I recently purchased an account with IDrive to help with my backup scheme.

I have a question about online backups that I haven't really gotten a good answer for, and maybe someone on here might know. I even called IDrive, and you don't really get to talk to anyone technical enough to get a good solid answer.

Anyway, just a quick run down of what IDrive is. You basically upload your files to them for archival purposes. Your files are encrypted via a personal key that only I know, and then again with a key that only IDrive knows. Without those two keys, the files are useless.

So, here's my question.

I can log into IDrive's website. I can browse my dataset that I have uploaded to them. I can even click on a file I want to restore it. However, once I click on the file, it prompts me for my encryption key before the file starts downloading.

So...... wtf? Doesn't this mean that the file is now sitting on their server decrypted? How else is it sending me the file in a non-encrypted format?

Surely people who set these backups up have to think of something like this. There must be some way I'm not thinking of that would prevent someone from looking or getting that unencrypted file......

I doubt your data is at risk. Looks similar to Carbonite (http://www.carbonite.com/how_it_works/).

I doubt your data is at risk.I doubt it too. Surely whoever set this up would have to think of that. There must be something I'm not understanding correctly on how the retrieval works.

Not familiar with IDrive. Is there a client side component, or is this all "cloud storage"?

Not familiar with IDrive. Is there a client side component, or is this all "cloud storage"?There is a client you can use if you want, but you don't have to use it to retrieve your files. Only to upload them.

I recently purchased an account with IDrive to help with my backup scheme.

I have a question about online backups that I haven't really gotten a good answer for, and maybe someone on here might know. I even called IDrive, and you don't really get to talk to anyone technical enough to get a good solid answer.

Anyway, just a quick run down of what IDrive is. You basically upload your files to them for archival purposes. Your files are encrypted via a personal key that only I know, and then again with a key that only IDrive knows. Without those two keys, the files are useless.

So, here's my question.

I can log into IDrive's website. I can browse my dataset that I have uploaded to them. I can even click on a file I want to restore it. However, once I click on the file, it prompts me for my encryption key before the file starts downloading.

So...... wtf? Doesn't this mean that the file is now sitting on their server decrypted? How else is it sending me the file in a non-encrypted format?

Surely people who set these backups up have to think of something like this. There must be some way I'm not thinking of that would prevent someone from looking or getting that unencrypted file......

If the files are that sensitive, would it make sense to encrypt them yourself even prior to uploading to them? Just a thought.

-chuckles-

If the files are that sensitive, would it make sense to encrypt them yourself even prior to uploading to them? Just a thought.

-chuckles-The problem with that is it would make incremental backups an impossibility.

The only real way to do that is to make a truecrypt partition and work off of that. However, any time that partition file changed, I would be stuck uploading the entire damn however many gigs I make the partition again.

The only other option would be to single encrypt every file on my hard drive. However, that would get old real fast unencrypting and encrypting files every few seconds.

I'm not worried about the data being read as I'm sure they have thought of this, I was just curious how it worked, that's all.

You all know a lot more about this than I do, but if you are using public key encryption would it not still be encrypted until you used your password? then the only unsecured part would be the ride down the pipe to your machine?

I'm not worried about the data being read as I'm sure they have thought of this, I was just curious how it worked, that's all.

You're a trusting person. :)

-chuckles-

You all know a lot more about this than I do, but if you are using public key encryption would it not still be encrypted until you used your password? then the only unsecured part would be the ride down the pipe to your machine?Right, but that's what I'm saying. It has to be decrypting the file server side, and then sending me that unencrypted file from the server end. So, my concern would be what happens to that unencrypted file once I get the file downloaded?

You're a trusting person. :)

-chuckles-Ha, no, I'm not, I just don't know enough about how that works. I refuse to believe that a company founded on all this security would have a simple loop hole as this. There has to be something I'm missing.

I just sent this to them via email. I'll report back if I get a good answer. For some reason it removed all the ' I had in my email. They must have had issues with SQL or something... weird.

Users technical issues/comments/suggestions: I have a question in regards to IDrive that I have not really gotten a good answer for. Please read my question carefully as Ive felt that others have not quite understood what Im asking.

I have a concern in regards to security.

I have IDrive installed on my home PC and Im using my own key phrase.

My concern is this. Say I upload a folder of word documents to my IDrive through the IDrive Windows software. After its uploaded I can go to idrive.com and log in to my account. Once I log in, it shows me a list of my files I have uploaded to the IDrive server. If I browse to a file to download it and click on it, it prompts me for my keyphrase.

When I enter in my keyphrase, the file is decrypted on your server, and then downloaded to my PC through my web browser.

During the transfer, there is a perfectly good unencrypted version of my file sitting on your server.

How is this a secure way to do it? Wouldnt it be better to download the encrypted file and then have the file decrypt locally on my end?

Please advise.

All supposition, but given the lengths they seem to go to market two factor encryption, I'd expect they do client side (javascript or something) decryption so it's decrypted post-flight. Would offload half the decryption overhead as well.

edit: http://www.idrive.com/online-backup-security.htm
yea, it looks like decryption is client side, so going over the wire, you like have a one factor encrypted (idrive's factor has been decrypted). So it's like js, java, ajaxy bullshit goin on at the client.

edit:edit: quote:
These world-class facilities are custom designed with raised floors, HVAC temperature control systems with separate cooling zones and seismically braced racks. They offer the widest range of physical security features, including state-of-the-art smoke detection and fire suppression systems, motion sensors, 24 X 7 secured access, video camera surveillance and security breach alarms.

good to see they have... a machine room. yep, a machine room, that's classy.
I recently purchased an account with IDrive to help with my backup scheme.

I have a question about online backups that I haven't really gotten a good answer for, and maybe someone on here might know. I even called IDrive, and you don't really get to talk to anyone technical enough to get a good solid answer.

Anyway, just a quick run down of what IDrive is. You basically upload your files to them for archival purposes. Your files are encrypted via a personal key that only I know, and then again with a key that only IDrive knows. Without those two keys, the files are useless.

So, here's my question.

I can log into IDrive's website. I can browse my dataset that I have uploaded to them. I can even click on a file I want to restore it. However, once I click on the file, it prompts me for my encryption key before the file starts downloading.

So...... wtf? Doesn't this mean that the file is now sitting on their server decrypted? How else is it sending me the file in a non-encrypted format?

Surely people who set these backups up have to think of something like this. There must be some way I'm not thinking of that would prevent someone from looking or getting that unencrypted file......

All supposition, but given the lengths they seem to go to market two factor encryption, I'd expect they do client side (javascript or something) decryption so it's decrypted post-flight. Would offload half the decryption overhead as well.Right, but what I'm talking about is when I log into the website. It's just Firefox downloading the file at that point. Firefox is just the dumb client in this operation accepting the data being sent to it. Firefox is not doing any decryption what-so-ever. Therefore, the only conclusion I can have is the file is decrypted on their server to send to me, right?

Right, but what I'm talking about is when I log into the website. It's just Firefox downloading the file at that point. Firefox is just the dumb client in this operation accepting the data being sent to it. Firefox is not doing any decryption what-so-ever. Therefore, the only conclusion I can have is the file is decrypted on their server to send to me, right?Maybe not. The decryption could be done client side via Javascript or similar, but that seems unlikely. If the encryption is any good, I suspect the algorithms work in the whole file and not a streamed portion.

I wouldn't be too concerned over the server side decryption though. It would be in a temporary space or memory. Does iDrive use https? That could be a bigger concern. If there servers are in the US, then you are screwed anyway because of the DHS and their file server access laws (we had to set up servers in Canada so that Canadian client docs could not be accessed by US authorities - they actually have laws about that - PIPEDA).

quick way to check, just crack open the page source for that download interface, see what's goin on. If it is just a link to a file.. yea, i'd say they're storing in memory at best, at worst on-disk structures. If there's some javascript or client side scripting in there, I could see that working (javascript that generates an HTTP GET or some such nonesense).

edit: or just sniff the tcp stream :)

Right, but what I'm talking about is when I log into the website. It's just Firefox downloading the file at that point. Firefox is just the dumb client in this operation accepting the data being sent to it. Firefox is not doing any decryption what-so-ever. Therefore, the only conclusion I can have is the file is decrypted on their server to send to me, right?

Here are the screen shots on how you restore a file via their web interface.

After I log in the site:

http://i240.photobucket.com/albums/ff99/Bojangles888/idrive001.jpg

Where it asks me to enter in my key:

http://i240.photobucket.com/albums/ff99/Bojangles888/idrive002.jpg

The link it gives me to download the file:

http://i240.photobucket.com/albums/ff99/Bojangles888/idrive003.jpg

The link it provides to download the file is this. Someone should click on it real fast while I have the file sitting here. That'd be hilarious if it lets you download it.

https://www.idrive.com/idrivee/jsp/restore.jsp?p=D%3A%5CBackupFiles%5CJunk%5Ccharter. txt&s=2276&ver=1 (https://www.idrive.com/idrivee/jsp/restore.jsp?p=D%3A%5CBackupFiles%5CJunk%5Ccharter. txt&s=2276&ver=1)

Maybe not. The decryption could be done client side via Javascript or similar, but that seems unlikely. If the encryption is any good, I suspect the algorithms work in the whole file and not a streamed portion.

I wouldn't be too concerned over the server side decryption though. It would be in a temporary space or memory. Does iDrive use https? That could be a bigger concern. If there servers are in the US, then you are screwed anyway because of the DHS and their file server access laws (we had to set up servers in Canada so that Canadian client docs could not be accessed by US authorities - they actually have laws about that - PIPEDA).Yea, they use HTTPS. I think they are in the US. However, the most US authorities could get from my data sets are the file names without my key.

quick way to check, just crack open the page source for that download interface, see what's goin on. If it is just a link to a file.. yea, i'd say they're storing in memory at best, at worst on-disk structures. If there's some javascript or client side scripting in there, I could see that working (javascript that generates an HTTP GET or some such nonesense).Here's the code that I found relevant to what's going on. Also, the phrase:

"CLICK HERE TO RESTORE CHARTER.TXT" is no where in the source. Which means some sort of PHP or SSI is putting it there.

<tr>
<td align="right" class="txtcontent"> <span class="txtheader">Files / Folders Per Page </span>:
<select name="noe" id="noeselect" onChange="javascript:STREAMNET.idrive.update('D:','f','0','0 ','0',document.getElementById('noeselect').value)">
<option value="10" selected >10</option><option value="20" >20</option><option value="30" >30</option>
</select></td>

</tr>
</table><br />

<table width="95%" border="0" align="center" cellpadding="3" cellspacing="0">

<tr>
<td colspan="6"><strong><a href="/idrivee/jsp/IDEWelcome.jsp" class="linkbody" title="Home">Home</a><a href="folder.htm" class="linkbody"></a> <span class="txtbold">\</span>&nbsp;<a href="javascript:STREAMNET.idrive.update('D:','f','0','0 ','0','10')" class='linkbody'title='D:'>D:</a><span class='txtbold'> \ </span></strong></td>
</tr>

</table>

<table width="95%" border="0" align="center" cellpadding="2" cellspacing="1" bgcolor="#ebebeb" class="txtcontent">
<tr>
<td width="389" bgcolor="#ffffff" class="txtheader"><a href="javascript:STREAMNET.idrive.update('D:','f','0','0 ','0','10')" class="linkbody">Name</a></td>
<td width="74" bgcolor="#ffffff" class="txtheader"><a href="javascript:STREAMNET.idrive.update('D:','f','0','0 ','1','10')" class="linkbody">Size</a></td>
<td width="142" bgcolor="#ffffff" class="txtheader"><a href="javascript:STREAMNET.idrive.update('D:','f','0','0 ','2','10')" class="linkbody">Last Modified</a></td>
<td width="53" bgcolor="#ffffff" class="linkbody style2" align="center"><b>Version</b></td>

</tr>

All look server side to me.
I think you need to store all you sensitive files on flash drives and conceal them (http://uk.answers.yahoo.com/question/index?qid=20081111121733AAhuu1l).

All look server side to me.
I think you need to store all you sensitive files on flash drives and conceal them (http://uk.answers.yahoo.com/question/index?qid=20081111121733AAhuu1l).HAHAHAH!! How in the hell did you run across that? Oh man, I love the internet sometimes.

I think what's going on is this java program is literally decrypting the file on the fly as it sends it to me.

That's my best guess. Which, if the case, is fine by me as that means there is still no decrypted version of my file anywhere.

If it is java, then yes, i'd completely agree. Otherwise they'd be blatantly lying in much of their "technical"/sales docs. It says the traffic over the wire is 128bit.
HAHAHAH!! How in the hell did you run across that? Oh man, I love the internet sometimes.

I think what's going on is this java program is literally decrypting the file on the fly as it sends it to me.

That's my best guess. Which, if the case, is fine by me as that means there is still no decrypted version of my file anywhere.

It says the traffic over the wire is 128bit.HTTPS would satisfy that criteria.

HTTPS would satisfy that criteria.
According to their drawing.

It should encrypt the file on my end with 256-bit. Then, after the encryption, send the file over SSL (which is where they get their 128-bit from) then encrypt it again with the iDrive key (another 256-bit encryption) which finally stores it on the server.

http://www.idrive.com/images/ide_security_graphics.jpg

looking at this more:
http://www.idrive.com/online-backup-security.htm

it looks like they do all of the above, it's 2 factor aes (your key + their key, 128bit each) with https around all interaction. I've still gotta believe the personal key decryption goes client side, it would be foolish of them to NOT offload that kind of overhead to the client :)

edit: damnit, but if they encrypt before sending it off to their servers, you'd have to have the priv key in the client side software.. Please let us know if you ever get an answer, this is driving me crazy.
HTTPS would satisfy that criteria.

edit: damnit, but if they encrypt before sending it off to their servers, you'd have to have the priv key in the client side software.. Please let us know if you ever get an answer, this is driving me crazy.Yes, I have to enter in my key phrase in the client installed on my local machine.

From my understanding, it goes.

File on my PC => encrypted with my keyphrase + compression => SSL to their server => encrypted with second iDrive key phrase.