 8. I’d like to note there is one alternative (among many) which I also use, which is TrueCrypt. The method described here relies on SkyDrive, VHD and BitLocker. Some of the tips also apply to the use of TrueCrypt.

Get Cloud Storage

Recently all the major cloud storage systems have released a rich client for the Windows and Mac desktop OSes that lets you sync a local folder with your cloud storage. There are many smaller and bigger competitors in this space; the big players are Google, Microsoft and Dropbox.

I’m using all three of these alternatives, with SkyDrive being my primary platform. Make sure you download the software for your cloud storage provider and set up the sync between the cloud and your computer.

Create the Virtual Hard Disk

Next step is to launch the Computer Management console on your Windows computer. On Windows 8, open the File Explorer then choose the “Manage” button on the ribbon bar. This should open the Computer Management.

Navigate to Storage/Disk Management. Right-click on Disk Management and choose the Create VHD option.

In the Location field, locate your synced cloud storage folder and type the name of your VHD file, for example “Documents.vhd”. I chose VHD rather than VHDX to ensure the file is compatible with Windows 7. Pick whatever file size you want the virtual hard disk to be.

I chose a dynamically expanding disk. It’s important to note that SkyDrive sync is intelligent and won’t sync the whole huge file every time there is a change; it figures out what changed and only syncs those parts of the file.

After the disk has been created, you should run the Initialize Disk option. After Initialize, you have to right click on the partition and choose “New Simple Volume”. Assign the disk to a drive volume and perform a format from the wizard.

Turn on Encryption

The next step is important to ensure your files are stored encrypted and securely in the cloud. First, you have to choose what encryption technology to use.

Microsoft has a table that shows the differences between BitLocker and EFS.

For my own needs, I’ve chosen BitLocker. On Windows 8, all you have to do is open the mounted drive (the X: drive in my example here) and choose the Manage tab from the ribbon bar at the top.

Choose the Turn on BitLocker option and complete the wizard that appears. Make sure you enter a strong (long) password. A very long sentence that you can remember is a lot better than a small number of random characters.

One of the new options on Windows 8 is to store the recovery key for BitLocker with your Microsoft account. This will somewhat defeat the purpose of storing your virtual hard disk encrypted on SkyDrive, as you are giving away the key to unlock the drive. Instead, print out the recovery key and store it on an external USB drive.
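The Create the Virtual Hard Disk and Turn on Encryption steps above, scripted with the built-in diskpart and manage-bde tools. This is an added example, not the author's own code: Documents.vhd and X: come from the text, while the SkyDrive folder path, the 2048 MB size and the E:\ USB drive are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt (Windows 7 or Windows 8).
# Assumed values, not from the article: SkyDrive path, 2048 MB size, E:\ USB drive.
$vhd    = "$env:USERPROFILE\SkyDrive\Documents.vhd"   # file name from the article
$letter = 'X'                                         # drive letter from the article
$sizeMB = 2048
$usb    = 'E:\'

if (Test-Path $vhd) { throw "Refusing to overwrite existing file: $vhd" }

# 1. Create a dynamically expanding VHD (not VHDX), initialize it as MBR,
#    create one primary partition, format it NTFS and assign the drive letter.
$dp = @"
create vdisk file="$vhd" maximum=$sizeMB type=expandable
select vdisk file="$vhd"
attach vdisk
convert mbr
create partition primary
format fs=ntfs label="Documents" quick
assign letter=$letter
"@
$tmp = Join-Path $env:TEMP 'create-documents-vhd.txt'
$dp | Set-Content -Path $tmp -Encoding ASCII
diskpart /s $tmp
$dpExit = $LASTEXITCODE
Remove-Item $tmp
if ($dpExit -ne 0) { throw "diskpart failed with exit code $dpExit" }

# 2. Turn on BitLocker with a password protector (manage-bde prompts for the
#    password) and a numerical recovery password.
manage-bde -on "${letter}:" -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 3. Keep the recovery password off the Microsoft account: save the protector
#    listing to the USB drive so it can be printed from there.
manage-bde -protectors -get "${letter}:" |
    Out-File -FilePath (Join-Path $usb 'Documents-vhd-recovery.txt')

# 4. Check the result. Encryption continues in the background, so re-run this
#    until the conversion status reports the volume as fully encrypted.
manage-bde -status "${letter}:"
```

The recovery file is written in clear text, so the USB drive it lands on should be stored away from the computers that sync the VHD.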

Mount and Eject

To mount the virtual hard disk on any of your computers, just right click on the vhd file and choose Mount.

When you do this operation, you might see the following error message appear:

“Sorry, there was a problem mounting the file.”

At this point you might discover that the mounting actually worked just fine and the drive appears in your File Explorer, but there is one final step you need to complete: you need to unlock your drive.

Right-click on the drive from the File Explorer and choose the Unlock Drive… option. Enter your password and then you should have fully unlocked your secure and encrypted cloud storage drive.


As long as your VHD is stored in the cloud, you should ensure that it is encrypted with BitLocker. Additionally, you should make sure that the password used for BitLocker is NOT the same as your Microsoft account password.

If someone steals or guesses your Microsoft account password, they still won’t be able to look into your documents and files.

Make sure you take a backup of your VHD files to a local hard disk once in a while. My suggestion here is to copy the .vhd off the SkyDrive folder, mount that copy as a separate drive, and finally run the operation to remove BitLocker from that copy of the VHD file. That way, you will have a backup of the VHD which is not encrypted in case of emergency.

1 comment

  1. CB

    Interesting article.
    Is it possible to encrypt only part of my sync’d storage?
    Two options come to mind, I don’t know if either will work:
    1. SkyDrive syncs with two locations on my local machine, one encrypted, one not
    2. The encrypted dir is a subdirectory of the sync’d dir.

    Also, what happens when another computer is linked to the encrypted SkyDrive folder?
    Thanks for any information…
