Private Encryption Keys

A February 2nd post on Gigaom argues that MEGA is unique in its use of client-side encryption with private keys, where the users actually keep the private key.

 

But Mega is unique in its approach to handling encryption at rest. Rather than encrypting and storing keys for a client’s data within Mega’s infrastructure, Mega pushes their cryptography back to their users. So Mega users encrypt their own data prior to sending it to Mega’s servers, and store keys locally such that even Mega can’t read their data – or be forced to yield it to authorities.

While the author is correct that MEGA states it does client-side encryption and does not store the encryption keys, readers here would know that MEGA is not the first online storage and backup service to offer this, and I find it surprising that the author at Gigaom would not have heard of some of the services that offer a private encryption key for safely storing files in the cloud.

SpiderOak – A private encryption key is the default for SpiderOak. They are one of the leaders in private cloud storage. If anyone could learn anything about client-side encryption and private keys, MEGA could learn from them. This is also true of SpiderOak-powered services like AVG Livekive.

Mozy – Mozy, both home and pro, has always offered the option to encrypt your data with a private encryption key. It is not the default but it is available.

Carbonite – Private encryption keys are available to Windows users only, but they are available.

CrashPlan – Offers several security options including the option of a private encryption key.

IDrive – Allows you to create a private encryption key when you install. You can’t change it after installation; according to the FAQ, you would need to create a new account.

AltDrive – Offers the option to use a private encryption key on all systems.

Backblaze – Some people might argue that I should not include Backblaze here. They do offer a private encryption key option, but when you restore files from Backblaze you need to transfer your private encryption key to their servers. This means that there is a small period when they would have your private encryption key.

Bitcasa – I originally left Bitcasa off this list but it does appear that they are using a private encryption key according to this new post by them.


SpiderOak is the only one that defaults to a private encryption key, but it is not something new to online storage and backup services. These services offer it as a way to help protect their users’ data, unlike MEGA, who appears to use private encryption keys to protect themselves and not their users. I find it hard to believe the author for Gigaom could have missed all of these services as they were researching the article.

If you would like to protect your files on Dropbox, SkyDrive or Google Drive you can also take a look at some of these options to encrypt them before uploading to those services.

Or you could even take the time to check out TrueCrypt to create encrypted volumes on Windows, Mac and Linux machines. Most online storage and backup services can still copy a TrueCrypt volume to the service.

It is important to remember that if you use a private encryption key with any of these services, you need to keep a copy of it. If you lose it, you will not be able to restore your files in the event your hard drive dies or some other type of data loss happens. Write it down and store it in a safe place that only you know. A safety deposit box, a fireproof safe, on an encrypted file system anywhere that

Did I miss your favorite service that offers a private encryption key? Let me know.


Comments

4 responses to “Private Encryption Keys”

  1. J M Ward

    Based in the UK, I have little or no confidence in cloud services based in the USA (with one exception); however there is a European provider called Wuala (https://www.wuala.com/), which enables encryption/decryption on the client computer. They claim not to be able to decrypt data on their servers, which are based in Switzerland and the EU (Germany, France), and their software engineering is associated with ETH University, Zurich, which gives me a lot of confidence. So does the fact that they have to comply with the EU data protection laws, which are an order of magnitude stronger than in the US. They have a free 5GB tier, and their prices for more storage are not unreasonable.

    Their Android client clearly decrypts on the tablet, and if you try to stream your data to a Web browser, Wuala will download a version of the client first so that your data is decrypted while streaming. Accordingly, I trust them, and I have 25 GB of storage with them.

    Bitcasa are rather evasive about the possibility of decryption on their servers under subpoena, and as they can provide streaming media to a web application not running any form of extension, I rather doubt their security. Their claim that they only have access to your keys when they need to, and destroy them otherwise, is all very well, but nowhere do they state that they cannot get access to your data under any circumstances. As things stand at the moment, I would not trust them.

    SpiderOak I would trust, because they are very open about their “Zero Knowledge” system and what they do, and because they work with the Electronic Frontier Foundation (www.eff.org – please visit and support them!), and therefore have a reputation to lose. They only have a 2GB free tier, but their prices above that are very reasonable; I am in the process of trying it out.

    For Microsoft SkyDrive (which I wouldn’t trust as far as I can spit) I use BoxCryptor, which is a good cloud encryption tool from a company based in Germany (and therefore trustworthy as far as I am concerned!).

    Viivo seems pretty good; I am just trying it out on my Google Drive at the moment (I trust Google only a little more than I trust Microsoft!).

    CloudFogger looks OK, worked well when I tried it, and is registered in Germany (yes!), but unfortunately neither their website nor their software has been updated since December 2012, so I would tend to steer clear.

  2. Dheeraj

    Yes, Bitcasa, please!

    Also, do you know what “store keys locally” means?

    Because as far as I can see, Mega is not locked to one computer, and the user has only one key – his password.

    What are these multiple ‘keys’? How are these stored locally if the user goes to another computer and also logs in with only the user name and password?

    1. Cloud Storage Buzz Team

      With Bitcasa, it is a question of whether you can use or are using a private encryption key. They don’t give you the option when you sign up or install to use a private key, but the docs suggest that they are using a private key by default.

      If you read “How secure is Bitcasa?”, it does not say you are using a private key. Reading the documentation on “How do I reset my password?” says the password and security questions are encrypted and that if you cannot answer the security questions your account has to be reset, which will remove all your files.

      I will leave them off until I get more information.

      As for the quote from the article, “store keys locally”, I suspect he is talking about the fact that the encryption keys are created and stored on the local computer and not transmitted to the server. Each service is different in how they handle the private encryption key. For example, SpiderOak never sends the private encryption key unless you use the web interface; then you have to so they can decrypt your file.

      Please note that zero-knowledge applies only when using the SpiderOak client. When logging into the website with your password, you are giving the primary encryption key to our servers. We work hard to ensure that this key is kept safe (for instance, by only keeping it in memory and never writing it to disk), but to maintain absolute privacy, you should use only the client.

      Mozy, if I remember correctly, allows you to log in and download a zip restore file of your files and then asks you for your private key to decrypt the files, so the private key is never sent to Mozy and only stored locally on the person’s computer. This might have changed but that is how I remember it working.

      There is some great information on encryption from the Privacy Now podcasts. Check out episode 149 and 150.

    2. Cloud Storage Buzz Team

      I have added Bitcasa to this list as more information has come out from them.
