
I stopped using Backblaze when I learned that they require you to TRANSMIT YOUR PRIVATE KEY TO THEIR SERVER in order to restore your files from backup.

Brian from Backblaze here. To be clear, there are two levels of security/encryption at Backblaze:

1) The friendliest way we could design for people to restore their files was to allow customers to sign into a website with a username/password and recover one or more files. This is the default situation.

2) You can optionally turn on a "private encryption key" but if you do that, understand you MUST write down that key because if you lose it, you can never recover it, and neither Backblaze (nor any government organization) will EVER be able to recover your files. NEVER. LOSE THAT PASSWORD AND THEY ARE GONE GONE GONE!

In the case of #2, as long as you don't need to recover from a crash, you don't enter your private encryption key and nobody will ever have access to your files, period. However, if you lose a file, you have to sign into the Backblaze website and provide your passphrase which is ONLY STORED IN RAM for a few seconds and your file is decrypted. Yes, you are now in a "vulnerable state" until you download then "delete" the restore at which point you are back to a secure state.

If you are even more worried about the privacy of your data, we highly recommend you encrypt it EVEN BEFORE BACKBLAZE READS IT on your laptop! Use TrueCrypt. Backblaze backs up the TrueCrypt encrypted bundle having no idea at all what is in it (thank goodness) and you restore the TrueCrypted bundle to yourself later.

I was considering signing up and just noticed this on their site... Definitely odd. I understand they want to be easy to use and feel seamless, but it defeats the purpose of the password-protected private key.


> To decrypt your data, you are required to enter your passphrase on our secure website. When you do so, it is passed over an encrypted connection to our datacenter where it is used to decrypt your private key, which in turn is used to decrypt your data. Your passphrase is never saved on disk and it is discarded once it is used. As before, once we decrypt your data on our secure restore servers we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on your computer, you can unzip it and you have your data back.
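
The key hierarchy in the quoted restore description, as an added example that is not part of the thread and not Backblaze's code: a passphrase unwraps a key, and that key decrypts the data. It contrasts the quoted server-side restore with a hypothetical restore where the server returns only ciphertext, recording which secrets the server holds in the clear in each case. Assumptions: a random symmetric data key stands in for the private key, a stdlib HMAC-SHA256 construction stands in for a real cipher such as AES-GCM, and all names and sample values are constructed.

```python
import hashlib, hmac, os

def kdf(passphrase, salt):  # passphrase -> 32-byte wrapping key
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _subkeys(key):
    # Separate subkeys for the keystream and the integrity tag.
    return [hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac")]

def _xor_stream(enc_key, nonce, data):
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Stand-in authenticated cipher (assumption); real code would use AES-GCM.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or corrupted data")
    return _xor_stream(enc_key, nonce, ct)

class BackupServer:
    """Hypothetical server model; `handled` lists secrets it held in the clear."""
    def __init__(self, salt, wrapped_key, blob):
        self.salt, self.wrapped_key, self.blob, self.handled = salt, wrapped_key, blob, []

    def restore_server_side(self, passphrase):
        # Flow from the quoted text: the passphrase is sent to the server.
        self.handled.append("passphrase")
        data_key = unseal(kdf(passphrase, self.salt), self.wrapped_key)
        self.handled += ["data key", "plaintext"]
        return unseal(data_key, self.blob)
    def restore_ciphertext_only(self):
        return self.salt, self.wrapped_key, self.blob  # opaque blobs only

def make_backup(passphrase, plaintext):
    # Client side: a random data key encrypts the file; the passphrase wraps that key.
    salt, data_key = os.urandom(16), os.urandom(32)
    return BackupServer(salt, seal(kdf(passphrase, salt), data_key), seal(data_key, plaintext))

def client_restore(server, passphrase):
    salt, wrapped_key, blob = server.restore_ciphertext_only()
    return unseal(unseal(kdf(passphrase, salt), wrapped_key), blob)
```

In the server-side flow `handled` ends up containing the passphrase, the data key and the plaintext; in the ciphertext-only flow it stays empty.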
