The weakest spot of every cloud storage service is the lack of physical access to the backup data. Users can only access it through the web. In fact, anyone with a root account password can read or even manipulate your data remotely. That's why all sensitive backup data that must not be lost or stolen should be encrypted. Cloud storage services commonly support simple server-side encryption (SSE) alongside server-side encryption with a customer-provided key (SSE-C). Third-party encryption tools and backup solutions also provide client-side encryption. Below we explain the specifics of each of these encryption methods.
Simple server-side encryption doesn't require any additional user actions. If server-side encryption is on, the cloud server automatically generates the key and encrypts the backup data right after it arrives. The default encryption algorithm depends on the cloud vendor, so make sure you've consulted the storage provider's security documentation. This approach has three known vulnerabilities:
The server keeps the encryption key in the cloud, and the user can't control it.
The user can't verify whether the encryption is implemented.
Anyone with your storage account credentials can access the data.
So, if you are thinking of using simple server-side encryption to make a secure online backup, bear in mind that the information can still be hacked or corrupted.
Server-Side Encryption with a Password Provided by a User
This is a more secure variant of server-side encryption in which the user specifies a password to encrypt the data. The password becomes the encryption key, and the process is otherwise similar to simple SSE. Although the user can specify a password, the data is still encrypted in the cloud and the key might be stored next to the backup data. Moreover, verifying the consistency of the encryption is still impossible. To solve these problems, you can encrypt data locally before offloading it to the cloud storage.
The client-side scenario presumes that the encryption tool or backup solution encrypts the data before it is sent to the cloud. The user specifies the password, which serves as the encryption key. The backup application encrypts the data first and then uploads it to the storage. It is strongly recommended to have your password down pat, since it won't be stored anywhere in the cloud or in the encryption software. The diagram below shows how encryption is handled by CloudBerry Backup before uploading to Amazon S3.
Note: If a user loses their password, the backup data will also be lost forever.
Most backup solutions offer a variety of encryption algorithms with different key lengths (e.g. 128/192/256-bit AES, 64-bit DES, RC2). Read the whitepaper if you want to learn more about the encryption algorithms supported in CloudBerry Backup.
How to Perform Backup Encryption With CloudBerry Backup
CloudBerry Backup supports client-side encryption in Advanced Mode only. Follow these steps of the Backup Wizard to enable it:
If you're interested in server-side encryption only, choose Simple Mode. If you need to encrypt backup files on your side, choose Advanced Mode.
Check Enable Encryption, then choose the algorithm type and a password. You can use CloudBerry encryption in conjunction with server-side encryption to add another security level to your data. In this case, choose whether to use a Key Management Service master key or just an Amazon S3 service master key.
Security Is the King
Security means everything when the data gets to public cloud storage. This statement was proved once again by the recent data breaches. Therefore users should keep in mind that server-side encryption (even if a customer key is provided) can't achieve the best security level possible. Client-side encryption eliminates its disadvantages and helps to protect essential backup data, as long as you remember the password that serves as the encryption key. You can try all three methods with CloudBerry Backup right away and choose the one that satisfies your daily needs.