World-First Quantum-Safe Cryptography protected backups available with Underscore Backup 3.0!

Revolutionizing Cloud Backup Security with Cutting-Edge Encryption Technology

Newport Beach, California, July 11, 2024 - Underscore Backup is proud to announce the launch of Underscore Backup 3.0. This latest version introduces a groundbreaking feature: Quantum-Safe Cryptography, a world-first in the realm of cloud backup solutions.

In an era where data security and privacy are paramount, Underscore Backup 3.0 sets a new standard by integrating Quantum-Safe Cryptography. This advanced cryptographic technique is designed to safeguard data against the potential threats posed by quantum computing, ensuring that private and secure backups remain invulnerable to future technological advancements.

Henrik Johnson, Founder, CEO of Underscore Backup, expressed his enthusiasm for this pioneering development:

"With the introduction of Quantum Safe Cryptography in Underscore Backup 3.0, we are not just keeping pace with technological advancements, we are leading the charge. Our commitment to providing private, secure backups in the cloud of any size with minimal resource usage remains unwavering. This innovation underscores our dedication to delivering exactly what our customers need, now and in the future."

Underscore Backup 3.0 continues to offer the same reliable and efficient cloud backup services that users have come to trust. The integration of Quantum Safe Cryptography ensures that data is protected with the highest level of security, keeping your data secure now and tomorrow, making it an indispensable tool for businesses and individuals alike.

In addition to its enhanced security features, Underscore Backup 3.0 maintains its user-friendly interface, multi-platform support, and seamless performance. Users can easily manage their backups with different schedules, configurable retention policies, and point-in-time recovery.

We also continue our ongoing commitment to openness and transparency. Our client code is available as an open-source project on GitHub, we have published a public threat model, and detailed documentation of how encryption is implemented.

Henrik Johnson adds: "As the digital landscape evolves, Underscore Backup is committed to staying at the forefront of innovation, continually adapting to meet the needs of its users. The introduction of Quantum Safe Cryptography in Underscore Backup 3.0 is a testament to the company's commitment to providing cutting-edge solutions prioritizing security, privacy, and efficiency."

Secure Your Cloud Backups with Post Quantum Encryption

Introduction


In today's digital economy, cloud backups have become essential for protecting data. By storing copies of important information in remote servers, businesses and individuals ensure continuity and defense against data loss situations like hardware failure, cyber-attacks, or natural disasters. Despite its many benefits, cloud backup systems are vulnerable to security breaches, making it crucial to implement strong security measures.

Post Quantum Crypto (PQC) or quantum-safe crypto is an innovative encryption technology created to address future quantum threats. With quantum computers on the horizon, traditional encryption methods are at risk of becoming outdated. This is where PQC comes in, offering improved security designed to withstand the computational power of quantum machines.

Recently, Underscore Backup has taken a significant step forward by adding support for quantum-safe encryption. This advancement is a major move towards ensuring data remains secure against both current and future threats. As quantum computing continues to advance, adopting such advanced encryption methods becomes essential to protect the confidentiality and integrity of cloud-stored data.

Key Takeaway: Incorporating Post Quantum Crypto into cloud backups is not just a trend but a necessity for future-proofing data security. Discover how Underscore Backup's latest features can safeguard your valuable information against emerging threats.

Understanding Post-Quantum Cryptography

Post-quantum cryptography is an evolving field designed to protect against the potential threats posed by quantum computers. Unlike classical computers, quantum computers leverage principles of quantum mechanics to perform complex calculations at unprecedented speeds. This capability poses a significant risk to current cryptographic systems, which primarily rely on the difficulty of certain mathematical problems.

The advent of quantum computing could render traditional encryption methods, such as RSA and ECC, vulnerable to attacks. Post-quantum cryptography aims to develop new cryptographic algorithms that are secure against both classical and quantum computing attacks.

Kyber is an encryption method gradually becoming an industry standard for asymmetric key post-quantum encryption. This innovative approach is designed to withstand the computational power of quantum computers, ensuring long-term security.

Key Features of Kyber:

  • Robust Security: Built to resist attacks from both classical and quantum computers.
  • Scalability: Suitable for various applications, from small-scale personal data protection to large enterprise solutions.
  • Efficiency: Optimized for performance, maintaining high speeds without compromising security.

"The rise of quantum computing necessitates robust encryption solutions. Kyber provides a proactive defense against these emerging threats."

By integrating Kyber into your security framework, you are taking a crucial step towards safeguarding your data in the quantum era.

Using Post Quantum Encryption with Underscore Backup

Advantages and Considerations of Implementing Post-Quantum Encryption for Securing Cloud Backups

The world of cybersecurity is changing quickly, and the rise of quantum computing brings new opportunities and challenges. One proactive way to tackle these emerging threats is by using post-quantum encryption for cloud backups. Here are some important points to know:

Advantages:

  • Enhanced Security: Post-quantum encryption algorithms are designed to withstand attacks from quantum computers, ensuring that sensitive data remains secure. This is crucial for industries that handle highly confidential information, such as finance, healthcare, and government sectors.
  • Future-Proof Data Protection: As quantum computing technology advances, traditional cryptographic methods may become obsolete. Adopting post-quantum encryption now safeguards data against future vulnerabilities.
  • Interoperability: Ensuring that post-quantum cryptographic systems can seamlessly integrate with existing communication protocols and networks is essential for widespread adoption.

Considerations:

  • Key Management Protocols: Effective key management is vital in maintaining the integrity and confidentiality of encrypted data. Underscore Backup makes key handling, including sharing, trivial.
  • Performance Tradeoffs: While post-quantum algorithms offer enhanced security, they often require larger key sizes and more computational resources. Organizations must balance the need for security with potential impacts on system performance.

Overview of Underscore Backup's Solution

Underscore Backup has positioned itself at the forefront of cybersecurity innovation by incorporating post-quantum cryptography into its suite of cloud backup solutions. Their approach addresses several critical aspects:

  1. Integration of Leading Algorithms: Underscore Backup utilizes a combination of Elliptic Curve Crypto, Kyber, and symmetric key quantum-resistant algorithms to provide robust security. This multi-faceted approach ensures comprehensive protection against a variety of quantum threats.
  2. Scalability and Efficiency: Despite the inherent tradeoffs associated with post-quantum encryption (e.g., larger ciphertexts), Underscore Backup has optimized its system to minimize performance impacts. This ensures that users can benefit from enhanced security without compromising on efficiency or scalability.
  3. User-Friendly Interface: Recognizing that ease of use is crucial for wide adoption, Underscore Backup offers an intuitive interface that provides post-quantum encryption security with no additional complexity required from the end user. Users can easily configure settings and manage encrypted backups without needing specialized knowledge in cryptography.
  4. Comprehensive Documentation: The Underscore Backup application is Open Source, which means its source code is publicly available for anyone to view, modify, and distribute. This transparency allows users to verify that the encryption methods used in the application are implemented correctly and securely. We also provide a threat model and detailed descriptions of how encryption is implemented.

Embracing Quantum Security

Incorporating quantum-safe encryption into cloud backup solutions like those offered by Underscore Backup represents a significant step towards securing digital assets in an era where quantum computing threats loom large. By addressing both current and future security challenges through innovative approaches and robust key management protocols, organizations can confidently protect their data against potential breaches while maintaining operational efficiency.

The transition towards a quantum-secure future requires not only advanced technological solutions but also a commitment to staying informed about ongoing developments in this dynamic field.

Conclusion

Securing cloud backups is no longer optional; it's a critical necessity. Advanced encryption mechanisms, particularly post-quantum cryptography, offer robust protection against emerging quantum threats. As quantum computing evolves, traditional encryption methods may become obsolete, making it imperative to adopt more advanced security measures.

Underscore Backup provides a cutting-edge solution that incorporates post-quantum cryptography, ensuring your data remains secure even in the quantum era. By leveraging their innovative approach, you can safeguard your cloud backups against future risks.

Ready to enhance your data protection? Try out Underscore Backup's state-of-the-art solution today for ultimate security.

Stay ahead in the quantum race — Sign up now.

Don't wait until it's too late to secure your valuable data. With the rise of quantum computing, traditional encryption methods are becoming vulnerable. Stay one step ahead with Underscore Backup's. Subscribe now and enjoy the peace of mind that comes with knowing your data is protected in the age of quantum computing.

Service and client encryption details

This section is fairly technical. It serves as a walkthrough of how encryption is used in the product and is intended for readers well versed in basic encryption primitives. If that is not you, it is enough to know that all data is encrypted on the client using a combination of state-of-the-art post-quantum cryptography and elliptic curve cryptography. At no point are your data or your unencrypted private keys uploaded to either the service or your backup destinations.

What cryptographic primitives are used by the service?

The application uses several different cryptographic primitives. Master passwords are hashed using the Argon2 algorithm. This is true both for service passwords as well as backup passwords. In addition, the service extensively uses both SHA256 as well as SHA3 hashes during the backup.

The service uses two separate asymmetric encryption algorithms for encrypting customer data. Before version 3, the service used only an X25519 key exchange (X25519). Version 3 and later add support for a Kyber key encapsulation mechanism (Kyber), which is a quantum-safe algorithm. Kyber is always used in the Kyber-1024 variant.

For symmetric encryption, AES-256 is used universally in GCM mode, which also authenticates the encrypted data.

How is the master password used?

The backup master password is hashed using Argon2, and the resulting 256-bit hash is then combined with a 256-bit random nonce using XOR. The resulting 256-bit value is used as the key for encrypting any private key material in the backup key. Each encrypted value is stored prepended with a unique 96-bit initialization vector (IV).

How are backup blocks encrypted?

You can choose how you wish to encrypt your data. The first option is to not encrypt data at all, the second is to encrypt it using the X25519 key exchange only, and the third, which is the default, is to encrypt it using both X25519 and Kyber.

Each key is generated by creating a new key pair for the respective encryption method. This key pair is then combined with the stored public key for the backup to create a unique 256-bit key for each block. The new key pair's private key is then discarded, but its public key is stored with the metadata of the block. This means that the key can now only be restored by combining the stored public key with the private key of the backup, instead of the public key used to store the data. When using multiple encryption methods, each method generates a 256-bit key, and these are XORed together to produce a combined key.

Once the encryption key is created, the behavior depends on whether you have set the crossSourceDedupe property to false. If you have not, a SHA3 hash of the plaintext block is created, and an XOR key mask is stored with the block metadata that allows you to get to the SHA3 value of the block from the encryption key of the previous step. The block itself is then encrypted using AES-256 with an IV of 0. This is safe because every single block is encrypted using a different encryption key (otherwise, AES-256 in GCM mode has issues when different data is encrypted using the same key and IV).

If the crossSourceDedupe property is set to false, a random 256-bit set of key data is generated, which is then combined with the combined key. The block is then encrypted using this combined key and a random IV for each block. The IV is then stored with the encrypted blob.

Deduplication is done at the block level for large files. Blocks are labeled by their SHA256 hash. However, to ensure that the same data does not have the same block label on different backups, each backup source generates a 256-bit block salt, which is just a fixed nonce that is appended to any block's contents when calculating the block hash. This salt is also stored with the encryption key.

How are backup logs and configuration encrypted?

Backup logs and configuration data are encrypted in the same way as backup blocks, with the exception that no key data is used to modify the combined key. So for these files, the encryption key is always the same as the combined key. The advantage of this approach is that you do not need any additional metadata apart from your private keys to decrypt this kind of file. However, you also need to rewrite all this data when you generate new private keys, whereas your backup blocks can be re-keyed by only rewriting the metadata and updating the key mask for each block. This is why, when you regenerate your private keys, the logs have to be rewritten, but your backed-up data does not need to be updated.
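An added example, not taken from the Underscore Backup source: the key-mask arithmetic from the block-encryption section and the re-keying property described above, in Python. It assumes SHA3-256 for "SHA3" and that the SHA3 value is the key the deduplicated block is encrypted under, and it uses constructed random 32-byte values in place of real X25519 and Kyber-1024 outputs; all function names are hypothetical.

```python
"""Key-mask bookkeeping for deduplicated blocks (added illustration).

No AES is performed here; only the key and label derivations are shown.
The per-method keys are random stand-ins for X25519 / Kyber-1024 outputs.
"""
import hashlib
import secrets

KEY_LEN = 32  # every key in the scheme is 256 bits


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != KEY_LEN or len(b) != KEY_LEN:
        raise ValueError("keys must be 256 bits")
    return bytes(x ^ y for x, y in zip(a, b))


def combined_key(*method_keys: bytes) -> bytes:
    """XOR the 256-bit key of each enabled method into one combined key."""
    if not method_keys:
        raise ValueError("at least one method key is required")
    out = bytes(KEY_LEN)
    for key in method_keys:
        out = xor(out, key)
    return out


def block_key(plaintext: bytes) -> bytes:
    """Content-derived key of the block (assumption: SHA3-256)."""
    return hashlib.sha3_256(plaintext).digest()


def make_mask(combined: bytes, plaintext: bytes) -> bytes:
    """Key mask stored in block metadata: combined key XOR block key."""
    return xor(combined, block_key(plaintext))


def recover_block_key(combined: bytes, mask: bytes) -> bytes:
    """Restore side: re-derive the combined key, then undo the mask."""
    return xor(combined, mask)


def remask(old_combined: bytes, old_mask: bytes, new_combined: bytes) -> bytes:
    """Re-key or share a block: only the mask changes, never the ciphertext."""
    return xor(new_combined, recover_block_key(old_combined, old_mask))


def block_label(plaintext: bytes, block_salt: bytes) -> str:
    """Dedup label: SHA256 over the contents with the source salt appended."""
    return hashlib.sha256(plaintext + block_salt).hexdigest()


def demo() -> dict:
    plaintext = b"constructed block contents\n" * 64  # constructed sample data
    old = combined_key(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
    new = combined_key(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
    mask = make_mask(old, plaintext)
    new_mask = remask(old, mask, new)
    salt_a, salt_b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    return {
        # the original keys reach the block key through the stored mask
        "recovered": recover_block_key(old, mask) == block_key(plaintext),
        # after re-keying, the new keys reach the same block key
        "rekeyed": recover_block_key(new, new_mask) == block_key(plaintext),
        # the old keys no longer work against the rewritten mask
        "old_keys_revoked": recover_block_key(old, new_mask) != block_key(plaintext),
        # identical data gets different labels on different backup sources
        "labels_differ": block_label(plaintext, salt_a) != block_label(plaintext, salt_b),
    }


if __name__ == "__main__":
    print(demo())
```

The same `remask` step models sharing: the share's combined key replaces `new_combined`, and the block data itself is never touched.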

How are small files encrypted?

Large files are generally stored in 1 or more blocks by themselves. However, for small files (less than 8 MB in size by default) there is a more efficient way of storing the data where many files can be stored in a single block. Because you might want to share some of the small files in one block but not others, small files are additionally encrypted: the contents of each file inside the block are encrypted using AES-256 in CBC mode, keyed with the SHA-256 hash of the file's contents and with an empty IV (again safe since each key is a unique SHA256 hash). This way the block can be shared along with the individual SHA256 hashes of the contained files you wish to share (and any file in the block you do not wish to share you can render unreadable by simply not sharing the needed decryption key).

How are encryption keys stored?

Depending on where the key is stored, different parts of it are encrypted, in plain text, or sometimes not even included, as shown in the table below.

| Key content | On host | Source definition | Source storage | Share key |
|---|---|---|---|---|
| Argon2 hash | Included | Included | Included | Not included |
| Public keys | Plaintext | Encrypted | Encrypted | Encrypted |
| Private keys | Encrypted | Encrypted | Encrypted | Encrypted |
| Sharing key | Included | Not included | Included | Not applicable |
| Additional keys | Included | Not included | Included | Not applicable |
| Block salt | Plaintext | Encrypted | Encrypted | Not applicable |

The additional keys and sharing keys are additional sets of encryption keys that are used when sharing and will be described in detail in a separate section below.

As we always need to specify the backup master password to restore data everything can be encrypted whenever the key metadata is stored remotely. However, we do need access to the public keys as well as the block salt when we are running a backup without having access to the private keys.

How does sharing work?

In general, sharing works as follows: the sharing client needs the public keys of a key pair, and the client receiving the share holds the private key. When doing this without the Underscore Backup service, the public key needs to be shared out of band. When a share is activated, all existing blocks are gone through and their encryption keys are determined (using the master backup password to decrypt the main private keys). Then, as if a new block were being created, we do exactly the same thing as when encrypting a block, storing the public keys of the newly generated and discarded key pairs in the new block. Critically, though, the key mask is then created as the XOR between the original encryption key and the newly generated key. This new block is then stored in the log needed to access the share. All the logs needed to create the share are generally encrypted as if this was a normal backup, using the share public key.

How are keys exchanged when sharing through the Underscore Backup Service?

When using the Underscore Backup service, every source uploads a set of public keys for every client. These are stored in the service, and when a share is created these keys can be downloaded by the sharer. The sharer then encrypts the private key needed to access the share once for each of the public keys provided. These encrypted copies are then sent to the service. Each client of the recipient can then download the private key encrypted using its public key from the service and from that decrypt the private keys required to access the shares. The private keys are each encrypted as if they were a configuration file in the service (see above for details).

How to Implement the 3-2-1 backup strategy or better using only Underscore Backup


Data loss is a big problem for both individuals and businesses. There are many ways it can happen, like when your computer crashes or gets hacked. That's why it's so important to have a good backup plan in place.

The 3-2-1 backup strategy is one of the best ways to protect your data. It's simple but effective:

  1. Make three copies of your data.
  2. Store those copies on two different types of storage media (like an external hard drive and a cloud service).
  3. Keep one copy somewhere offsite (For instance a cloud service).

Following this strategy helps ensure that even if something bad happens to one copy of your data, you'll still have other copies that you can access easily.

Underscore Backup is a great tool for implementing the 3-2-1 strategy. It works well with this approach and gives you reliable options for storing and recovering your data. With Underscore Backup, you can feel confident knowing that your information is safe and secure.

Understanding the 3-2-1 backup strategy

The 3-2-1 backup strategy is a proven method for keeping your data safe. Here's what it involves:

  1. Three copies of your data: You should have one main copy of your data and two backups.
  2. Two different storage devices: Use different types of storage, such as internal hard drives, external drives, or cloud services.
  3. One offsite location: Keep at least one backup offsite, away from your main location.

Implementing this strategy ensures that even if one or two copies are compromised, you still have another reliable backup available.

Advantages of the 3-2-1 approach

Following the 3-2-1 rule offers several benefits when it comes to protecting your data:

  • Data Integrity: Having multiple copies on different types of storage reduces the chances of all copies getting corrupted at once.
  • Resilience: An offsite backup provides a safety net in case something happens to your main location, like a fire or theft.
  • Versatility: This strategy can be used in various settings, whether you're an individual user or a large organization.

These advantages make the 3-2-1 backup strategy essential for maintaining strong data protection.

Mitigating risks with the 3-2-1 strategy

The 3-2-1 backup strategy effectively helps minimize several risks:

  • Hardware Failure: If one storage device fails, you still have other copies to rely on.
  • Human Error: Accidentally deleting a file is less disastrous when you have multiple backups.
  • Cyber Threats: Ransomware attacks often target local files first. By having an offsite backup, you can restore clean versions of your data.

By addressing these risks, the 3-2-1 strategy offers comprehensive protection against a wide range of potential data loss scenarios.

To make the most of this reliable backup method, consider using advanced solutions like Underscore Backup for added security and convenience.

The Role of cloud backups in a robust strategy

Leveraging cloud technology for offsite backups is crucial within the 3-2-1 strategy. Cloud storage offers a convenient and scalable backup solution that ensures your data is stored securely away from your primary location. This offsite approach safeguards against physical damage to on-site data caused by natural disasters, theft, or hardware failures. Integrating cloud backups into your strategy provides an additional layer of protection, ensuring that even if local backups are compromised, your critical data remains accessible and intact.

Benefits of cloud backups

Top cloud backup services bring numerous benefits for both individuals and businesses:

  • Data Accessibility: Access your backups from any location with an internet connection, providing flexibility and convenience.
  • Scalability: Easily adjust storage capacity based on your needs without investing in additional hardware.
  • Automation: Schedule regular backups, reducing the risk of human error and ensuring consistent data protection.
  • Security: Advanced encryption techniques protect your data both during transfer and while stored in the cloud.
  • Cost Efficiency: Pay-as-you-go models eliminate the need for substantial upfront investments in physical storage solutions.

Introducing Underscore Backup: Your comprehensive data protection solution

Underscore Backup is a versatile and powerful backup software that perfectly complements the 3-2-1 backup strategy. Here's why it's the ideal choice for your data protection needs:

Key features

  • Multiple Storage Options: Supports local, network, and cloud backups and multiple destinations.
  • Continuous and scheduled backups: Effortlessly schedule backups while at the same time continuously tracking file changes in near real time.
  • Public Key Encryption: Ensures data security with public key encryption protocols.
  • Multi Region Support: Reduce latency and keep on top of data governance of your backed-up data by storing your data either in the USA, European Union, or South-East Asia (Singapore).

Underscore Backup ensures seamless operations through its advanced technology. The software employs:

  • Incremental Backups: Only back up changed data, saving time and storage space.
  • Deduplication and Compression: Minimize storage usage by eliminating duplicate copies of data and compressing files.
  • Snapshot Technology: Captures the state of your system at specific points in time and allows restoring exactly to that point in time.

This sophisticated approach minimizes downtime, ensuring swift recovery from data loss incidents.

Despite its advanced capabilities, Underscore Backup remains user-friendly:

  • Intuitive Dashboard: A centralized interface for managing all backup activities.
  • Wizard-Based Configuration: Simplifies setup with step-by-step guidance.

By extending the principles of the 3-2-1 backup strategy, Underscore Backup provides a robust, scalable, and secure solution for modern data protection needs.

How to implement a 3-2-1 backup strategy in Underscore Backup

You can easily achieve a 3-2-1 backup strategy using nothing but Underscore Backup by configuring 2 backup destinations. Use the default backup destination of the Underscore Backup service and, at the same time, add another backup destination on another local computer or NAS on your network. You will then have 3 copies of your data on at least 2 different kinds of media, and one of them is offsite.

Conclusion

Adopting a strong backup strategy like the 3-2-1 approach is crucial for protecting your data against cyberattacks and reducing the chances of losing important information from hardware failures or natural disasters. This method ensures that you always have multiple copies of your data stored on different types of storage devices, with at least one copy stored offsite. By following this strategy, you can prevent the potential consequences of hardware failure, human mistakes, and online threats.

Underscore Backup makes it easy and effective to implement the 3-2-1 strategy. Its advanced technology allows for seamless backup and restore operations, ensuring that you can quickly recover from any incidents of data loss.

Taking action now to sign up for Underscore Backup means investing in comprehensive, hassle-free data protection. Don't leave your important information exposed—safeguard it with a proven solution designed to meet the highest standards of data integrity and resilience.

Subscribe to Underscore Backup today and enjoy the peace of mind of knowing your data is fully protected.

With regular backups, you can restore your data quickly and efficiently in the event of a breach or system failure. By subscribing to Underscore Backup, you're not just acquiring a service – you're gaining an essential tool that will keep your business running smoothly even in the face of adversity. Don't wait until disaster strikes; secure your data now and ensure uninterrupted operations for your organization.

Google Drive issues provide a reminder that file syncing services are not backup replacements

A lot of people use file syncing services such as Google Drive, Dropbox, or Box and assume that this is sufficient protection from data loss. Although they do provide a certain amount of protection against things like a broken computer or a stolen laptop, they are in general not a replacement for a real backup solution.

This point has unfortunately recently been made evident to a group of Google Drive users where some users have lost access to their data stored in the cloud syncing service.

The problem with syncing software in general is that if a file is removed on one computer, all local copies are also immediately removed. In the case of the Google Drive problem mentioned above, it seems that an issue in the cloud service caused files to disappear and also removed the local copies of the files.

You want to make sure that any backup strategy you have is not vulnerable to a single point of failure, and file syncing services simply do not provide that. With Underscore Backup you can create both a local backup and a cloud backup, so that no matter what happens there will never be any data loss and there is no single point of failure, whether the problem is with your computers or a catastrophic event at the backup service.


New release with improved directory handling

A new release is available for download now supporting the restoration of directory permissions and also better handles recording deleted directories in restore operations. Previously only the files had their permissions restored.

This follows the previous release that includes moving most previously command line only functionality into the UI and optionally collecting backup statistics to the service.

Get it now from the downloads page.
