SpiderOak Woes

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Apr 12 11:47:42 EDT 2011


On Apr 12, 2011, at 11:08 AM, Gordon Marx wrote:
> 
> Pardon my "ignorance", but what is a "master encryption key" going to
> do? I upload an encrypted file to them, I keep the key to myself,
> there's no way they can use anything to break it.

Say that your storage provider uses AES-256 so you have a 256-bit key space to work with.  There are two problems with this.  First, you can't type more than about 1/4 of this key space on a keyboard.  Second, if you change your password then you have to recrypt all of your data.

The usual method of solving these two problems is the same method used by PGP and SSH.  The software first generates 256 bits worth of random data.  This is the real encryption key used to encrypt and decrypt your data.  This key is then encrypted with your password, so even if someone else gets his hands on the file he can't use it to get at your data.

Here is where the master key comes in: the provider makes a second encrypted copy of your key using its own master key.  Your key file then has two copies of your key in it: one that only you can decrypt and one that the provider can decrypt.  The provider cannot recover your password; it isn't known.  But your encryption key is known and that can be given to law enforcement without your knowledge.

None of which matters if you use some other encryption mechanism before uploading files to the storage provider.

--Rich P.
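
The key-file layout described in the message above, as an added example that is not part of the original post and not any provider's code. The function and field names are assumptions, and `wrap()` is an HMAC-SHA256 stand-in for a real key-wrap cipher such as AES key wrap, used so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

def kek_from_password(password, salt):
    # Stretch a typeable password into a 256-bit key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap(kek, data_key):
    # Stand-in key wrap: HMAC-derived keystream, then encrypt-then-MAC.
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data_key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek, slot):
    # Verify the tag first so a wrong KEK fails loudly instead of
    # returning garbage key material.
    want = hmac.new(kek, b"mac" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, slot["tag"]):
        raise ValueError("wrong key or corrupted slot")
    stream = hmac.new(kek, b"enc" + slot["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))

def new_key_file(password, provider_master_key=None):
    data_key = os.urandom(32)  # the real 256-bit key that encrypts the files
    salt = os.urandom(16)
    key_file = {"salt": salt,
                "user_slot": wrap(kek_from_password(password, salt), data_key)}
    if provider_master_key is not None:
        # Second copy of the same data key, openable without the password.
        key_file["escrow_slot"] = wrap(provider_master_key, data_key)
    return key_file, data_key

def unwrap_user(key_file, password):
    return unwrap(kek_from_password(password, key_file["salt"]), key_file["user_slot"])

def change_password(key_file, old, new):
    # Only the user slot is re-wrapped; the data key, and so every file
    # encrypted under it, stays exactly as it was.
    data_key = unwrap_user(key_file, old)
    key_file["salt"] = os.urandom(16)
    key_file["user_slot"] = wrap(kek_from_password(new, key_file["salt"]), data_key)
```

A key file built with a provider master key carries an `escrow_slot` that keeps unwrapping to the same data key after any number of password changes; one built without it has only the user slot.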





