Hmmm
No mention that the data is encrypted. Bugger if it's not and is lost in transit. And the format and send back could leave sectors open to extraction in future reuses.
Good idea (potentially), poor execution.
Cloud backup provider Backblaze has a nifty new take on large data restores, involving disk drives. Customers can order a flash drive or disk drive restore, meaning their data’s sent to them on a flash drive or external disk drive. This was a useful alternative where a web restore of data may take a while or be expensive if …
Although Backblaze encrypts all files at the source, and transmits them to the datacentre in encrypted form, their web restore process seems to involve decrypting them and sending plaintext files back over SSL.
https://www.backblaze.com/backup-encryption.html
https://help.backblaze.com/entries/20926247-Security-Question-Round-up-
"The answer shows a weak point in the Backblaze system.
As you prepare a restore, you must type in your private passphrase into the restore server. This is not written to disk, but held in RAM and for the period of time of decrypting all your files, and they are then stored in "clear text" on our very highly secured servers until they are ZIPPED up and offered to you to be downloaded."
If their disk restore process works the same way, then yeah, that's an issue.
"No mention that the data is encrypted."
Their security provisions seem to be as shit as any other cloud vendor. They state they will do a 3 pass DOD bollocks compliant wipe of the returned drives - if the data was properly encrypted they wouldn't need to, would they?
Stored data is encrypted locally before transmission to them which is great, except it is encrypted with a key they hold. You have an option to encrypt the key with your own pass phrase, but, if you want to restore data you have to give them your pass phrase - you couldn't make it up......
Backblaze has attitude, and it's one that I find very likable.
It regularly publishes its disk reliability stats together with drive failures and it does so by brand type–something that Google never did when it published its document on the mechanisms underlying disk failures. It regularly updates its stats and makes them available in the public arena, and now how could anyone not like its return policy on its backup offer?
Thumbs up.
As a user of Backblaze (and no connection to them), for the price their service is unbelievable. They have saved me several times when I've deleted or overwritten a file, and the backup 'just works' - sits in the background and keeps things safe. They look after, urmm, a little over 1TB of data for me. For <$5 a month (I pay two-yearly). Show me -anywhere- else that even comes close.
Sure the encryption requires an amount of trust in them, but I use a local passphrase to provide an additional level, and really I don't store anything particularly sensitive (no IP, no work) on their service.
As far as I'm concerned, if they want to look after my collection of photos and videos of my kids growing up in a way that I can get them back if my house explodes, I'm happy. As is my wife, which is almost more important.
"You can also encrypt the drive restore during transit"
Why would you need to encrypt the drive when the data on your servers is already encrypted?
What proportion of data on your servers cannot be accessed now by, say, the NSA, and what proportion cannot be accessed by, say, the NSA after a user has done a restore and given you their secret pass phrase?
If these are legitimate concerns, you shouldn't be using *any* backup service that encrypts for you. You should be encrypting yourself and only sending encrypted data to remote servers.
Backblaze (and any other backup/cloud provider) could simply state they have implemented XYZ encryption schemes, and in reality either not have implemented it, or worse - think they did and have a flawed implementation.
"shouldn't be using *any* backup service that encrypts for you"
That argument applies to anything 'that encrypts for me' and so is irrelevant.
There is a big difference between a storage provider who deliberately allows themselves and anyone else they choose to inspect the data I store with them and one which has to have screwed up their service implementation for that to happen.
Backblaze appears to be the former and I have trouble understanding why. Why would you choose to force your customers to trust you when you don't have to?
They are in America, perhaps they didn't have that choice.