After reading my article on encrypting sensitive data, Ian Cooper asked if it was safe “to use one of these encryption tools in conjunction with an online backup service?”
In that previous article, I discussed two separate ways to encrypt a folder filled with sensitive files: Windows’ own Encrypted File System (EFS) and VeraCrypt, a free, open-source fork of the well-remembered TrueCrypt. This time around, I’ll look at how files encrypted with either of these work with two popular online backup services, Mozy and Carbonite.
[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to firstname.lastname@example.org.]
Both Mozy and Carbonite encrypt your files and keep them encrypted on their servers. However, the default settings provide a backdoor to that encryption. It’s therefore theoretically possible for a hacker, a disgruntled employee, or the NSA to access your files.
Both companies offer a more secure option where you and only you have the key, and therefore, there’s no backdoor. Mozy calls this a Personal Encryption Key; Carbonite calls it a Private Encryption Key. The problem, of course, is that if you lose the key, you lose your backup.
But even if the backup service has the key to your files, they don’t have the key to your EFS encryption. And the files are useless without that. When I tested this, Carbonite wouldn’t let me download EFS-encrypted files onto another computer. Mozy let me download the files, but those files just contained gobbledygook.
VeraCrypt’s container approach makes this a non-issue. Remember that VeraCrypt keeps your sensitive files in one or more encrypted container files. Open a container with the password, and your files become available in a virtual drive. Close the container, and your files exist only in the encrypted container.
The simple solution: Don’t back up the virtual drive. Just back up the container. That will effectively back up the files, but they’ll be encrypted before Mozy, Carbonite, or any other online service will ever see them.