It’s not about the encryption. It’s about the encryption keys

October 16th, 2014

There’s a lot of talk on the interwebs about encryption. Encryption is a necessary but not sufficient condition for maintaining control of your data. Controlling access to the encryption key is just as important.

Lots of articles that reference encryption fail to mention this, and that’s confusing for people who are not crypto experts. For example, a recent TechCrunch article about Edward Snowden and Dropbox paraphrases Snowden recommending SpiderOak because Dropbox “doesn’t support encryption.” In the very next paragraph it quotes Dropbox saying all files “are encrypted while traveling and at rest on Dropbox’s servers.” Then it says the difference between SpiderOak and Dropbox is that SpiderOak “encrypts the data while it’s on your computer, as opposed to only encrypting it ‘in transit’ and on the company’s servers.” It circles around the key issue but never says it explicitly.

When you read things like, “All files sent and retrieved from Dropbox are encrypted while traveling between you and our servers”, that’s good, and it guards against eavesdropping in transit, but it misses the point. “Encrypted” is meaningless if the party holding the data can also decrypt it.

It’s about who controls the keys. It’s about giving keys/control to a third party who can then be compelled to give control to a government agency. If you give your unencrypted content to a third party, you’ve lost control of the content, and that’s irreversible. But if you give your content to a third party in encrypted form and also give the third party the keys (as in the case of Dropbox), you’ve still irreversibly lost control of the content.

Keep the Keys to Yourself

Encrypt your data with a key that only you know. Then send your encrypted bits to the third party. The third party only has unreadable random noise (the encrypted data) and no way to turn it into files (decrypt it).

Arq (our backup app) has been designed from day one to make sure you keep the encryption key. It asks you at setup time for an encryption key, stores it securely in your computer’s keychain, and never transmits it anywhere. To restore files to a new computer, you’ll need to use the Arq app to decrypt and you’ll need to supply it with that encryption key, or else it can’t decrypt the data.

When you read about products that include encryption, always ask yourself who has the keys.

We have made Arq, a trustworthy backup app, since 2009. Arq backs up your files to your own cloud accounts (Amazon Web Services, Google Drive, Google Cloud Storage, Dropbox, SFTP) and encrypts everything for you before sending so that those cloud providers don't have access to your files. Give it a try!