Alan (New Zealand)

asked on

Best encryption option for cloud based backups

Hi All,

I was asked a question today, and whilst I have some ideas, I figured it would be good to see what others think in case I am out of date or missing something.

I was asked what encryption option to use for storing confidential information on a cloud storage site.

The site allows encryption of whatever is uploaded, and they *claim* that they don't have the keys (and I believe them). If we (the client) lose the keys, then the storage site cannot help them. We have a good system for backing up the keys, and I will also have a copy that I will hold for them, and I am comfortable that this aspect is well covered and secure, both at their end and mine.

This is a secondary backup in case something happens to the office site drive backups they already have in place each day.

The backups include staff records and payroll data, so the client wants to pre-encrypt their bulk data backups prior to storing in the cloud site, which I am all for too.

They want to take the backups, combine them into a single file for a given date (the size of the backups makes this viable), and store that single encrypted file on the cloud site.

They were proposing to zip the backup using 7-zip and apply the AES option with a password that is 23 random characters, followed by the date (so today would end in 20180814). That way the password is really 23 characters, but all the passwords are different.

I am okay with that, but perhaps there are better options. When asked, I said we could consider generating a VeraCrypt volume (file based) for each backup, and use the same approach for the key as above, but I'm not sure whether that is better, worse, or no different than the 7-zip AES option. Creating the volume is not difficult (it can be created each day and be ready to receive the backups that run overnight - it's all scripted and scheduled, and I am confident that we can do it all efficiently and automatically either way).

To be clear - the client's primary concern is that even if someone malicious had access to the cloud storage site (internal or external hack), they would not be able to get into any of the backups.

This can run on either Windows (7 or 10) or Linux (Ubuntu 16.04 LTS currently, but I guess we could go back to 14.04 LTS or forward to 18.04 LTS if required).

Please - No posts that they shouldn't store confidential information in the cloud, they understand the risks, and this is the way they want to go.


Question:

What encryption software / option would you suggest they use?



Thanks,

Alan.
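The password scheme in the question, as an added example that is not part of the original post. It builds the "23 random characters plus date" password and, beside it, a variant that derives each day's password from the same secret with HMAC-SHA256; the 62-character alphabet, the function names and the derived variant are assumptions.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
from datetime import date

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol character set


def new_master_secret(length=23):
    """The 23 random characters, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def suffix_password(master, day):
    """Scheme from the question: the fixed secret followed by YYYYMMDD."""
    return master + day.strftime("%Y%m%d")


def derived_password(master, day, length=32):
    """Variant (assumption, not the poster's scheme): HMAC-SHA256 keyed with the
    master secret over the date, so a disclosed daily password reveals neither
    the master secret nor any other day's password."""
    tag = hmac.new(master.encode(), day.strftime("%Y%m%d").encode(),
                   hashlib.sha256).digest()
    return base64.b32encode(tag).decode().rstrip("=")[:length]


def secret_bits(length=23, alphabet_size=len(ALPHABET)):
    """Entropy of the random part only; the date suffix is public and adds none."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master = new_master_secret()
    today = date(2018, 8, 14)  # the date used in the question
    print(suffix_password(master, today))
    print(derived_password(master, today))
    print(round(secret_bits(), 1), "bits")
```

With the suffix scheme, stripping the last eight characters of any one password yields the secret for every backup; the derived variant keeps each day's password independent while the holder of the master secret can still regenerate any of them.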
Arana (G.P.)

7zip AES256 is as secure as veracrypt if correctly implemented, but veracrypt was done with encryption in mind by cryptographers, 7-Zip uses key extension to increase the time to brute-force, I would say if you plan on sending the files then 7zip will be easier, with the hassle of unpacking the individual registry you want, while with veracrypt you do it all transparently (which may or may not be better for your needs)

they are similar, veracrypt uses SHA512 for key stretching, 7zip sha256, but in the end they both use aes256 for the data.
if you use 7zip in an unencrypted desktop, there is a good chance that some forensic tool could find unencrypted data in some empty space in your disk (not a fact just a hunch, maybe if 7zip deletes the temp data and overwrites with a good algorithm this would not happen) it is designed for "in transit files" after all.

just my 2 cents.
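Key stretching as mentioned in the post above, as an added example that is not part of the thread or of either project's code. It sketches an iterated SHA-256 derivation in the style of the 7z AES coder next to PBKDF2-HMAC-SHA512; the round counts (2**19 and 500,000) are commonly cited defaults taken here as assumptions, and all function names are hypothetical.

```python
import hashlib
import time


def sevenzip_style_key(password, salt=b"", cycles_power=19):
    """Iterated SHA-256: feed salt || UTF-16LE password || 64-bit counter into
    one running hash 2**cycles_power times (assumed default: 19)."""
    h = hashlib.sha256()
    prefix = salt + password.encode("utf-16-le")
    for counter in range(1 << cycles_power):
        h.update(prefix + counter.to_bytes(8, "little"))
    return h.digest()  # 32 bytes, used as the AES-256 key


def pbkdf2_sha512_key(password, salt, iterations=500_000, length=64):
    """PBKDF2-HMAC-SHA512 stretching (iteration count is an assumed default)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                               iterations, dklen=length)


def seconds_per_guess(fn, *args, **kwargs):
    """Wall-clock cost of one key derivation, i.e. of testing one password."""
    start = time.perf_counter()
    fn(*args, **kwargs)
    return time.perf_counter() - start


def brute_force_years(bits, seconds_each, guesses_in_parallel=1_000_000):
    """Expected years to search half of a 2**bits password space."""
    seconds = (2 ** (bits - 1)) * seconds_each / guesses_in_parallel
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = "constructed-sample-password"     # constructed input
    salt = b"constructed-salt"             # constructed input
    t7 = seconds_per_guess(sevenzip_style_key, pw)
    tv = seconds_per_guess(pbkdf2_sha512_key, pw, salt)
    print(f"iterated SHA-256: {t7:.2f}s  PBKDF2-SHA512: {tv:.2f}s per guess")
    # 23 random characters from a 62-symbol set is about 137 bits
    print(f"{brute_force_years(137, max(t7, tv)):.1e} years at 1e6 parallel guesses")
```

Both derivations cost a fraction of a second per guess on one core, so for either tool the resistance to guessing comes almost entirely from the length and randomness of the password.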
For doing complex stuff like that, I would suggest shelling out for a 3rd party app.

I have been happy with StorageCraft Shadowprotect. Pretty sure it can do everything you have mentioned.

Of course it is possible to do all this with a heap of free utilities strung together with various scripts; at some point that gets complex and error prone.
any symmetric encryption is breakable given enough time.

when it comes to archives using simple tools, AES256 provided by 7zip is one good option. likely one of the best around. pgp might be another one.

you may consider splitting the resulting file into halves bit by bit, and store them at different cloud locations and providers. the halves do not need to be the same size. the security gain is HUGE.
Alan

ASKER

Hi Guys,

Sounds like VeraCrypt would be the best option, with 7-Zip AES probably about the same (but I note the fact that encryption is not the core of what 7-zip does, so possibly it might be more likely to have unknown bugs / weaknesses in the implementation).

If nobody has any suggestion to better those, I will suggest they use file-based VeraCrypt containers (should be faster than running a backup, then zipping using AES, since the container is pre-formed).

I'll leave this a few more days to see if anyone has any further comments.

Thanks,

Alan.
you can audit 7-ZIP code yourself and many people did before you.
there are MANY more chances to find unknown vulnerabilities ( or possibly voluntarily open loopholes ) in veracrypt than in anything else.
additionally veracrypt is expensive and probably uses standard free ( and likely outdated ) libraries anyway.
Alan

ASKER

Please can you expand on how VeraCrypt is expensive?

It used to be free - has that changed?

Thanks,

Alan.
my bad, got mixed up with an older commercial product.

what you're talking about is the truecrypt successor, sorry. afaik that is meant to encrypt a drive, not an archive. if you store a regular backup on a cloud machine running veracrypt, the cloud machine has the key and can see the drive unencrypted so you're not actually adding much security. at best consider you're storing the key together with the archive.

if you store your backup on a local veracrypt encrypted backup and copy the encrypted drive image to the cloud, while keeping the key on premises, that's another story. and additionally you're not paying to run an additional machine in the cloud. but that is more complex to setup than using a regular archive backup.

btw, neither of the above are fit to realize incremental backups should you need them.
Alan

ASKER

Hi Skullnobrains,

With the old TrueCrypt and now VeraCrypt, you can either encrypt an entire drive, or you can create a file based 'container' - I would be doing the latter.

However, your point about incremental backups is a really good one, that I had not considered.

Given you weren't familiar with VeraCrypt containers, you may not be able to answer this, but maybe you can, or someone else reading this will know.

Scenario:


I create a container - let's assume it is relatively large, say, 32GB.

I then mount the container and the machine sees it as an empty 32GB drive.

I now add a single file called Alan.txt containing a text string 'Hello world'.

I then dismount the container and make a copy of the container file (all 32GB!) - call it Container1

I now remount the container, and add a second file called Bob.txt containing 'Goodbye cruel world'.

I dismount the container, and rename it Container2.

If I were to do a bit by bit comparison of Container1 and Container2, would I see, say, a few thousand (or so) bits have changed, out of the 32GB, or would I see that roughly 50% of the bits have changed?

If the former, then maybe, somehow, can I do an incremental upload?

Alan.
hmm... as you mentioned, i have very little knowledge of veracrypt and did not even know about the container stuff.

what i can tell you is that when making changes to encrypted drives, you do not rewrite the whole drive or even much more data than needed. afaik, most of these tools actually encrypt individual disk blocks, and a few of them encrypt individual files on a regular device. working in any other way would produce too much of a performance hit. i'd assume veracrypt to use the former technique. either way the answer would likely be about 2 blocks worth of changes. the blocks that contains the file, and the directory entry.

i've worked with geli over an iscsi export. this does work and allows the key to be stored on the local node, but i probably would not try it on a cloud because unreliable links are very likely to crash the os. encrypted zfs using the builtin incremental block backup would work perfectly. but since you are thinking veracrypt, i assume you mainly run windows boxes and won't be comfortable setting this up.

at this point, given the requirements, i'd probably turn to dedicated software. maybe have a look at this project : https://github.com/duplicati/duplicati which i have zero experience with but features pgp and aes256 encryption and is dedicated to cloud backups. it seems to feature incremental backup algorithms similar to those found in rsync or unison together with encryption and tools dedicated for writing in the cloud that should be able to deal properly with irregular round trip times and short downtimes i'd expect from a cloud storage.

it comes with a windows installer and has drivers for many cloud providers : https://duplicati.readthedocs.io/en/latest/05-storage-providers/
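The Container1 / Container2 comparison asked about above can be run directly on two copies of a container file; this is an added example, not part of the thread. The 4096-byte block size, the function names and the file names are assumptions, and the demo uses constructed random bytes with three rewritten regions rather than a real VeraCrypt container.

```python
import os
import tempfile
from itertools import zip_longest

BLOCK = 4096  # assumed comparison granularity (a multiple of 512-byte sectors)


def read_blocks(path, block=BLOCK):
    """Stream a file as fixed-size blocks so a 32GB container never sits in RAM."""
    with open(path, "rb") as f:
        while chunk := f.read(block):
            yield chunk


def changed_blocks(old_path, new_path, block=BLOCK):
    """Indices of differing blocks; blocks present in only one file count as changed."""
    pairs = zip_longest(read_blocks(old_path, block), read_blocks(new_path, block))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def to_ranges(indices):
    """Coalesce sorted block indices into inclusive (first, last) runs to upload."""
    ranges = []
    for i in indices:
        if ranges and i == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


def demo():
    """Constructed stand-in for the two containers: 1 MiB of random bytes with
    three small regions rewritten (think directory entry plus file data)."""
    base = bytearray(os.urandom(256 * BLOCK))
    newer = bytearray(base)
    for off in (3 * BLOCK + 10, 200 * BLOCK, 201 * BLOCK + 5):
        newer[off:off + 16] = bytes(b ^ 0xFF for b in base[off:off + 16])
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = os.path.join(d, "Container1"), os.path.join(d, "Container2")
        for path, data in ((p1, base), (p2, newer)):
            with open(path, "wb") as f:
                f.write(data)
        changed = changed_blocks(p1, p2)
    return {"changed": changed, "ranges": to_ranges(changed), "total_blocks": 256}


if __name__ == "__main__":
    print(demo())
```

Run against real before and after copies, the number of changed blocks relative to the total shows whether an incremental upload of only those ranges is worthwhile.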
Alan

ASKER

Hi Skullnobrains,

I'll check out Duplicati.  I have heard of it, but I think in a Linux context, rather than Windows, if I recall correctly.

The client in this case runs a Windows Domain, but I am quite comfortable in Linux - my main machine at home is Ubuntu 16.04LTS and I have been using Unix since 1990 so not a newbie, but I would not describe myself as an expert.

I would be happy to setup a solution for them that went via a Linux box, and might even prefer it to give a bit of a 'barrier' between the production Windows machines and a backup Linux machine.

In this scenario I see the Linux box as being an intermediate location for the backups to be 'stored' then encrypted before sending them off to the cloud - is that correct?


Thanks,

Alan.
duplicati is actually a windows program. it relies on dotnet and runs on *nixes through mono.

if you can and had rather setup a separate host, the above mentioned zfs option seems sensible as well : setup a separate server with encryption turned on, and use the block level builtin replication to incrementally copy the pool to the cloud. possibly use dedup and compression as well. and use a well known tool such as rsync or unison to handle the backups. and you can keep readable snapshots as well. note that zfs had better be run on solaris or bsd hosts than linux.

i'm not sure which is best. if you test duplicati, i'm interested in some feedback.
bump : keeping the question open. ready to help if i can + happy to get some feedback