SpiderOak Woes

[blu-Z8efaSeK1ezqlBn2x/YWAg at public.gmane.org (Edward Ned Harvey)]

> From: discuss-bounces-mNDKBlG2WHs at public.gmane.org [mailto:discuss-bounces-mNDKBlG2WHs at public.gmane.org] On Behalf
> Of Gordon Marx
> 
> On Tue, Apr 12, 2011 at 11:03 AM, Richard Pieri <richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
> wrote:
> > Take statements like that with a grain of salt. ?A provider could be
unable to
> recover your passwords but still have access to everything you have stored
> there through a master encryption key. ?Look for the law enforcement
> caveat in the service contract, or alternatively look for the "zero
knowledge"
> statement in those terms.
> 
> Pardon my "ignorance", but what is a "master encryption key" going to
> do? I upload an encrypted file to them, I keep the key to myself,
> there's no way they can use anything to break it.

You're not being ignorant.  The master encryption key comment was misplaced,
or irrelevant in context about crashplan.

In concept, a master encryption key is:  When you encrypt data, it's
possible to make it decryptable using multiple keys.  For example in
FileVault (Mac OSX) the administrator can create a master password before
giving the laptop to a user, and then the end user encrypts their data using
a secret password.  But if the user ever loses their password, then the
administrator can still "rescue" the data using the master pass.

Since the context of this conversation is crashplan:  Crashplan explicitly
states that if you elect to use your own password or key, it will be
required before decrypting, and if you lose your key or password, the data
will not be recoverable.  While they did not say "We do not have a master
key to access your data without your key or password"  it is evident from
their statements, that they do not have a master key.  

Now if someone wants to make an argument that crashplan is lying, that's
another situation.  Hopefully such an argument won't be made without first
obtaining some factual basis.