this post was submitted on 25 Mar 2024
63 points (94.4% liked)

Privacy

31952 readers
601 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I'm looking into getting an extra backup solution for my laptop, and a backup solution for my NAS/media server. Currently, my laptop backs up to my local NAS, and Proton Drive, while my server has no additional backup.

Is using something like Backblaze B2 actually private and secure, especially if I use the personal encryption key I can set? Or is there another online service that may be better and more private?

top 28 comments
sorted by: hot top controversial new old
[–] [email protected] 41 points 7 months ago (1 children)

Always encrypt client-sidr before upload

[–] [email protected] 6 points 7 months ago (1 children)

Would cryptomator work for that?

[–] [email protected] 7 points 7 months ago

Cryptomator is made for that exact purpose.

[–] [email protected] 37 points 7 months ago

I would suggest using any cloud storage provider with a third party client, that automatically encrypts your files before uploading them, ensuring the cloud provider does not have any kind of access to your keys.

I personally use gocryptfs then mirror that to B2, but IIRC rclone and some other third party alternatives have built-in pre-upload encryption options that are easier to setup and use

[–] [email protected] 25 points 7 months ago (2 children)

I asked a very similar question earlier and the consensus is to encrypt before you upload. That way you care more about reliability than privacy

[–] [email protected] 12 points 7 months ago (1 children)

Make sure you test an actual restore. A backup that cannot be restored is useless.

[–] [email protected] 1 points 7 months ago

Absolutely. But this will likely just be media

[–] [email protected] 6 points 7 months ago (2 children)

And make sure your encryption keys are stored securely. You don't want a house fire or something to destroy your keys and your data.

[–] [email protected] 1 points 7 months ago (2 children)

Multiple pen-drives with encrypted storage holding keys; how does that sound? Good idea?

[–] [email protected] 1 points 7 months ago

As long as they're physically separated so you don't get screwed if there's a fire or something. And if you're DIY-ing, use multiple separate places (friends houses, work, etc).

[–] [email protected] 1 points 7 months ago

Flash loses memory over many years. I'd use like 3 different mediums and always keep a hash of the key with the key.

[–] [email protected] 1 points 7 months ago (1 children)

What are good places to store your encryption keys? I am trying to find solutions that aren't just store a piece of paper in some security deposit box.

[–] [email protected] 0 points 7 months ago (1 children)

Some options:

  • encrypted file stored on a free tier data storage (many are free for the first year)
  • Tarsnap - dedups so storage is cheap; for keys, this would be pennies per month
[–] [email protected] 1 points 7 months ago (1 children)

encrypted file stored on a free tier data storage (many are free for the first year)

I am confused, aren't you just pushing the problem further up the chain? Now you need to worry about storing the key that decrypts the file storing the key you wanted to protect in the first place.

Same goes with tarsnap, now you need to worry about where to store the tarsnap keys.

[–] [email protected] 2 points 7 months ago

You'd use a password to encrypt the keys and/or store that key in your password manager.

[–] [email protected] 23 points 7 months ago (1 children)

I am using B2 now - I started using it before they added the encrypted buckets and am using restic to encrypt everything. It's nice because I don't really have to trust Blackblaze at this point aside from them not losing my data.

I've since additionally turned on encryption on my buckets, but as far as I know they store the key for you, so in terms of privacy it's not the best.

[–] BlueBockser 2 points 7 months ago* (last edited 7 months ago)

+1 for restic. I've been using it for four years now and have never encountered an issue, including during my yearly restore practice run.

As far as B2 bucket encryption is concerned, I wouldn't trust it as far as I can throw it. Quite honestly, it could just be a fancy checkbox on their website without any actual encryption, and we wouldn't be able to tell. Either way, a compromise of Backblaze would put your data at risk.

[–] [email protected] 19 points 7 months ago (2 children)

Use rclone crypt with any provider

[–] [email protected] 3 points 7 months ago (1 children)

does encryption/decryption take time ?

[–] [email protected] 2 points 7 months ago

It's happening in background, you only see plain files and encrypted ones getting uploaded. It's seamless

[–] [email protected] 1 points 7 months ago

This is what I am doing to offsite backup my files. B2 has great pricing!

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago)

If you encrypt your data before uploading it to B2 you should be fine. Unless you run it yourself on your own server, you can't be sure that your data will be unreadable by anyone poking around unless it's encrypted.

I've been using B2 for my offsite backups for a couple of years now (since 2018), and both Duplicity and Restic encrypt data before shipping it over. I wrote about it here.

[–] [email protected] 0 points 7 months ago (3 children)

I figure I'll ask here instead of making a new post:

Does anyone know of any storage services that accept anonymous payment (cash, Monero, etc) and don't associate with an account? I'm willing to pay a premium since it would only be for a relatively small amount of data (mostly keys and whatnot). Bulk, uninteresting data would be encrypted and stored on a less expensive host like Backblaze or whatever.

[–] [email protected] 2 points 7 months ago (1 children)
[–] [email protected] 2 points 7 months ago

Cool, I haven't heard of this! Thanks!

[–] randombullet 1 points 7 months ago

Find a trusted friend

Put a server with them

Encrypt en route and at rest.

[–] [email protected] 1 points 7 months ago (1 children)

None that I know of. https://rsync.net seems to do a lot less data sharing than Backblaze, though, after having read both their privacy policies.

It's an interesting idea. I suppose you're thinking of something like what Mullvad VPN does with their physical pre-paid cards? You buy a card, that provides you an account number, and you're good to go?

[–] [email protected] 1 points 7 months ago

Yup, pretty much. I wouldn't even mind if it was hosted at a place like Backblaze and just resold, like Bitlaunch does for servers.