Backup secure enough?

I want to do remote backups and need opinions whether this is secure
enough?  Not looking for bomber proof security but at least a decent
security level so the weekend hacker can't open my files.

1.  Backup file is 256-bit encrypted
2.  Transfer via regular ftp
3.  Store on the server used for my web hosting in a password protected

Some of the options I've considered

1.  Transfer via SSL ftp transfer:  but if the file transferred is
already encrypted, does an SSL transfer add any value?
2.  I suspect a password protected web folder can rather easily be
cracked, however, the backup file being 256-bit encrypted, how likely /
easily can this be cracked?

Thanks for your feedback!


Re: Backup secure enough?

256-bit encrypted doesn't tell us very much about the strength of
the encryption algorithm. If I were to encrypt the backup by xor'ing
blocks of 8 bytes with the string "Not SAFE", then that's a 256 bit

There are a lot of encryption schemes that are much easier to attack
if you can get several different examples (each of which has the same
general structure...) SSL negotiates a different encryption key for
each transfer, so if you happen to be using one of those less-strong
encryptions on the backups, transferring via SSL -will- decrease your

If the encryption scheme is built into the backup program, then you
should be wary. Built-in encryption schemes tend to have
back-doors so that when the customer loses the key they can take
the file to the company and the company can get the data back for them.
Then too in the USA there are requirements related to "Homeland Security",
and there are requirements related to proving you aren't in violation
of securities laws, so companies are under pressure to use a breakable
encryption. And if the company markets the product outside of the US,
Canada, and [only] about 8 other countries, then strong encryption is a
controlled product, so either they have an "export version" or they
use an encryption that isn't stronger than 56 bits effective.

Thus for stronger security, do the encryption yourself, preferably
with an open-source encryption program developed outside of the USA.

Re: Backup secure enough? wrote:

AES 256, Serpent-AES, ... nice.

Very dangerous. Clear passwords open your system to the attackers. You
are careful today. What about tomorrow? If your system gets compromised
you are dead. Imagine you are boxing.

Very, very dangerous. First, you want to separate your backups machine
and your web server since a hacker will as a first step attack your web
server, almost by instinct. Try to never give an attacker an advantage.
Even if your data is encrypted, it is safer to keep it away from
the sharks, because once the encrypted data is stolen the need for an
attacker to steal the encryption key becomes urgent. Secondly, every
time you are asked for a password be skeptical, because passwords, if
not random, are very weak.

At least it doesn't hurt.

Are you sure you will never decrypt, even temporarily, your data to
this folder? Are you sure an attacker can't get out of this folder once

Kind regards


Re: Backup secure enough?

Thanks Walter and Ludovic.

Based on your responses, I guess AES 256 isn't too bad.  Wrt to server,
I'll use a different server with SSL ftp enabled.

Thanks very much for your input.



Ludovic Joly wrote:

Re: Backup secure enough?

On Mon, Sep 11, 2006 at 05:54:28AM -0700, wrote:
If you're looking for a decent security level, choosing AES 256 (probably
CBC or CTR, rather than ECB), you should reflect on the way you store your
backup encryption keys or even salt/seed file - that's the weakest point.

                                - Lukasz Sztachanski

0x01A3E654 // 7832 E59C B733 9E6F CB54  6327 DFC1 161E 01A3 E654
                                                 *new keys*
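
The fixed-string XOR scheme from Walter's reply and the ECB caveat in Lukasz's reply share one observable weakness: equal plaintext blocks produce equal ciphertext blocks. The following is an added example, not code from any poster in this thread; it applies that XOR scheme to a constructed sample backup and shows a check you can run on your own backup tool's output. The sample data, the `BACKUP01` header and all function names are assumptions made for illustration.

```python
from collections import Counter

KEY = b"Not SAFE"  # the 8-byte string used as the example key in the thread


def xor_blocks(data: bytes, key: bytes = KEY) -> bytes:
    """The scheme described in the thread: XOR every block with one fixed string."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def repeated_block_ratio(ciphertext: bytes, block: int = 8) -> float:
    """Fraction of full blocks that duplicate an earlier block.

    Expected to be 0.0 for a sound cipher in CBC or CTR mode. A value clearly
    above 0 means equal plaintext blocks map to equal ciphertext blocks, which
    is what fixed-key XOR and ECB mode both do.
    """
    blocks = [ciphertext[i:i + block]
              for i in range(0, len(ciphertext) - block + 1, block)]
    if not blocks:
        return 0.0
    dupes = sum(n - 1 for n in Counter(blocks).values())
    return dupes / len(blocks)


def key_from_known_header(ciphertext: bytes, header: bytes) -> bytes:
    """With fixed-key XOR, ciphertext XOR guessable plaintext equals the key."""
    return bytes(c ^ p for c, p in zip(ciphertext, header))


# Constructed sample "backup": a predictable 8-byte header, zero padding and
# repeated records, the kind of structure real archive formats contain.
HEADER = b"BACKUP01"
SAMPLE = HEADER + b"\x00" * 64 + b"user=alice;role=admin;__" * 8

if __name__ == "__main__":
    ct = xor_blocks(SAMPLE)
    print("repeated blocks:", round(repeated_block_ratio(ct), 2))
    print("recovered key:  ", key_from_known_header(ct, HEADER))
    print("round trip ok:  ", xor_blocks(ct) == SAMPLE)
```

Run `repeated_block_ratio` with `block=16` over a real AES-encrypted backup of a file that contains long runs of identical data: a nonzero result indicates ECB mode or a similarly structure-preserving scheme.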
