If key recovery is enabled the private key of your backup source is
encrypted using your account email as the password using the same Argon2 algorithm
as is used for other passwords. This operation happens in the client so the private key is never directly transferred to the service before hashing.
The resulting data is then encrypted using a KMS key before stored in the service.
You also have an option of what region you wish this data to be stored in to further give you full control over the data sovereignty of this very critical piece of information.
To further protect your data, the email of your account is not stored
anywhere in the system except for the billing system and only if you have email billing enabled.
In all other cases only a hash of an email is stored or transmitted to the service (With a few
notable denoted below). In the unlikely event of a system compromise both the backup storage
service and the external billing system (Stripe) would need to be compromised for any risk of
customer data being accessed. The only other times when the email is transmitted in clear text
in the service (but not stored) to the service is when you sign up,
reset your password or change your account email. You can change your email billing setting under you account
settings page.
You always have the option to disable the private key recovery feature if this risk is
unacceptable.
How does private key recovery work?
Private key recovery can only be started during initial application setup when adopting an existing source. At this point choose the "Private Key Recovery" option on the password page of the setup wizard. You will be prompted for a new password to apply once the private key has been recovered and then redirected to the Underscore Backup service where you will be prompted for your credentials before the stored encrypted private key is returned to the application where they can be decrypted using your account email address.
How is this handled when changing account email?
As described above the email is the key with which the private key is encrypted with which causes a problem when you are changing your account email. What happens in this case is that the old email and new email is kept in the browser when verifying the email change. The encrypted source private keys are then downloaded to your browser, decrypted with the old email, re-encrypted with the new email and uploaded back up to the service. Only after all private keys have been stored encrypted with the new email will the account email actually be changed. It is important to not that at no point during this operation is either the old email, the new email or any of the private keys handled in clear text by the service.
The only exception is the initiation of the email change at which point the email is sent to the service, although this email is never stored anywhere but is only used to send the password validation email.