Why Encryption is Done by DS-Client
DS-Client (not DS- System) encrypts and decrypts files. This ensures security, because:
o Data can be restored only by the DS-Client that backed it up, or by another DS- Client that was installed using the same encryption types and keys as the DS- Client that backed up the data.
o Someone monitoring data transmitted between DS-Client and DS-System would intercept only encrypted data blocks. Access to confidential file content is not possible.
o Someone who gained full access to DS-System Online Storage would not be able to read the contents of backed- up files, since the data is stored in encrypted format.
Encryption can be either AES (128, 192, 256) or DES (56):
o DES 56-bit - up to 8-character key
o AES 128-bit - up to 16-character key
o AES 192-bit - up to 24-character key
o AES 256-bit - up to 32-character key
Note: The DES is slow and it is weaker than AES. It is strongly recommended that you choose AES encryption.
The following functionality has been certified:
o AES encryption - certificate #968 (see http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html)
o Random number generator - certificate #546 (see http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html)
o Digital signature - certificate #938 (see http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.html)
o HMAC - certificate #541 (see http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html)
The current status of the FIPS 140- 2 certification can be viewed at http://csrc.nist.gov/groups/STM/cmvp/documents/140- 1/1401val2010.htm
Asigra Cloud Backup(TM) uses two encryption keys:
o the private key is provided by the customer at DS- Client installation and used to encrypt all files except common files at the account or public level;
the account key is provided by the customer at DS-Client installation and used to handle common files at the account level.
Note: Customers with multiple DS-Clients under the same customer account MUST have an account key, and all DS-Clients for a customer account must be configured with that same key to be able to connect to DS-System. To set up the account key after DS-Client has been installed, Windows customers can use the DS- Client Setup application, a special re- configuration function installed along with DS-Client or the auto configuration feature (config-update.xml). Linux and MAC users can modify the account key from the DS- User (Setup menu > Configuration), or use the auto configuration feature (configupdate.xml).
Encryption keys cannot be changed after backing up data. If attempting to change the encryption keys for a DS- Client that has already connected to a DS- System, the connection of the DS- Client to the DS- System will be rejected.
If iOS DS- Clients and/or Android DS- Clients need to be installed under the same account with PC DS- Clients, then the account key selected must be type "AES 128", since it is supported by all those types of DS- Clients: Android, iOS and PC DS- Clients. If another account encryption key is selected, then the DS- Clients may need to be configured under different accounts on DS- System.
Encryption Key ValidationTo ensure that DS- Client continues to use the same private key and account key at all times, DS-System verifies key integrity on every connection (using a one-way hash to validate the keys).
DS-Client stores passwords that give access to the source computers in encrypted format in its database. The DS-Client encryption keys are also stored in encrypted format in the DS- Client database. As a result:
o Even a person with legitimate access to the system (such as the administrator) cannot discover the values of the encryption keys.
o If the DS-Client machine is compromised (a hacker gains access to this machine), the passwords that DS-Client uses to access the source computers, and the DS-Client encryption keys, are not compromised.
Helping Customers Manage Encryption KeysSince only the customer knows their unique encryption keys, if they are lost, the customer cannot decrypt their stored data. Customers must make their own arrangements to retain a copy of their encryption keys.
Encryption Key Safeguarding at DS-System
Encryption Key Safeguarding is an additional security provision that can be enabled from the DS- System. Forwarding the DS-Client key(s) will send an encrypted copy of the key(s) for storage in the DS-System’s database.
Enterprise/Service Providers will not be able to read customer Encryption Key(s), but will be able to create a Customer Registration Information (.CRI file) with them embedded for distribution. This means anyone who has the .CRI file can recreate a functioning DS-Client that will be able to perform backups and restores to the corresponding account on the DS-System.
Therefore, customers should determine their own policy on Encryption Key Safeguarding, and consult the Enterprise/Service Provider. If Enterprise/Service Provider enforces mandatory safeguarding, the DS-Client will not be able to connect to DS- System until you enable the option.