When looking at online backup solutions, it is paramount to consider how secure your data is with your chosen provider.

Statements from providers that you should discard:

- We use a really secure password to protect your data. (How do you know the password is secure, and who has access to this password? It is a bit like giving your front door keys to a stranger and hoping that nothing gets stolen.)
- We are using our own proprietary software that no third party has audited. (Without the benefit of a third-party code review, it is impossible to know whether the software is actually doing what the marketing speak tells you on their site.)
- All data is encrypted but you can access it via any web browser with a user name and password. (If I can access the data through a web browser then are we really sure my data is safe?)
- We recommend you encrypt your data with our default key. (Some providers want you to use a generic key to store your data, in which case there is no real point to the encryption.)

What you should be looking for:

- The key that encrypts the data should be in your possession and controlled by you and only you. (This means no one except you can view your data.)
- Ideally, authentication should only be possible using Public Key Infrastructure. (Using PKI ensures that you are the only remote user who can access your data.)
- The authenticity of the server you connect to should also be checked using PKI. (If your provider does not perform this step then you may be open to a man-in-the-middle attack.)
- The transport layer should also be encrypted. (If the transport layer is not encrypted, your data can be read in transit.)

Ben Summers is the original author of Box Backup, which is an open source, completely automatic on-line backup system for Linux and BSD with client-side support for other operating systems. Box Backup has solved the above issues in a way that does not impact the user. Transport Layer Security is used to encrypt connections and, more importantly, to authenticate servers and clients with both server-side and client-side certificates. Your data's security is guaranteed by the raw key that is created on your machine. Stored files are encrypted using AES for file data and Blowfish for metadata.

There is a downside to this approach, inasmuch as you must back up the raw key. This downside is easily fixed with removable media such as USB sticks or CD-ROM, which should be stored somewhere off site. You could even use something like GPG or Password Safe to keep your key encrypted.

When assessing an online backup provider, it may be helpful to use Box Backup's approach to security as a guide to how well your chosen provider is securing your data.

There are secure free alternatives to Box Backup, such as Encrypted Backups For Paranoiacs, which may also serve to guide you in your assessment of commercial backup providers.
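The transport-layer items of the checklist (server authenticity checked using PKI, clients authenticated with certificates) can be expressed as TLS settings and audited. The following is an added example using Python's standard `ssl` module, not Box Backup's own code; the function names `client_context`, `server_context` and `audit` are hypothetical, and the certificate file arguments are placeholders you would point at your own PKI files.

```python
import ssl

# Added illustration: helper names are hypothetical, not part of Box Backup.

def client_context(verify_server=True, ca_file=None, cert_file=None, key_file=None):
    """TLS settings for the backup client."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify_server:
        # Weak setting: traffic is still encrypted, but to an unauthenticated peer.
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    if ca_file:    # trust only the CA that issued the server certificate
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # client certificate, presented when the server asks for one
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def server_context(require_client_cert=True, ca_file=None, cert_file=None, key_file=None):
    """TLS settings for the backup server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # CERT_REQUIRED on a server aborts the handshake if no valid client cert is sent.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    if ca_file:    # CA that issued the client certificates
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # the server's own certificate and key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def audit(ctx, role):
    """Return the checklist items a context fails; role is 'client' or 'server'."""
    findings = []
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not verified: man-in-the-middle possible")
        if not ctx.check_hostname:
            findings.append("server name not matched against its certificate")
    elif ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("clients not authenticated with certificates")
    return findings

if __name__ == "__main__":
    cases = [("client, verifying", client_context(), "client"),
             ("client, not verifying", client_context(verify_server=False), "client"),
             ("server, client certs required", server_context(), "server"),
             ("server, any client", server_context(require_client_cert=False), "server")]
    for label, ctx, role in cases:
        print(f"{label}: {audit(ctx, role) or 'ok'}")
```

The audit covers only the connection settings; whether the encryption key stays in your possession is a separate checklist item that TLS configuration does not address.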