18 Oct, 2013 | Bobby | Security Software Tutorials

What Is SpiderOak?

SpiderOak has two functions. First, it’s an online backup service, similar to Carbonite or Crashplan. Second, it does file synchronization much like Dropbox or Google Drive. It will let you save the same files on multiple computers and synchronize all the changes. The best part, however, is the privacy policy. Keep reading to find out why.

Sign up for a free account to give it a try (limited to 2GB storage).

For this tutorial I’ll be using SpiderOak version 5.0.3.

What Makes SpiderOak More Secure?

SpiderOak uses very strong encryption to transmit and store your data. This helps to protect your files from hackers intercepting or stealing them. But this isn’t much different than most synchronization services. So what makes SpiderOak different?

SpiderOak uses a strict “Zero Knowledge” policy in which no one but you has the ability to see your data. Most other services have access to your encryption keys on their servers. This gives their employees the ability to see what files you’re uploading and also gives them the ability to turn over your unencrypted data to law enforcement if they’re ever at the receiving end of a subpoena. What’s more, having access to your keys on their servers also increases the possibility for a hacker to get your stuff if their servers are ever compromised.

SpiderOak is one of very few services that ensure your data is 100% private when you upload it, because it’s encrypted with secret keys on your computer that SpiderOak does not have access to. That, combined with its unique versatility, makes it my personal favorite.

Note: This Zero-Knowledge policy does not apply if you access your data through their website or use their mobile app for your phone or tablet.

SpiderOak Features

  • Zero-Knowledge policy
    This is also called “Trust No One” (TNO) privacy. No one but yourself has the ability to read your data. That includes SpiderOak employees themselves. This is a unique feature for file-sync services to have.

  • Partly open source
    The developers are working toward being completely open source. Open source means that anyone can crack open the code for their software and see how it works. This is a good thing for privacy and security as it allows for complete accountability. It’s not fully open source yet, but the developers are releasing bits at a time, and have stated their determination in working toward a fully open source platform.

  • HIPAA compliant practices
    SpiderOak’s Zero-Knowledge environment was specifically created for HIPAA compliance. However, they are not officially HIPAA certified as of this writing, even though they claim that their technical specifications comply with the standards.

  • Ability to connect through a proxy
    If you like to route your internet traffic through an HTTP proxy, SpiderOak will let you as long as it supports SSL.

  • Cross platform
    SpiderOak has clients for Windows, Mac and Linux, allowing you to sync the same files across multiple platforms.

  • Limited free data storage
    SpiderOak allows 2GB free data storage before you have to start paying. Most other services give you more free space than this, but it’s a trivial limitation considering the true privacy and security they’re offering.

SpiderOak Limitations

  • Zero-Knowledge policy does not apply to mobile or their website
    There are two situations in which it’s possible for SpiderOak employees to gain access to your data. 1) If you use the SpiderOak mobile app on your phone or tablet or 2) if you log into their website to access your data (this includes the sharing feature). In these situations, your encryption keys are temporarily exposed on their servers and SpiderOak employees technically have the ability to see them, even if they choose not to.

    This could be problematic. For instance, if they were ever secretly coerced by the government to hand over access to your data, they would have that ability. I really hate to say it, but unfortunately that is actually happening.

    However, as long as you never log into the website and never use the mobile app, the Zero-Knowledge policy remains in effect. If you have used the mobile app or website in the past and you decide to go back to Zero-Knowledge usage, just change your password in the SpiderOak client installed on your computer. As long as you never type that new password into their website or into the mobile app, they will not have access to your keys anymore. However, if for some reason they stored the encryption keys to files you’ve already uploaded, then they may still have those even after you change your password. If you want to retain complete privacy, I would just recommend never logging into the website or mobile apps to get your data.

  • Password cannot be recovered
    As a side-effect of Zero-Knowledge, your password can never be recovered if you lose it. This is a problem inherent to complete privacy. So make sure you don’t lose your password or else the data on their servers will be lost to you forever. SpiderOak does provide the ability to create a password hint in case you forget. But as a purist, I would recommend avoiding that feature.

  • Not fully open source
    While the developers are working toward a fully open source platform, it has not happened yet as of this writing. However, considering their determination to make it so and their openness and transparency thus far, I feel safe trusting that their product is as private and secure as they tout.

SpiderOak Technical Specifications

  • AES256 and HMAC-SHA256 used for encryption
  • Nested key scopes – uses different encryption keys on a per folder and file version basis to allow secure sharing of individual files/folders
  • Your encryption keys are themselves encrypted with your password and a 32-byte salt while stored on their servers
  • Includes 3072-bit public/private RSA encryption key pair for new anticipated features – not currently being used as of this writing
  • Uses port 443 for internet traffic
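
To make the “keys encrypted with your password and a 32-byte salt” item concrete, and to show why the password-change caveat under SpiderOak Limitations holds, here is an added sketch of client-side key wrapping. It is not SpiderOak's code and not part of the original tutorial. Assumptions: PBKDF2-HMAC-SHA256 as the key-derivation function, the round count, all function names, and an HMAC-SHA256 counter-mode keystream standing in for AES-256 because Python's standard library has no AES.

```python
import hashlib, hmac, os

ROUNDS = 100_000  # assumption: illustrative PBKDF2 work factor, not from the page

def derive_keys(password: str, salt: bytes):
    """Password + 32-byte salt -> (encryption key, MAC key). KDF choice is assumed."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: HMAC-SHA256 used as a PRF in counter mode."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def wrap(password: str, data_key: bytes) -> dict:
    """Runs on the client; the returned blob is all the server ever stores."""
    salt, nonce = os.urandom(32), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = _xor_stream(enc_key, nonce, data_key)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(password: str, blob: dict) -> bytes:
    enc_key, mac_key = derive_keys(password, blob["salt"])
    tag = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):  # verify before decrypting
        raise ValueError("wrong password or modified blob")
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def change_password(old: str, new: str, blob: dict) -> dict:
    """Re-wraps the SAME data key; files encrypted under it are not re-encrypted."""
    return wrap(new, unwrap(old, blob))

def rejected(password: str, blob: dict) -> bool:
    try:
        unwrap(password, blob)
    except ValueError:
        return True
    return False

def demo() -> dict:
    data_key = os.urandom(32)                       # constructed sample file key
    stored = wrap("first passphrase", data_key)     # constructed sample passwords
    rotated = change_password("first passphrase", "second passphrase", stored)
    return {
        "guess_rejected": rejected("not the passphrase", stored),
        "old_password_rejected": rejected("first passphrase", rotated),
        "data_key_unchanged": unwrap("second passphrase", rotated) == data_key,
    }

if __name__ == "__main__":
    print(demo())
```

The stored blob is useless without the password, which is the Zero-Knowledge property. Because `data_key_unchanged` is true, a password change locks out the old password but does not revoke access for anyone who already saw the underlying file key.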

How To Install SpiderOak

1. Sign Up and Download SpiderOak

Visit the SpiderOak signup page. Fill out the signup form and click Sign Up.

If you have JavaScript disabled, the signup page may not have all the necessary fields. Enable scripts for the site temporarily if you have issues.

2. Run the installer

Run the file that downloaded if it did not start automatically. Yours may have a different version number than you see here. Then follow the installation steps.

When you see this window, you may deselect the Shell Integration if you wish but I would recommend leaving it default. The Shell Integration puts SpiderOak options in the right click context menu. It can be very helpful.

If you see this window, leave the default option selected and click OK. Your desktop will disappear for a minute but should come back soon.

Enter your username and password that you created during the signup process then click Next. It will then go through a process of installing itself on your first device. It may take a few minutes.

When it’s done, the SpiderOak window should appear and the icon should now be visible in the system tray in the bottom right corner of your screen. That means SpiderOak is running.

3. Install SpiderOak on your other computers

On your other computers, go to the SpiderOak webpage and click on the Downloads link. You do not need to go through the sign up process again.

Click the link for your operating system to download the client. If you’re unsure then it’s probably Windows.

Run the installer like you did on the first computer. But this time, after logging into the client select Adding a new device to my SpiderOak account and click Next.

Type a descriptive name for the new computer and click Next. It will then finish setting up your new computer. Do this for each device on which you want to sync your files.

How To Use the SpiderOak Hive

SpiderOak creates what it calls a “Hive” on your computer. This is just a fancy name for the default folder that you put files in to synchronize between computers. The Hive is the easiest way to use SpiderOak because it does not require any extra configuration at all. Just place any files or folders into the Hive and it will automatically replicate them to all your other computers that have SpiderOak installed. That includes any computers that you add in the future.

The Hive folder is located in the Documents folder. You should see a shortcut to the Hive on your desktop and in the favorites menu on the left side of your explorer windows.

Create Your Own “Sync” with SpiderOak

The Hive is by far the easiest way to use SpiderOak. But if you have your own folders you want to sync without placing them in the Hive, such as your Documents folder or even a specific folder you created, you can do that as well. The process is a lot more involved than other services like Dropbox or Cubby because it takes some extra steps to set up. But if you like a lot of customizability in your programs then you’ll probably appreciate it.

1. Add the folder to SpiderOak’s backup

Any custom folder you want to sync will have to be added to the backup first. You’ll need to do this on every computer. For instance, if you want to sync all your Documents folders, then you’ll have to add the Documents folder on each computer to the backup.

Open SpiderOak and click on the BACK UP tab. You’ll see a list of pre-defined options you can select. Check any of the boxes to add that folder to the backup then click Save Selection.

If you want to add a custom folder that’s not on the list, then select Advanced in the upper right corner.

Drill down to the folders you want to add, then check their boxes. The storage bar at the bottom will indicate how much space your selections will use. Remember, you have limited space available. Make sure you’re not going over your limit, then select Save at the top. It will automatically start uploading your selections.

OR, if you opted to include the Shell Extension when you installed SpiderOak, you can add a folder to the backup just by right clicking on it, opening SpiderOak, then choosing Add to backup. This will do the same thing we just did manually through the program.

2. Create your custom “Sync”

Once you have all your folders added to the backup, we need to tell SpiderOak which ones to sync to which computers.

Open SpiderOak and click on the SYNC tab. You can see that the Hive sync is there by default, but we’re going to add our own so click New.

Type a descriptive name for the sync and fill out the description box if you’d like, then click Next. I’m calling mine “Work” because it’s going to synchronize my Work folder between my laptop and desktop.

Click Browse next to the first field.

Find the folder you want to synchronize on one of your computers. Highlight the folder and click Select.

Repeat the process for the second entry. You can add another computer by clicking the [+] button underneath. Likewise, to remove a computer, click the corresponding [-] button. Click Next when you’re done adding folders. The folder names do not have to match.

You do not need to enter anything here unless you want to prevent certain types of files from being synchronized, specified by file extension. For instance, if you have some large ISO files in the folder that don’t need to be synced between computers, you can add “*.iso” and it will ignore them. You will most likely be leaving this option blank. Click Next when you’re done.

Verify the settings are correct then click Start Sync.

You’ll now see your custom Sync in the list and it will begin synchronizing right away. To edit the Sync, click the Edit button. To delete the Sync, click the Delete button.

Note: Deleting the Sync will not delete your files from the SpiderOak server or any of your computers. It only stops the computers from synchronizing.

How To Delete Files from SpiderOak

If you find yourself running out of space, or you just don’t want your files backed up anymore, you’ll need to manually delete them from their servers. Just deleting the Sync you created will not delete the files from SpiderOak.

First, you should delete or modify any Syncs that are using the files you want to delete. Click the SYNC tab and select the correct Sync, then Delete or Edit.

Click the VIEW tab. Drill down to the folder you want to delete from the SpiderOak servers. Highlight the folder and click the red X at the top (“Remove”).

Note: You can only delete folders from the computer that created the backup. If the X button is grayed out it’s because you’re trying to delete it from the wrong computer.

Click Remove. The files will then be removed from SpiderOak’s servers. Make sure that No longer include in future backups is checked or else making a change to that folder will cause it to be backed up again.

You’ll need to repeat this for every computer that was syncing those folders, because when you remove them from the server on one computer, they will still get automatically backed up on the other computers. The space will not be freed up until you tell every computer to stop backing up that folder.

Note: Removing the files from SpiderOak will not delete the files on any of your computers.

How To Remove a Device from SpiderOak

First, uninstall SpiderOak from the device you want to remove. You cannot remove the device if it’s still running SpiderOak.

Open SpiderOak on one of the other devices in your SpiderOak network. Select the VIEW tab, highlight the device you want to remove, then click the red X.

Click Next to remove the device.

Click Finish and the device will be removed shortly. This will also delete all that computer’s backed up data on the SpiderOak servers.

Note: If you did not uninstall SpiderOak on the device you removed, it will not be able to connect to the SpiderOak servers if you start it up again. If you’re removing the device to add it to a different SpiderOak account, see the “How To Change Your SpiderOak Account” section.

Sharing Files with SpiderOak

SpiderOak provides a sharing feature so you can let others see and download your files. But the process is different depending on whether you want to share an entire folder or just individual files. The people you share with do not have to have a SpiderOak account.

How to share folders with SpiderOak

First, make sure the folder(s) you want to share are backed up to SpiderOak in the BACKUP tab.

When you’re ready to share a folder, click on the SHARE tab. It will prompt you for a ShareID. This will be unique to you, no one else using SpiderOak can have the same ShareID. When you’re done, click Next.

Security Note: Do not use your SpiderOak account name as your ShareID. Anyone will be able to see your ShareID so it’s best if it’s not a piece of information that can be used to hack your account. If you want to change your ShareID, click Account in the upper right corner then select Edit next to “Current ShareID”.

Click New to create a new share.

I’m going to create a share for my friend Barney. In the first box, enter a name for the new ShareRoom (for your use only). In the second box, create a RoomKey (used to gain access to the ShareRoom). In the third box, create a strong password. Then click Next.

The RoomKey is not a real password – it’s actually shown plainly in the URL (address) of the ShareRoom. Adding an actual password is the only way to protect the share from hackers and snoopers.

Type an optional description for the ShareRoom and click Next.

Click Browse to find the folder you want to share.

Find the folder you want to share then highlight it and click Select.

If you want to add another folder to the ShareRoom, click the [+] button, or else click Next.

Make sure the configuration is correct then click Start Share.

Your new ShareRoom will now appear in the list. You can modify or delete it by clicking on the ShareRoom then using the buttons at the top.

How to access the ShareRoom in a browser

The easiest way to give someone access to the ShareRoom is by giving them the direct web address. The address is shown in the left pane when you highlight the ShareRoom. Copy/paste the address and give it to whoever you want to have access. If there is no password specified on the account, it will take you directly to the ShareRoom. If there is a password, it will prompt you for it.

The other way is to go through the SpiderOak website. Go to https://spideroak.com then click Login.

Scroll down and click ACCESS A SHAREROOM.

Type in the ShareID and RoomKey then click Login. If there’s a password on the ShareRoom, it will prompt for it before proceeding.

You will then see the list of folders that are being shared. To download a file, open one of the folders then click on the file.

How to share individual files with SpiderOak

Select the VIEW tab, drill down to the file you want to share, then click the WWW button.

A window will appear that shows you the new web address to that file. Copy/paste the entire address (all the gibberish, too) and send it to whoever you want to have it. When they go to that address, it will prompt them to download the file.

Note: The link it generates will only be good for three days. Make sure the recipient of the file knows that.

How To Change Your SpiderOak Account

As far as I can see, SpiderOak does not provide a way to change the account your computer is using once you set it up. Even if you uninstall/reinstall SpiderOak it will use the same account you used before. Here is the only solution I’ve found.

First, uninstall SpiderOak. Then navigate to the following directory in Windows 7 and 8:

C:\Users\%username%\AppData\Roaming\

Delete the “SpiderOak” folder inside, then reinstall SpiderOak. It should now prompt for the account login.

SpiderOak Tips

  • You can use SpiderOak’s backup feature by itself and it works well as an offline backup solution, even if you never create your own Sync
