How Backblaze uses Encryption to Protect your Data
Our Goal is Security and Ease
Our goal is to keep your data safe while making the online backup and restore of your data easy. You do not need to know anything about encryption to know the data you backup online is safe. At the same time, you should be able to easily add an additional layer of privacy without making Backblaze difficult to use. Here’s an overview of how we use encryption to secure your files. If you want to dig into the details you can read our blog post “How to make strong encryption easy to use”
Invisible encryption
When you use Backblaze, data encryption is built in. Files scheduled for backup are encrypted on your machine. These encrypted files are then transferred over a secure SSL (https) connection to a Backblaze datacenter where they are stored encrypted on disk. We use a combination of proven industry standard public/private and symmetric encryption methods to accomplish this task. To a Backblaze customer all of this is invisible and automatic. For example, when you create your Backblaze account, we automatically generate your private key that is used to uniquely protect your data throughout our system.Accessing your data
Upon arriving at a Backblaze datacenter, your data is assigned to one or more Storage Pods where it is stored encrypted. Access to your data is secured by your Backblaze account login information (your email address and password). When you provide these credentials, your private key is used to decrypt your data. At this point you can view your file/folder list and request a restore as desired.New: Backblaze has enabled two-factor authentication. Now a 6-digit code can be sent to your phone during sign-in for an extra layer of security.
Restoring data
When you request a data restore, we do what is known as a cloud restore. This simplifies the data restoration process. For example, let’s assume your hard drive crashes and you get a new hard drive or even a new computer. To restore your data you first log in to Backblaze using a web browser by providing your Backblaze account information (email address and password). Once you have logged in to the Backblaze secure web interface you can request a restore of your data. You do not have to install Backblaze to get your data back. To make this work, we decrypt your data on our secure restore servers and we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on your computer, you can unzip it and you have your data back.Adding your own passphrase
You have the option with Backblaze to add an additional layer of privacy via a user-selected passphrase. This passphrase will be used to encrypt your private key. This passphrase is your responsibility to remember and safeguard. This is important: if you forget or lose this passphrase there is no way that anyone, including Backblaze, can decrypt, and thus restore, your data. When you choose to add your own passphrase there is no “forgot passphrase” mechanism as Backblaze does not know your passphrase.Restoring when you set a passphrase
The data restoration process is a cloud restore, similar to the process previously described but with a few differences. To decrypt your data, you are required to enter your passphrase on our secure website. When you do so, it is passed over an encrypted connection to our datacenter where it is used to decrypt your private key, which in turn is used to decrypt your data. Your passphrase is never saved on disk and it is discarded once it is used. As before, once we decrypt your data on our secure restore servers we then zip it and send it over an encrypted SSL connection to your computer. Once it arrives on your computer, you can unzip it and you have your data back.
Cleaning up after a restore
When you request a restore, we locate and assemble a copy of your data on a secure restore server in our datacenter. Once we have sent you your restore data, you can choose to delete it immediately from the restore server or let it be automatically deleted after 7 days. Of course the original copy of your encrypted data remains stored safely away in the datacenter.