Encryption

Protecting the privacy of your data is a top priority for Backblaze, and that means encryption. Providing a service that is extremely easy to use is also a key part of the Backblaze vision, and encryption can make a product hard to use. Therefore, Backblaze built a system that delivers encryption without compromise using the following requirements:

1. Protect data with military-grade encryption.
2. Implement encryption transparently so you do not have to deal with it.
3. Allow you to change your password without re-encrypting your data.
4. In business environments, allow IT access to data without the user’s password.

Encryption Architecture

To accomplish these ambitious goals, Backblaze uses a combination of public/private and symmetric key algorithms.

The math behind this cryptography can be complicated, but the idea is simple: public/private keys let you encrypt data with one key and decrypt it with another key. 

Typically, data is encrypted with the public key and decrypted with a private key that is kept secret, but the reverse also works. This is very useful because it allows Backblaze to encrypt data in the background without requiring you to enter your password.

Unfortunately, public/private key algorithms are slow and cannot be used to encrypt a large amount of data. Symmetric key algorithms use the same key to encrypt and decrypt data, and they are very fast with large amounts of data. However, since the same key is used to decrypt the data, the data is secure only if the symmetric key is secure.

Backblaze combines these algorithms as shown in the following images.

Encryption Process

Backblaze generates a new 2048-bit RSA public/private key pair when you install the Backblaze client, stores the public key on the local disk, and transmits the private key to a data center using Hypertext Transfer Protocol Secure (HTTPS). Then, for each backup session, Backblaze generates a new random 128-bit AES symmetric key which is used to encrypt your data. Backblaze secures the 128-bit AES key by encrypting it with the your public key and transmits the encrypted file along with the encrypted key to a data center over HTTPS. Backblaze destroys the unencrypted 128-bit AES key at the end of each backup session and never writes it to disk. To decrypt a file, your private key is used to decrypt the 128-bit AES which is then used to decrypt the file.

Your private key, which is stored safely in a data center, is protected by a password that is highly guarded. However, Backblaze also allows you to secure your backup with a private encryption key (PEK). When this is done, it is impossible to access the data without the PEK. Backblaze does not recommend this option because it means that Backblaze cannot help you if you forget this password.

1. When you look back at the security requirements above, it is clear that AES is the encryption standard that is adopted by the U.S. government to protect classified information.
2. Using your public key means that Backblaze can safely run transparently in the background without compromising security.
3. Since a PEK is used to secure the private key rather than to directly encrypt the data, you can change the PEK by re-encrypting only the private key with a new one.
4. Last but not least, you can make several copies of a private key and encrypt each copy with a different password to provide an IT department access to data without the need to share passwords.

For information about Backblaze B2 Cloud Storage security, click here.