Crashplan security concern with FileVault
Authored by: Basilisk on Apr 30, '09 11:11:17PM
I'm confident that the file contains fields called "privateKey" and "publicKey" as well as other obvious account data (email, guid). This is consistent with Crashplan's terminology for key handling. I'm also confident that the file is automatically updated by Crashplan and contains the same key data across every computer attached to my Crashplan account (also consistent with Crashplan's use of a single encryption key for all computers on an account).

It may be that the key may only be stored in that location if you use a "data password", which is ostensibly their higher level of security. If you use normal security level the encryption key is actually escrowed on their server (per their FAQ). In that case they may just download the key every time.

Crashplan has a page that tries to explain all this which makes it (somewhat) clear that the "private" key is stored unencrypted on the source computer. Their latest version even offers an option to supply your own private encryption key, though it's not clear that resolves the issue of secure storage of the key for FileVault users.
