• JoeyDumont

    Can you share in more detail your procedure to generate the client-side encryption key from the passphrase? I would like to be able to demonstrate that I can retrieve the data stored in S3 in an unencrypted form even if CloudBerry were to go disappear for any reason.

  • Matt
    It's not possible, you need our software to restore data that was encrypted by it.
  • JoeyDumont
    Why is not possible? I don't see any technical limitation. I just need to be able to use the PBKDF with the same salt and I should be able to generate the AES256 key that was used to encrypt the data.
  • David Gugick
    Joey, that's not information we share in any way as it pertains to internal encryption methodologies. If you need to decrypt an encrypted backup outside of CloudBerry, then you may want to look into AWS KMS encryption which is managed by AWS and controlled by you. There is KMS encryption support in standalone CloudBerry Backup.
  • JoeyDumont

    Making internal encryption methodologies public does not make them less secure, though.
  • JoeyDumont
    I just caught the "standalone" before CloudBerry Backup. I am working with CloudBerry Managed Backup, as we plan to offer a backup service internally.

    I hope you can revisit your decision not to share these details, as the solution might not meet Government of Canada's security requirements as it is, and we have might have to move to another solution for backup/archiving data.

    Thank you for always answering my questions!
  • David Gugick
    Would you mind explaining in a bit more detail why the Canadian Government needs to be able to decrypt files outside the software / services that encrypt them? Is there a Canadian regulation driving this? Any information would be helpful when I bring this requirement to the team. KMS Support for Managed Backup is currently under discussion.

    In the meantime, you have our Client-Side Encryption (AWS-256 which requires CloudBerry to decrypt) as well as Server-Side Encryption options offered on may cloud services (encryption-at-rest).

    I look forward to your reply.

  • JoeyDumont
    There are two related issues at play here. The first deals with end-of-service/disaster data recovery. In the event that we choose to stop using CloudBerry, then repatriating the data is simple: we use the client. However, if, for any reason, the CloudBerry servers themselves become unavailable, it is impossible for us to repatriate the data, even though it stills exists in the cloud storage.

    Second, we require control of the client-side encryption keys, which CloudBerry does not at this moment provide. We do control the passphrase used to generate the key, but we have no way of generating the encryption key ourselves.

    That is indeed what we are using in the meantime.

    Thanks for responding,
Add a Comment

Welcome to CloudBerry Lab Forum!

Thank you for visiting! Please take a moment to register so that you can participate in the discussions!