At first glance, Tresorit’s end-to-end file sharing service looks like it might be able to overcome its proprietary nature and win favor with some Linux users. Unfortunately, the service comes with another issue that might be an insurmountable deal breaker for some.
The FOSS Force Review
On Thursday I received an email from Eszter Szilva, a PR manager at Tresorit, which is an “end-to-end encrypted file sharing service.” She was offering an invitation to take a peek at the company’s just-released client for GNU/Linux. I must admit I was a little excited by this, despite the fact that I already figured the service was also end-to-end proprietary. I was willing to ignore that, thinking it’s about time for companies to start treating Linux users with the same respect given to users of other operating systems.
A quick gander at the company website told me the service encrypts files client-side before uploading using AES, the Advanced Encryption Standard established by the U.S. National Institute of Standards and Technology. The company uses servers located in Ireland and the Netherlands, which is an important plus for those trying to stay out of the long reach of the US government. The company is headquartered in Switzerland and user data is protected under Swiss privacy laws, which offer more protection than in the US or even the EU.
The company has gone to great lengths to keep their service as unhackable as possible. In 2013 and 2014, Tresorit sponsored a hacking contest, at first offering $10,000 to anyone who could hack its data encryption system and gain access to the servers. The amount of the award was incrementally raised to a final figure of $50,000, with hackers from institutions such as Harvard, Stanford and MIT competing for the prize. After 468 days the contest was ended with no hackers breaking Tresorit’s encryption.
Users of the service can access their “tresors” (German for “vaults”) through web browsers or by client apps that are available for both desktop and mobile operating systems. Since the company recommends installing and using the client instead of a browser on the “home” computer, I wondered if there was a difference in the security levels between the two, and asked Szilva by email, “What is the advantage of using the desktop client rather than accessing through a browser?”
Her reply was that the client added functionality, but that both methods were equally secure.
“The most important advantage of the desktop client to the browser is that it allows you to sync your files automatically to your local computer (although you can switch this off, and you can also restrict which folders you want to sync automatically within a tresor). …the browser version needs manual uploads to make updates for files available. …the desktop client has several usability advantages, like drag and drop file usage, which makes the usage more native and easy. It is important though that the desktop client and web version both have the highest standard of security, based on zero-knowledge end-to-end encryption.”
The Linux client is downloaded from Tresorit’s website and installs without needing root privileges (in fact, for security reasons, the user is cautioned not to install as root). After installation, I found the interface to be simple and easy to understand, with files uploading and downloading quickly. As expected, uploaded files were immediately available on other computers logged on to my account and connected via a browser. Files can, of course, be shared, even with people having no Tresorit account.
Pricing is okay, but not particularly cheap. A small business account for 2-9 users will set you back $25 per user a month, or $15 per user for ten or more users. Single user accounts are $30 monthly. Those interested in trying the service on for size can sign up for a fourteen-day free trial.
Besides price, there are two deal breakers for many Linux users. The first is the proprietary nature of the software. Personally, I don’t have much of a problem with that, although I’d prefer an open source solution. The second, however, kills the deal for me, and I imagine will also be problematic for most FOSS advocates. Tresorit is served by way of Microsoft Azure servers.
I asked Szilva about this. “I notice you’re using Microsoft Azure, which might be a deal breaker for many open source users for a variety of reasons. Do you have any plans to move away from Microsoft’s service or to offer your service on servers not connected to Microsoft?”
As expected, the answer was negative to both questions, although she tried to put the best face possible on her answer. “Yes, we are using Microsoft Azure and changing to another provider is not on our road map at the moment. Our service uses strictly EU-based data centers (Ireland, Netherlands) that comply with the highest security standards (ISO27001, ISO27018). For enterprise clients though, we are open to support custom server setups.”
That’s too bad. I think the service the company offers would be useful to some Linux users, and I find the fact that it’s offering a Linux client refreshing. But I can’t get beyond the fact that a few pennies out of every dime I would spend with them would go into Redmond’s coffers. Maybe they’ll give me a call if and when they spin their service up on Red Hat’s cloud. I’ll give them a thumbs-up when they do. Until then, I don’t like the company they’re keeping.