How Backblaze uses Encryption to Protect your Data
Our Goal is Security and Ease
Our goal is to keep your data safe while making the online backup and restore of your data easy. You do
not need to know anything about encryption to know the data you back up online is safe. At the same time, you should be able to easily add an additional layer of privacy without
making Backblaze difficult to use. Here’s an overview of how we use encryption to secure your
files. If you want to dig into the details, you can read our blog post “How to make
strong encryption easy to use.”
Invisible encryption
When you use Backblaze, data encryption is built in. Files scheduled for backup are encrypted on your
machine. These encrypted files are then transferred over a secure SSL (https) connection to a Backblaze
datacenter where they are stored encrypted on disk. We use a combination of proven, industry-standard
public/private and symmetric encryption methods to accomplish this task. To a Backblaze customer all of
this is invisible and automatic. For example, when you create your Backblaze account, we automatically
generate your private key that is used to uniquely protect your data throughout our system.
Accessing your data
Upon arriving at a Backblaze datacenter, your data is assigned to one or more Storage Pods where it is stored
encrypted. Access to your data is secured by your Backblaze account login information (your email
address and password). When you provide these credentials, your private key is used to decrypt your
data. At this point you can view your file/folder list and request a restore as desired.
New: Backblaze has enabled two-factor
authentication. Now a 6-digit code can be sent to your phone during sign-in for an extra layer of
security.
Restoring data
When you request a data restore, we do what is known as a cloud restore. This simplifies the data
restoration process. For example, let’s assume your hard drive crashes and you get a new hard
drive or even a new computer. To restore your data you first log in to Backblaze using a web browser by
providing your Backblaze account information (email address and password). Once you have logged in to
the Backblaze secure web interface you can request a restore of your data. You do not have to
install Backblaze to get your data back. To make this work, we decrypt your data on our
secure restore servers and we then zip it and send it over an encrypted SSL connection to your computer.
Once it arrives on your computer, you can unzip it and you have your data back.
Adding your own passphrase
You have the option with Backblaze to add an additional layer of privacy via a user-selected passphrase.
This passphrase will be used to encrypt your private key. This passphrase is your responsibility to
remember and safeguard. This is important: if you forget or lose this passphrase there is no way that
anyone, including Backblaze, can decrypt, and thus restore, your data. When you choose to add your own
passphrase there is no “forgot passphrase” mechanism as Backblaze does not know your passphrase.
Restoring when you set a passphrase
The data restoration process is a cloud restore, similar to the process previously described but with a few
differences. To decrypt your data, you are required to enter your passphrase on our secure
website. When you do so, it is passed over an encrypted connection to our datacenter where it is used to
decrypt your private key, which in turn is used to decrypt your data. Your passphrase is never saved on
disk and it is discarded once it is used. As before, once we decrypt your data on our secure restore
servers we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on
your computer, you can unzip it and you have your data back.
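The key hierarchy described in the two passphrase sections above, as an added example that is not Backblaze's code. RSA-OAEP, AES-256-GCM and the PEM passphrase encryption of the Python `cryptography` package are assumptions, since this page does not name the algorithms; the function names and sample values are constructed for illustration.

```python
# Added illustration. Algorithm choices are assumptions, not Backblaze's documented ones.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def create_account(passphrase=None):
    """Generate the account key pair; encrypt the private key if a passphrase is set."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    protection = (serialization.BestAvailableEncryption(passphrase)
                  if passphrase else serialization.NoEncryption())
    private_pem = key.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.PKCS8, protection)
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return public_pem, private_pem

def encrypt_file(public_pem, plaintext):
    """On the user's machine: encrypt with a fresh symmetric key, wrap it with the public key."""
    public_key = serialization.load_pem_public_key(public_pem)
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, None)
    return public_key.encrypt(file_key, OAEP), nonce, ciphertext

def restore_file(private_pem, blob, passphrase=None):
    """On restore: unlock the private key, unwrap the file key, decrypt the data."""
    wrapped_key, nonce, ciphertext = blob
    private_key = serialization.load_pem_private_key(private_pem, password=passphrase)
    file_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(file_key).decrypt(nonce, ciphertext, None)

def restore_fails(private_pem, blob, passphrase):
    """True when the private key cannot be unlocked with the given passphrase."""
    try:
        restore_file(private_pem, blob, passphrase)
    except (ValueError, TypeError):
        return True
    return False
```

With a passphrase set, the stored private key is itself ciphertext, so every wrapped file key beneath it is unrecoverable without the passphrase, which is why no “forgot passphrase” path can exist.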
Cleaning up after a restore
When you request a restore, we locate and assemble a copy of your data on a secure
restore server in our datacenter. Once we have sent you your restore data, you can choose to delete it
immediately from the restore server or let it be automatically deleted after 7 days. Of course, the
original copy of your encrypted data remains stored safely away in the datacenter.