Backup forum

I've not heard this myself.

IDrive's official line is:

"Should you choose to use a user defined private key for encrypting your data, IDrive personnel will not have access to this key and it will not be stored on the IDrive servers. It is very important that you store your user defined private key in a safe place and maintain this key in printed form for reference. Any data backed up using the Services can only be retrieved using your key and if you forget or misplace this key then your data may not be retrievable. IDrive is NOT responsible for loss of data arising as a result of such cases."

There's a bit more info here:

How does the private encryption key work? Is it stored on IDrive servers?
- A sample value is encrypted using a one-way encryption mechanism when you provide the key during the first login via IDrive desktop application.

- This encrypted sample value is sent to the server using dynamically salted AES 256-bit encryption.

- The encryption key that you set on your local machine will be further used to encrypt data using industry standard AES 256-bit on the client before it is transmitted to the server.

- The personal key can be decrypted only by the IDrive application. This encrypted sample value on the server is used for validation for future logins.

So while IDrive does not store the encryption key, a sample one-way encryption value is stored to validate future logins. Only the sample encrypted value is transmitted and at no time the key is transmitted to the servers. You can not deduce the key from encryption value as it is a one-way encryption.

Note:IDrive decrypts the file locally; the decryption happens on local clients and not on servers while using Desktop Apps. Now, on the Web or the web based interface situation is slightly different. The process is exactly the same, except that the 'client' here is an 'intermediate processor' and not the desktop. The data is not decrypted on the actual servers that host the data, but on the 'intermediate processor' on the fly and then brought to the browser interface via SSL interface. The 'intermediate' processors are segregated from the servers that host the encrypted data. This is a slight compromise for ease of use. You can avoid accessing private key enabled accounts via the web to avoid this entire process that involves intermediate processors.

So their "intermediate processors" are able to decrypt your data, so your private key must be transmitted to them. If that's over SSL, there's a theoretical possibility that the key could be sniffed, for example on a corporate network where the company uses its own CA to allow https content inspection.

Zeke wrote:

Do you think this is a typical scenario for most backup services, or unique to just a few, like IDrive? And how much do you think one should worry about this, if at all?

Well I moved from Tape Streamers to IDrive and I haven't strayed, so I don't know how the other services do it!

As to whether one should worry - I guess it depends on the value or sensitivity of one's data.

Anything that needs an extra layer of protection could be stored in an encrypted ZIP file (don't store the key for that on your computer!)

IDrive support got back to me, and this is what they said:

"We understand your concern. In this case, for more secure access with your private encryption key accounts, you may use the IDrive desktop application for backup and restore of the data."