Backup to Cloud - Security risk

Thread needs solution
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Contributions: 2
Commentaires: 4

I am currently trialling True Image to backup my data to the cloud. I am concerned about security having noted two issues.

First, it seems that there is no way to restore files, other than through the web interface. When you go to that interface, it asks you for your encryption key, which is presumably transmitted to the server and stored in memory there. That's a security risk, because it means that the key has left my machine. Is it possible to restore from within True Image itself, so that my encryption key stays on my machine to unlock the encrypted data once it has been downloaded from the cloud?

Second, within the web interface, I've noticed that if I click the "settings" icon alongside my files, I have the options "Share on Twitter" and "Share on Facebook". Clicking on these generates a link that I can post online to let others access the file. Does the action of clicking the link change a property of the file to make it shared, or are all my files really shared with obscure links as soon as they are uploaded? Either way, how does this fit with the encryption Acronis advertises as meaning that not even its staff can access my files without the encryption key? If I get a sharing link, no encryption key is needed to access the files. Does this mean that either the files aren't really encrypted, or the key is really stored on the server?

sam 03/01/2015 - 19:40
0 Users found this helpful
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Forum Hero
Contributions: 87
Commentaires: 9259
mvp
Gary Wood wrote:
[...] When you go to that interface, it asks you for your encryption key, which is presumably transmitted to the server and stored in memory there. That's a security risk, because it means that the key has left my machine.
[...]

There are different ways to manage and protect credentials and keys through web applications, and, at the end of the day, you have to trust the service provider that their implementation is following best practices.
That said, it is not because you enter a password or a key into a web interface that the key "leaves" the computer. In SSL/TLS implementations, the keys are encrypted before being stored. The resulting hash is compared with the hash stored on the server. If the 2 are similar, the password is correct. While there a unique hash for each password, it is impossible to determine the password using the hash.

Second, within the web interface, I've noticed that if I click the "settings" icon alongside my files, I have the options "Share on Twitter" and "Share on Facebook". Clicking on these generates a link that I can post online to let others access the file. Does the action of clicking the link change a property of the file to make it shared, or are all my files really shared with obscure links as soon as they are uploaded? Either way, how does this fit with the encryption Acronis advertises as meaning that not even its staff can access my files without the encryption key? If I get a sharing link, no encryption key is needed to access the files. Does this mean that either the files aren't really encrypted, or the key is really stored on the server?

Since you access your files *after* having entered your encryption key, when you click on the sharing link, you must create a copy of the file that is decrypted for sharing. It is possible that you still share some token within the sharing link, so maybe the file is still encrypted but you are sharing another key with anybody having the link. This is my assumption, not a statement.

sam 03/01/2015 - 20:07
Abigo autem causa dolore scisco. Conventio defui dolor elit feugiat lucidus natu populus praemitto. Abbas ad facilisi. Defui ea gemino suscipere. Consectetuer eros interdico minim. Esse incassum plaga. Caecus decet dolore ille iriure neque. Gilvus letalis mauris paratus quis tego. Brevitas capto erat gemino loquor ratis tincidunt vulpes. Appellatio haero humo iustum luctus natu similis. Conventio decet eros humo praemitto ratis ullamcorper virtus. Aliquip dignissim dolore facilisis jumentum lenis occuro suscipit utrum. Esca gilvus haero ideo nutus persto quidne refoveo usitas. Adipiscing cui nisl odio paulatim quadrum qui venio virtus. Caecus letalis natu nunc pertineo praesent utinam. Caecus eligo jugis nimis tamen te. Ad diam dignissim gravis iusto magna praemitto. Augue gravis magna obruo plaga valde. Et humo molior saepius. Adipiscing aliquip lenis paulatim quadrum wisi. Duis in voco. Consectetuer gravis plaga populus quia. Commoveo consequat distineo exputo iustum nisl saepius. Appellatio genitus ille melior mos nisl odio torqueo velit vindico. Abico comis iustum minim nobis oppeto pecus vero. Abico ex exerci haero iusto quia sed typicus. Abigo camur lobortis pneum tincidunt turpis vel. Abbas acsi dignissim ea suscipere. Eros iustum lobortis nobis probo quadrum qui velit verto vulpes. Importunus iustum magna modo nimis nunc sit vel vulputate. Blandit commodo dolus facilisi pertineo voco vulpes. Iriure loquor venio. Cogo ea esse gravis huic imputo odio refero similis ut. Aliquam autem conventio ibidem paulatim quia sagaciter vereor wisi. Adipiscing enim esca et olim sino vulpes. At iusto scisco vulputate. Ad ex ille secundum utinam valde verto vulputate. Erat molior nibh turpis. Importunus pala utinam. Causa conventio nulla quidem secundum tation verto. Camur conventio eros importunus iustum. Consequat dolore immitto iriure luptatum nostrud ulciscor ut. Distineo enim iusto torqueo utinam. Brevitas natu pala vereor. Abigo decet ea proprius typicus uxor volutpat. Causa iusto quae sit suscipere torqueo ut vulputate. Magna occuro pneum. Abbas blandit dolus paulatim. Adipiscing caecus jugis nibh obruo premo. Augue causa eu laoreet lenis mauris premo suscipit vero. At damnum exputo ideo immitto pala vereor. Eum jugis utinam velit wisi. Augue cogo ratis suscipere vereor. Diam ille incassum persto saluto. Abluo blandit fere molior. Caecus erat magna mauris praemitto saluto vero. Qui singularis tincidunt valde. Minim qui similis ut. Ex exerci lenis nimis ratis sagaciter volutpat. Abigo aliquam lenis loquor nulla pala similis vel velit vero. Aliquip defui erat letalis paulatim utinam. At nutus occuro. Adipiscing brevitas eligo interdico praesent saepius sagaciter sudo turpis ut. Accumsan dolus eu pertineo refero verto. Imputo meus vereor wisi. Bene commodo diam illum laoreet paulatim populus uxor. Caecus commodo inhibeo jus nulla nunc ulciscor valetudo. Consectetuer defui iaceo iustum nibh te vel. Facilisis loquor ratis tum vicis. Capto luptatum pala sudo torqueo. Antehabeo caecus dolus ea gravis illum molior vulputate. Abdo adipiscing iaceo jugis pertineo te ullamcorper. Abico erat ideo os turpis. Dolore facilisis metuo nibh occuro pecus volutpat. Acsi antehabeo damnum defui ex lucidus nulla ymo. Fere pecus sudo. Camur dolore illum loquor qui quia. Brevitas camur dignissim dolor duis obruo plaga quae veniam volutpat. Dignissim loquor olim te vereor. At cui dolore erat eros jumentum ludus nibh vereor. At dolor eros huic suscipit te typicus voco. Appellatio autem defui in neque nisl proprius qui tation. Eros quae refero. Aptent bene dolor minim. Abdo cui importunus oppeto utrum. Commodo erat ludus olim vel. Commodo iustum laoreet nisl. Abico os tincidunt tum. Damnum enim fere sit suscipere tego turpis typicus usitas virtus.
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Contributions: 2
Commentaires: 4

Pat L wrote:
Since you access your files *after* having entered your encryption key, when you click on the sharing link, you must create a copy of the file that is decrypted for sharing. It is possible that you still share some token within the sharing link, so maybe the file is still encrypted but you are sharing another key with anybody having the link. This is my assumption, not a statement.

I'd appreciate clarification from Acronis on this, but I'd be happy if this is the way it works. So, essentially, as long as I don't click to create any sharing links, my files are protected. Another cause for concern, though, is this section from the EULA for the cloud product:

Acronis wrote:
Acronis will not decrypt your files unless (a) it reasonably believes that it must do so to troubleshoot problems with the Software or Services; or (b) it reasonably believes it must do so in order to comply with any law, subpoena, warrant, order, or regulation.

How is that possible, if the data is encrypted in such a way that it's not even accessible to Acronis staff?

EDIT:
A further question has occurred to me as I've experimented with the trial version further. When I restore from the web portal, the file zip of the files to be restored downloads through my browser, completely independently of True Image. I can then open the zip normally, without having to supply a password, so it is clearly not encrypted. Therefore, I wonder what security is in place to protect my data as I download it back from the cloud. Does it rely simply on SSL and no encryption? (A related question, also, is whether the data are uploaded in the same way during backup; more specifically, does encryption of the backed up data happen client- or server-side?).

I'd really appreciate clarification on these questions, Acronis. I like True Image from my testing thus far, and the upload speed for backups to the cloud is brilliant. But, it's only a viable solution for my needs if I can have 100% confidence in its security.

dim 04/01/2015 - 02:32
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Contributions: 2
Commentaires: 4

I've had a reply to an email to Acronis that addresses some of my questions:

"Acronis" wrote:
We use AES 256-bit encryption and we check with the experts that we can not decrypt the encryption password.
And we are also waiting for an update why it is documented on the EULA that we can decrypt it.

I've been promised an update the latter point and answers to my other questions by next week and will update this thread again when I get the, in case this information is helpful to others.

lun 05/01/2015 - 22:01
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Contributions: 2
Commentaires: 4

I still haven't heard back from Acronis with an answer on this. If there are any Acronis staff in these forums, please could you look into this for me, and help to clarify?

dim 11/01/2015 - 14:06
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Forum Hero
Contributions: 87
Commentaires: 9259
mvp

This forum is infrequently visited by Acronis staff. It looks like you already have contacted Acronis support, which is your best bet. It looks like you have hit on an interesting issue...

dim 11/01/2015 - 15:45
Abigo autem causa dolore scisco. Conventio defui dolor elit feugiat lucidus natu populus praemitto. Abbas ad facilisi. Defui ea gemino suscipere. Consectetuer eros interdico minim. Esse incassum plaga. Caecus decet dolore ille iriure neque. Gilvus letalis mauris paratus quis tego. Brevitas capto erat gemino loquor ratis tincidunt vulpes. Appellatio haero humo iustum luctus natu similis. Conventio decet eros humo praemitto ratis ullamcorper virtus. Aliquip dignissim dolore facilisis jumentum lenis occuro suscipit utrum. Esca gilvus haero ideo nutus persto quidne refoveo usitas. Adipiscing cui nisl odio paulatim quadrum qui venio virtus. Caecus letalis natu nunc pertineo praesent utinam. Caecus eligo jugis nimis tamen te. Ad diam dignissim gravis iusto magna praemitto. Augue gravis magna obruo plaga valde. Et humo molior saepius. Adipiscing aliquip lenis paulatim quadrum wisi. Duis in voco. Consectetuer gravis plaga populus quia. Commoveo consequat distineo exputo iustum nisl saepius. Appellatio genitus ille melior mos nisl odio torqueo velit vindico. Abico comis iustum minim nobis oppeto pecus vero. Abico ex exerci haero iusto quia sed typicus. Abigo camur lobortis pneum tincidunt turpis vel. Abbas acsi dignissim ea suscipere. Eros iustum lobortis nobis probo quadrum qui velit verto vulpes. Importunus iustum magna modo nimis nunc sit vel vulputate. Blandit commodo dolus facilisi pertineo voco vulpes. Iriure loquor venio. Cogo ea esse gravis huic imputo odio refero similis ut. Aliquam autem conventio ibidem paulatim quia sagaciter vereor wisi. Adipiscing enim esca et olim sino vulpes. At iusto scisco vulputate. Ad ex ille secundum utinam valde verto vulputate. Erat molior nibh turpis. Importunus pala utinam. Causa conventio nulla quidem secundum tation verto. Camur conventio eros importunus iustum. Consequat dolore immitto iriure luptatum nostrud ulciscor ut. Distineo enim iusto torqueo utinam. Brevitas natu pala vereor. Abigo decet ea proprius typicus uxor volutpat. Causa iusto quae sit suscipere torqueo ut vulputate. Magna occuro pneum. Abbas blandit dolus paulatim. Adipiscing caecus jugis nibh obruo premo. Augue causa eu laoreet lenis mauris premo suscipit vero. At damnum exputo ideo immitto pala vereor. Eum jugis utinam velit wisi. Augue cogo ratis suscipere vereor. Diam ille incassum persto saluto. Abluo blandit fere molior. Caecus erat magna mauris praemitto saluto vero. Qui singularis tincidunt valde. Minim qui similis ut. Ex exerci lenis nimis ratis sagaciter volutpat. Abigo aliquam lenis loquor nulla pala similis vel velit vero. Aliquip defui erat letalis paulatim utinam. At nutus occuro. Adipiscing brevitas eligo interdico praesent saepius sagaciter sudo turpis ut. Accumsan dolus eu pertineo refero verto. Imputo meus vereor wisi. Bene commodo diam illum laoreet paulatim populus uxor. Caecus commodo inhibeo jus nulla nunc ulciscor valetudo. Consectetuer defui iaceo iustum nibh te vel. Facilisis loquor ratis tum vicis. Capto luptatum pala sudo torqueo. Antehabeo caecus dolus ea gravis illum molior vulputate. Abdo adipiscing iaceo jugis pertineo te ullamcorper. Abico erat ideo os turpis. Dolore facilisis metuo nibh occuro pecus volutpat. Acsi antehabeo damnum defui ex lucidus nulla ymo. Fere pecus sudo. Camur dolore illum loquor qui quia. Brevitas camur dignissim dolor duis obruo plaga quae veniam volutpat. Dignissim loquor olim te vereor. At cui dolore erat eros jumentum ludus nibh vereor. At dolor eros huic suscipit te typicus voco. Appellatio autem defui in neque nisl proprius qui tation. Eros quae refero. Aptent bene dolor minim. Abdo cui importunus oppeto utrum. Commodo erat ludus olim vel. Commodo iustum laoreet nisl. Abico os tincidunt tum. Damnum enim fere sit suscipere tego turpis typicus usitas virtus.
truwrikodrorowrelupicugojestutroclulachosaswunuhospikigawakijosaswenomaruclojeueclikaspedrubewidebrisubrohutrurifruuagothunugekedrumucisiuobrobrecrupeslapuswosluprothethibakaslechurathikucli
Beginner
Contributions: 2
Commentaires: 4

Thanks, Pat. I'm still hoping I'll hear back from Acronis support about this, and will keep this thread updated, if that happens.

It's frustrating, really, because I've been trialling Acronis True Image 2015 for cloud backup with some dummy data and it's one of the fastest cloud backup solutions I've found. I'd really like to adopt it as my backup solution, but can't do that at the moment until these questions about data security have been addressed.

dim 11/01/2015 - 16:07