Ubuntu One needs cloud encryption like LastPass does it

Sam Smith smickson at hotmail.com
Thu Apr 5 22:42:23 UTC 2012

The point is that SpiderOak (and Lastpass) never know the user's password. And never receive the encryption key. The key never leaves the user's computer. The server never gets it. The only thing that ever lands on the server is an encrypted blob. 

What this means is that the user doesn't have to worry about the 3rd party taking care of the data. If the 3rd party is hacked, if the 3rd party has a rogue employee, etc. The data has a much better chance of being safe than if it's implemented like say iCloud where even if the data is encrypted Apple holds the encryption key and can access the data anytime they want. If Apple can access the data, a rogue employee and a hacker can potentially access the data.

> Date: Thu, 5 Apr 2012 11:32:33 -0500
> Subject: Re: Ubuntu One needs cloud encryption like LastPass does it
> From: jordon at envygeeks.com
> To: amon at vnl.com
> CC: smickson at hotmail.com; ubuntu-devel-discuss at lists.ubuntu.com
> On Thu, Apr 5, 2012 at 8:18 AM, Dale Amon <amon at vnl.com> wrote:
> > On Wed, Apr 04, 2012 at 07:55:09PM -0400, Sam Smith wrote:
> >>
> >> I use "SpiderOak" because it offers client-side encryption. It provides the security & privacy I seek.
> >>
> >> I'd prefer to use Ubuntu One, but until it supports client-side AES 256-bit encryption & additionally encrypts the decryption key itself (like SpiderOak does) I won't even consider it.
> >
> > And rightly so. With the new NSA capabilities going into
> > place and the atmosphere around the world, you are
> > absolutely not safe in your privacy if it is possible
> > for anyone to acquire your keys or decrypt your files
> > without stealing your computer and beating or threatening
> > the password out of you.
> >
> > I include various State's laws seizures and court orders
> > under the classification of 'stealing and threatening'.
> Encrypting the encryption key has nothing to do with security, you
> guys are spreading FUD and assumptions now IMO.  Encrypting the key
> has to do with usability, it's no more secure than having a single
> encryption key that you have memorized and actually it's the same
> concept except fragmented between you and the data... they still need
> only attempt to break into a single file and then they have access to
> all the other files... They encrypt your encryption key because it's
> much more feasible to re-encrypt a single file then it is to
> re-encrypt the entire set of fragmented data.  Whether on your
> computer or not if you have gigabytes or hundreds of gigabytes of data
> it could take quite a long time to re-encrypt it unless you have
> dedicated crypto hardware. Then you have to re-upload all that data
> again, wasting their bandwidth and wasting more space on their
> servers.  This is why utilities just create a strong encryption key
> for themselves and encrypt that file with your key.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20120405/88c4eff0/attachment.html>

More information about the Ubuntu-devel-discuss mailing list