Most competitors in the cloud backup space often claim "military-grade" encryption. This is a completely meaningless phrase and should not comfort anybody. DES and 3DES were "military-grade" and are today trivially cracked. The only reason you should trust anybody's assertions about data security is if they at least publish a white-paper on how their data security works. Even better is if the entire source code is made public that allows anybody to verify the assertions of encryption.
Additionally, encryption is an evolving subject and you need to stay on top of the subject and be prepared to always re-evaluate your assumptions of what is the best-of-breed solution for any given requirement. This is why during its relatively short history Underscore Backup for instance has upgraded its password hashing algorithm from PBKDF2 to Argon2 and it has moved from CBC to GCM encoding of the AES encryption.
There are a few tell-tale signs that most cloud backup solutions probably do have access to your data and I just thought I would point them out. If either of these two are true it is unlikely that your data could not be accessed by your cloud backup provider without your expressed consent.
- If they provide a web interface to access your backup that most likely means that your data can be accessed by the provider's back-end systems since unpacking an entire backup is unlikely.
- Unless you can and are managing your own encryption keys or are using public key encryption that means that the service itself will manage your encryption keys.
Given the Open Source nature of Underscore Backup and the publication of its threat model you should feel safe to trust the data in Underscore Backup is available only to you.
Photo by Towfiqu barbhuiya on Unsplash
0 comments:
Post a Comment