Why Encryption is Done by DS-Client

DS-Client (not DS-System) encrypts and decrypts files. This ensures security, because:
o Data can be restored only by the DS-Client that backed it up, or by another DS-Client that was installed using the same encryption types and keys as the DS-Client that backed up the data.
o Someone monitoring data transmitted between DS-Client and DS-System would intercept only encrypted data blocks. Access to confidential file content is not possible.
o Someone who gained full access to DS-System Online Storage would not be able to read the contents of backed-up files, since the data is stored in encrypted format.

Encryption Types

Encryption can be either AES (128, 192, 256) or DES (56):
o DES 56-bit - up to 8-character key
o AES 128-bit - up to 16-character key
o AES 192-bit - up to 24-character key
o AES 256-bit - up to 32-character key

Note: DES is slow and weaker than AES. It is strongly recommended that you choose AES encryption.

Encryption Certifications

The following functionality has been certified:
o AES encryption - certificate #968 (see http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html)
o Random number generator - certificate #546 (see http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html)
o Digital signature - certificate #938 (see http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.html)
o HMAC - certificate #541 (see http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html)

The current status of the FIPS 140-2 certification can be viewed at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm

Encryption Key

Asigra Cloud Backup(TM) uses two encryption keys:
o the private key is provided by the customer at DS-Client installation and used to encrypt all files except common files at the account or public level;
o the account key is provided by the customer at DS-Client installation and used to handle common files at the account level.

Note: Customers with multiple DS-Clients under the same customer account MUST have an account key, and all DS-Clients for a customer account must be configured with that same key to be able to connect to DS-System. To set up the account key after DS-Client has been installed, Windows customers can use the DS-Client Setup application (a special re-configuration function installed along with DS-Client) or the auto configuration feature (config-update.xml). Linux and Mac users can modify the account key from the DS-User (Setup menu > Configuration), or use the auto configuration feature (config-update.xml).

Encryption keys cannot be changed after backing up data. If you attempt to change the encryption keys for a DS-Client that has already connected to a DS-System, the connection of the DS-Client to the DS-System will be rejected.
If iOS DS-Clients and/or Android DS-Clients need to be installed under the same account as PC DS-Clients, then the account key selected must be of type "AES 128", since it is supported by all of those DS-Client types: Android, iOS and PC. If another account encryption key type is selected, then the DS-Clients may need to be configured under different accounts on DS-System.

Encryption Key Validation

To ensure that DS-Client continues to use the same private key and account key at all times, DS-System verifies key integrity on every connection (using a one-way hash to validate the keys).
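The key check on every connection described above, and the rejection of a changed key described under Encryption Key, can be sketched as follows. This is an added example, not Asigra's code or protocol: the salted PBKDF2 verifier, the `KeyRegistry` class and the client id and keys are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Maximum key length in characters per encryption type, as listed on this page.
MAX_KEY_CHARS = {"DES-56": 8, "AES-128": 16, "AES-192": 24, "AES-256": 32}

def key_verifier(enc_type, key, salt, iterations=200_000):
    """One-way verifier for a key. Salted PBKDF2 is this sketch's assumption:
    a fast unsalted hash of a short key could be guessed offline."""
    limit = MAX_KEY_CHARS[enc_type]  # KeyError on an unknown type
    if not 0 < len(key) <= limit:
        raise ValueError(f"{enc_type} key must be 1..{limit} characters")
    # Bind the encryption type in, so changing the type also changes the verifier.
    material = f"{enc_type}:{key}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

class KeyRegistry:
    """Hypothetical server-side store; it holds only salts and verifiers."""
    def __init__(self):
        self._records = {}

    def salt_for(self, client_id):
        rec = self._records.setdefault(
            client_id, {"salt": os.urandom(16), "verifiers": None})
        return rec["salt"]

    def connect(self, client_id, private_v, account_v):
        rec = self._records.get(client_id)
        if rec is None:
            return "rejected"          # no salt was ever issued to this client
        if rec["verifiers"] is None:   # first connection pins both keys
            rec["verifiers"] = (private_v, account_v)
            return "enrolled"
        stored_p, stored_a = rec["verifiers"]
        # Constant-time comparisons; both are always evaluated.
        ok = (hmac.compare_digest(stored_p, private_v)
              & hmac.compare_digest(stored_a, account_v))
        return "accepted" if ok else "rejected"

def demo():
    reg = KeyRegistry()
    salt = reg.salt_for("client-01")  # constructed client id and keys
    acct = key_verifier("AES-128", "constructed-acct", salt)
    good = key_verifier("AES-256", "constructed-private-key", salt)
    changed = key_verifier("AES-256", "a-different-private-key", salt)
    return [reg.connect("client-01", good, acct),
            reg.connect("client-01", good, acct),
            reg.connect("client-01", changed, acct)]
```

Calling `demo()` enrolls the client, accepts a reconnect with the same keys, and rejects a reconnect after the private key has changed; the registry never sees the keys themselves.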

Encryption Security

DS-Client stores passwords that give access to the source computers in encrypted format in its database. The DS-Client encryption keys are also stored in encrypted format in the DS-Client database. As a result:
o Even a person with legitimate access to the system (such as the administrator) cannot discover the values of the encryption keys.
o If the DS-Client machine is compromised (a hacker gains access to this machine), the passwords that DS-Client uses to access the source computers, and the DS-Client encryption keys, are not compromised.

Helping Customers Manage Encryption Keys

Since only the customer knows their unique encryption keys, if they are lost, the customer cannot decrypt their stored data. Customers must make their own arrangements to retain a copy of their encryption keys.

Encryption Key Safeguarding at DS-System

Encryption Key Safeguarding is an additional security provision that can be enabled from the DS-System. Forwarding the DS-Client key(s) will send an encrypted copy of the key(s) for storage in the DS-System's database.
Enterprise/Service Providers will not be able to read customer Encryption Key(s), but will be able to create a Customer Registration Information (.CRI) file with them embedded for distribution. This means anyone who has the .CRI file can recreate a functioning DS-Client that will be able to perform backups and restores to the corresponding account on the DS-System.
Therefore, customers should determine their own policy on Encryption Key Safeguarding, and consult the Enterprise/Service Provider. If the Enterprise/Service Provider enforces mandatory safeguarding, the DS-Client will not be able to connect to DS-System until you enable the option.