Support for encrypting backups

I’m also looking to migrate off CrashPlan. ( sad really )

I’m comparing UrBackup and Duplicati as my solutions for family backup. I see number of other posts here in a similar predicament.

I find that Duplicati is a little fiddly t use and I would be concerned about user error, also a file restore seems to take a very long time depending on what volume of database files needs to be downloaded.

I think UrBackup is very promising. I agree with other posters here tht it does need a client side PKI based encryption option. I would gladly sacrifice server disk space and deduplication of backed up data in favour of files being encrypted using a GPG or other PKI encryption key. For me this is a must-have feature.

I am also in support for feature of some sort of encryption of data at the server for security compliance.

Apart from the client, the data on the server should not be accessible to any other (Admin/user) and in case it is not possible then at least data should be correctly encrypted so that it is safe and can not be decrypted.

@uroni +1 from me.

I don’t need encryption of file-structure. If I’m unable to read the file, that’s good enough for me. Super-duper-important is that the client encrypts stuff, and not the server.

Encryption would need to be reproducible, I guess, to prevent continuous full backups.

This feature would take away a lot of issues with regard to #gdpr

2 Likes

Encryption of file-structure or partition image would be great for everyone. It can be enable or disable from server side and client side. For home users should be able to use it for general purposes. However, it should be only set from administrator for business purposes.

Without any encryption option with UrBackup, unfortunately its not a choice to backup & restore solution for me at all. :frowning:

Thank you.

Allowing encryption to be disabled serverside would render encryption useless, don’t you think?

I’d like to point out that I for one want to see the ability to encrypt backup traffic on LAN too, not just internet. This way the backup traffic can’t get snooped by staff or internal breaches. The majority of IT Security breaches, statistically, are done by company staff, not external parties. Having it be unencrypted on LAN makes it just that much easier to scoop data off other computers you don’t have access to.

You can of course use the internet mode locally. It’s harder to setup, but otherwise it has next to no disadvantages.

I might have missed it, but where in the Admin Docs would I find adapting the internet mode for LAN? Does that break LAN discovery at all?

One of these:

  • You can run "C:\Program Files\UrBackup\enable_internet_only.bat" on the clients
  • Put server in a separate (virtual) network and only forward internet + web interface
  • Block 35623 UPD outgoing on the server with its firewall settings
  • The 2.2.x server has a --internet-only switch. On Windows add
    –internet_only_mode
    true
    to args.txt

Of course it breaks LAN discovery. But you can temporarily switch LAN mode back on once you have a new client.

2 Likes

Are “internet” clients able to get new client updates pushed from the server? Is there any possibility in the future we can have LAN encryption + discovery? Or is that an impossibility?

Sorry. But if the client would encrypt the backup, encryption of the traffic would not be required…

I’m confused. Internet backup (as opposed to LAN), would mean the backup itself is encrypted, even on the server-side? Not the traffic between Client and Server?

What about wanting in-traffic encryption, but not on-disk encryption on the server? (for restoration reasons)

Also, another question came to mind. If I do ONLY internet backups, does the Restoration ISO stop being able to discover LAN UrBackup servers?

Shall we keep this topic about the Feature Request it’s about?

Well, I’m game for being on-topic, but after reviewing this thread, it looks like it’s relevant to the latest response given about internet v LAN. So… should I start another thread for that one question? :confused:

Why don’t you need that? Do you encrypt the whole disk?

First, thanks for your work, Urbackup is Great tools !!
There are two kinds of encryption, first is the physical access to the harddisk, second is to the backup administrator, us.
First kind of encryption, recently I came across a client’s compliance assessment, they asked is the backup storage encrypted? well, I can say yes because I can encrypt my storage partition :stuck_out_tongue_winking_eye:
Second, can you read all data stored in the backup? Er… Yes I can. :frowning:

I am thinking, it can be fulfilled both by adding a “Keyphase” in the Urbackup client setting, so the backup content of a client is encrypted by that keyphase, so you can only read the content if you have the keyphase.
I know it will increase the server loading very very much I can imagine the incremental backup mechanism, you need to decrypt everything, compare it then backup and combine it and encrypt it. sounds it will slow down to an unacceptable speed.
just my 2 cents.

Based on my previous needs, and what I’ve seen from other products, only the data itself would need to be encrypted. The names and other data (size, time, etc) would not need to be altered.

The goal would be just to protect the data itself.

I assume this would (or, at least, could) adversely impact DeDuplication, but for the intended use cases, that would be less of a concern.

@uroni is this feature on your roadmap? having data encrypted with a user key would really be a killer-feature and help a lot in keeping private data secured

An implementation of this is currently in the dev branch. It solves this “properly”, so it also encrypts metadata such as file names + sizes + file system structure, but of course de-duplication between clients isn’t possible anymore. Pieces such as being able to mount the encrypted backups on the server are currently missing plus a lot of other things.

Focus is currently on finalizing 2.5.y. So if you want to help, testing that would speed up that, so focus can be switched to dev.

9 Likes