NordLocker Review

NordLocker

ProPrivacy.com Score 8 out of 10
Visit Site

Summary

NordLocker is a new encryption tool from the highly respected VPN company NordVPN. We found it to be a powerful and easy-to-use product, albeit one that will face stiff competition from the wealth of free and open-source alternatives that are available. In this NordLocker review, we take an in-depth look at pricing, features, how secure it is and more. 

Pricing

A free version of NordLocker is available which limits users to 5 GB of encrypted data. Free users can, however, decrypt files of any size sent to them. 

Premium users can encrypt unlimited amounts of data. Pricing is rather high for a month-by-month plan, although it does get more affordable if you buy longer-term packages.

NordLocker pricing

As with the NordVPN service, you can try 30 days of NordLocker Premium out for free with a no-quibble money-back guarantee.  

It should be noted that a subscription model for the kind of thing which is normally offered as a stand-alone app did raise eyebrows here in the ProPrivacy office, although, there may be good reasons for it. 

Features

NordLocker is not open-source but is based on the excellent open-source gocryptfs per-file encryption app. This means that each file in a volume is encrypted and stored individually, so a change to one file does not mean re-uploading an entire encrypted container when stored online.

The beauty of this system is that if, for example, you open a Word document stored in a NordLocker container, edit and save it, then the changes are seamlessly saved in the encrypted document.  

This makes NordLocker a great choice for storing files securely on otherwise insecure cloud storage services such as Dropbox or Google Drive.  

Master password reset

When you create a new account, you also choose a master password which is used to encrypt your files (see technical security below). NordLocker also generates a recovery key that's only available to you and is best kept offline for added security. This can be used to reset your master password but exercise caution. If you lose both your master password and the recovery key, then you won’t be able to open your files. 

Privacy and security

Jurisdiction

NordVPN is legally based in the Republic of Panama and the NordLocker Terms of Service make it clear that all legal disputes will be resolved in that jurisdiction. Panama has an uncensored Internet and no domestic surveillance we are aware of. 

It is also outside any direct sphere of influence of the United States and its Five Eyes spying partners, although a strong economic presence might allow the US to exert indirect pressure on the Panama government should it wish to. 

NordVPN has admitted to having close links with Lithuanian infrastructure provider Tesonet, but the exact nature of this relationship remains unclear.

Privacy policy

At present, the NordLocker website does not host any trackers, although its privacy policy gives it a great deal of leeway to perform extensive tracking of website visitors in the future.

NordLocker provides client-side encryption, so its developers have no access to your encrypted data, although some aggregated and pseudo-anonymized diagnostics and usage data are sent from its apps to Tefincom. The Windows client has an option to turn such sharing off, although this is sadly not present in macOS just yet.

All data which is collected may be shared with third-party service providers, affiliated companies, and officials in accordance with valid legal demands. European customers’ data is, of course, protected by GDPR.

Technical security

The first thing to note is that NordLocker is a closed-source proprietary software. This means we just have to trust its developers that it is what they say it is, and that it’s not doing anything it shouldn’t. Such is the nature of all closed-source software. 

All files are encrypted client-side, meaning that NordLocker provides end-to-end encryption. You encrypt your files, and only you or other NordLocker users you have chosen to share them with can decrypt them. 

So even if you store them somewhere wildly insecure, such as Dropbox or Google Drive, they are secure.

Data is secured using AES-256-GCM and the encryption keys hashed using Argon2. Both of which are tried and tested cryptographic primitives. Public key cryptography for the generation and authentication of asymmetric key pairs, however, is via Elliptic-curve cryptography (ECC) instead of the more common RSA. 

How NordLocker works

Locker keys never leave your desktop without being encrypted using your secret key and the XChaCha20 cipher with Poly1305 authentication. Your secret key is derived from your master password, which is hashed and salted using the Argon2 key derivation function. 

Concerns about ECC cryptography

Elliptic curve cryptography has the big advantage of requiring much smaller key sizes, but its use is highly controversial. 

Its existing known vulnerability to side-channel attacks and its theoretical known vulnerability to quantum computing attacks are worrying enough, but even more worrying is how easy it is to insert backdoors into the algorithm.

Indeed, ongoing concerns that a backdoor might have been inserted into the Dual_EC_DRBG elliptic curve algorithm appear to be confirmed by internal NSA memos leaked by Edward Snowden. 

Despite such concerns, “the algorithm, as a whole, remains fairly secure” if properly implemented, which is a known problem. As an IASCA report on Elliptic Curve Cryptography notes.

“In a nutshell, a lot of things can go wrong while ECC is being implemented. There are numerous examples of how the failed implementation of ECC algorithms resulted in significant vulnerabilities in the cryptographic software.”

And being closed-source, there is simply no way to know how well ECC cryptography has been implemented in the NordLocker software. In fairness to NordLocker, though, the kind of attacks that ECC is vulnerable are unlikely to be part of most of its customers’ threat models.

Sharing files

Lockers, folders and individual files (which are converted into Lockers) can be shared with other NordLocker users via almost any means – by email, via a shared Dropbox folder, on a USB stick and various other methods. 

dropbox, onedrive, box, and google drive logos

Thanks to asymmetric public-key cryptography (ECC), only the intended recipient, identified by their email address, can unlock the Locker using his or her own private key. 

Due to this, we assume that it requires some form of centralization in order to distribute customers’ public keys to senders. 

Add user access for NordLocker

If this is the case, then it explains why NordLocker works on a subscription model rather than being sold as a stand-alone product. But it also raises questions about whether NordLocker can keep a record regarding who sends files to who. 

Customer Care

The website features a fairly simple FAQ and some troubleshooting guides. 24/7 live chat support is promised but was not available when this review was written. Instead, early adopters will have to rely on email support, which is already in place.

Ease of use

NordLocker is available for Windows and macOS. The Windows app requires the .Net Framework 4.8, which must be installed during setup if it is not already present on your system.

Once opened with your master password, a NordLocker container acts just like a regular folder. Files will be opened by their usual programs and seamlessly re-encrypted when changes are saved. 

NordLocker Folder

To encrypt files, just drag and drop them into an open Locker window. You will be asked if you want to keep the original or move it to the Locker-only. You can add user access for other NordLocker customers, which is particularly useful for sharing Lockers that are stored online. 

To store a Locker online, simply upload it to your cloud service of choice. If you store a Locker in your cloud folder, then any changes made to files to it will be immediately mirrored in your cloud storage.

You can also share files and folders by converting them into new Lockers and then sharing them by whichever means you prefer. As already noted, this feature is still in the works at the time of writing. 

NordLocker folder sharing

In Windows, shared Lockers are simply saved so that you have to share them yourself manually, such as by adding one as an email attachment. The macOS app has slightly better OS integration, allowing to share Lockers using the built-in macOS sharing function automatically.  

Final thoughts

NordLocker is a very polished product. It looks great and provides arguably the easiest way we have seen to encrypt files locally or in the cloud and to share them with others securely. 

We are not convinced that the use of Elliptic curve cryptography is the best choice, but the technical security used to protect your data is otherwise very robust. It’s just a shame that the app is closed-source, so we can’t really see what is going on or how well the security has been implemented. 

Our other big concern is pricing. The encryption app space is already crowded, with plenty of excellent and fully open-source options available. We will say that none of these is as polished or versatile as NordLocker, but they are free and open-source. 

NordLocker is not cheap (especially compared to free), and even as a commercial product its subscription model is a little jarring for what many would think of as a stand-alone product deserving a one-off price tag. But as we have already speculated, there may be reasons for this. 

It would be nice to be able to access encrypted files from mobile devices, but we would be very surprised if iOS and Android apps are not in the works. 

Overall, we think NordLocker is a very good product that offers a unique take on encrypting files locally and in the cloud. But it’s neither free nor open-source. 

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

1 Comment

  1. Peter

    on December 4, 2019
    Reply

    Haven't got the same luck. Tried to install the NordLocker folder on diff. drives (and folders) with the same error msg. Can't not create folder! Even in the \documents folder!! Not available on mobile apps yet. So this thing is *not* ready for prime time yet.

  2. F. Cosov

    on December 2, 2019
    Reply

    I’ve tried the free version of Locker over the last week and had a great experience. I like the encryption speed and simple data sharing solution, and security seems perfect. Especially I’m attracted by the price point which seems very decent. Hope I do not change my opinion and switch to the premium once I reach the limit in the current one.

  3. drowndroning

    on November 20, 2019
    Reply

    Thanks for your review. I’ve never tried file encryption before and your article gave me some knowledge about this matter. Nordlocker seems worth to try and begin my experience in this unknown field as you mentioned that it’s easy to use.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives: