Web Hosting Talk

View Full Version : Online Backup - Questions


Yujin
12-13-2010, 07:44 PM
Hello Guys,


Just have some questions and thank you in advance for the enlightenment.

I want to subscribe to an Online Backup provider (e.g. IBackup). However, I always have hesitation due to security concerns. I'm currently doing backup with my portable drive but I want to have a secondary offsite backup for my desktop and notebook files. These are my questions...

1. If you're currently subscribed to this type of service, what are the files that you back up with your provider?

2. I know that most of them claim that they use AES-256 encryption, but are you comfortable with this or do you have an extra layer of protection? If yes, can you share it or do you have a suggestion?

3. Since most of them claim that they have encryption, is there any way for you to confirm this?

----------------------------

I'm thinking of using WinRAR and putting a password on the process, but I find this a hassle: if I need the file somewhere, I still have to uncompress it. Looking forward to your suggestions. Thanks again.

Mxhub
12-13-2010, 08:22 PM
I like your approach for having backup as your top priority. :D

Your data is usually transferred via a secure & encrypted connection.
However, your data on the remote server isn't further encrypted unless you password protect your data before sending it over.

If the provider strictly uses sftp or rsync as the mode of transfer, your data is confirmed to be sent via an encrypted connection.

Hope it helps.

-joseph

Yujin
12-13-2010, 08:59 PM
I like your approach for having backup as your top priority. :D

Your data is usually transferred via a secure & encrypted connection.
However, your data on the remote server isn't further encrypted unless you password protect your data before sending it over.

If the provider strictly uses sftp or rsync as the mode of transfer, your data is confirmed to be sent via an encrypted connection.

Hope it helps.

-joseph

Yeah I guess adding some document password is the best option.
Thanks for the insight :)

CoolKoon
12-17-2010, 09:28 PM
You might also want to take into consideration the security of the whole backup process. I mean there's a thread somewhere on this forum started by a guy who had his server hacked and the attacker has not only deleted ALL his data on his server, but also deleted all his backups, which were hosted on another server.

So if you subscribe for a backup plan, be sure to make sure they have some kind of pull-based solution (where the backup server "pulls" the backup data from your server). These usually mean that no password data leading to the backup server are stored on your data server. It goes without saying that you should use a different password to access your backup server too.

DeanoC
12-18-2010, 06:48 AM
The interesting issue with backup encryption (beyond the SSL connection) is key management rather than encryption strength.

The main reason someone wants encryption is the fear that either the host or a hacker will access the data. If the key is stored on the server then the encryption is for nothing, as presumably someone who has root access to the server can also find the key.

So that means the key has to stay on the original machine OR in the owner's head. Owner's head means no automated backups, which is a big no-no in the backup area.

A fairly good policy is a double key system: the backup service pulls data from your server via an extremely restricted account. All outgoing data from this account is encrypted via your key, so no data leaves your machine without encryption; once it reaches the server it's then encrypted via their key.
That way the only way to decrypt is to obtain both keys, which means two machine hacks.

Obviously this basically amounts to manual encryption into an archive and then storing it on the backup host when the backup host uses encryption. It's just that automation is the prime key in backup, so anything manual is bad imho.

Most of the good backup guys will be able to come up with a plan that suits you.
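
Added example (not part of any post in this thread): one way to automate the "your key" half of the scheme described above, so that the pull account only ever sees an encrypted archive. The function names, paths and the outbox directory are hypothetical; it assumes OpenSSL 1.1.1 or later and keeps a SHA-256 digest of the archive locally because AES-CBC alone does not detect tampering.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and paths are hypothetical.
# Needs OpenSSL 1.1.1 or later (for -pbkdf2). Create the key once with
#   openssl rand -hex 32 > backup.key && chmod 600 backup.key
# and keep a copy offline: it never goes to the backup host.

# Hex SHA-256 of a file.
digest() {
    openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
}

# backup_encrypt SRC_DIR KEYFILE OUTBOX NAME
# Writes OUTBOX/NAME.tar.gz.enc, the only file the pull account may read,
# and prints its digest. Store the digest with the key, not with the backup.
backup_encrypt() (
    src=$1; key=$2; out="$3/$4.tar.gz.enc"
    umask 077
    # No plaintext archive touches disk; tar streams straight into openssl.
    # POSIX sh reports only openssl's status here, so watch tar's stderr.
    tar -C "$src" -czf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$key" -out "$out" || exit 1
    digest "$out"
)

# backup_restore ARCHIVE KEYFILE EXPECTED_DIGEST DEST_DIR
# CBC gives confidentiality only, so the locally kept digest is what detects
# an archive that was altered or swapped on the backup host.
backup_restore() (
    archive=$1; key=$2; expected=$3; dest=$4
    if [ "$(digest "$archive")" != "$expected" ]; then
        echo "digest mismatch: refusing to restore $archive" >&2
        exit 1
    fi
    mkdir -p "$dest" || exit 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$key" -in "$archive" | tar -C "$dest" -xzf -
)
```
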

webspark
01-02-2011, 05:53 PM
I highly recommend Carbonite (http://www.carbonite.co.uk), I have been using them for around 3 years now and they are fast, secure and un-obtrusive.

woods01
01-02-2011, 09:08 PM
secure and un-obtrusive.

There really would be nothing you could do to prove this other than perhaps as far as you know your data hasn't been taken by someone else.

The company we deal with for backups does it in a FreeBSD jail so unless the intruder was able to get root there isn't much of a way for anything bad to happen.

We trust the company not to access the content simply because they would be ruining any reputation they might have had by doing so.

I would never trust those big-name companies. I pay almost more in a month than those big-name companies charge for a year, but at the end of the day you know what would happen if they had a security breach.

They would have PR people doing damage control and at the end of the day you get what you pay for.

Coolraul
01-02-2011, 10:07 PM
There really would be nothing you could do to prove this other than perhaps as far as you know your data hasn't been taken by someone else.

The company we deal with for backups does it in a FreeBSD jail so unless the intruder was able to get root there isn't much of a way for anything bad to happen.

We trust the company not to access the content simply because they would be ruining any reputation they might have had by doing so.

I would never trust those big-name companies. I pay almost more in a month than those big-name companies charge for a year, but at the end of the day you know what would happen if they had a security breach.

They would have PR people doing damage control and at the end of the day you get what you pay for.

The same reputational risk that you speak of matters to these big companies. I think you are not hearing about issues even with a spin from the PR guys because they are not happening.

Trusting FreeBSD to save the day seems a bit naive, as it is only as good as the procedures that the company puts around it.

What happens when an employee leaves, for instance? I am not saying that your provider shouldn't be trusted, as I am using BQBackup for much of my backups, but there is no reason not to trust the big guys just because they are big. Sounds a lot like spreading FUD.