Ubuntu One needs cloud encryption like LastPass does it

Dale Amon amon at vnl.com
Fri Apr 6 00:41:47 UTC 2012

I would not be so harsh on these companies. They
are very quietly *told* that they will comply
with the will of certain agencies. Or else. And
they are not allowed to tell their customers. Or
else... But they are trying to sell security. So
what are they going to do? They are going to
do a doublethink and try to give you something that
is Mostly Secure. Except against certain parties.

The encryption key cannot sit on the 3rd party site.
It has to be resident on your own computer and 
under the owners control only. You cannot access
secure data anywhere from any computer. You can
only access it from particular machines on which
you have your secure key, or via a USB key that
contains a copy of the user key. 

The user's password for their crypto key should
never, ever go out across the internet. It should
happen locally, within the secure machine. 

This is all Crypto 101. It's not like it was 
something new or strange.

I do not know the details, so I will ask: is it 
the case that:

	* The user crypto key is generated on the
	  the user machine.

	* The password for the user key is set on
	  the user machine and never leaves it.

	* The user crypto key never leaves their

	* The user's password for their crypto key
	  is never used outside the confines of their
	  local machine.

	* The data is fully encrypted on the user
	  machine and only encrypted data transits
	  the net and sits on the storage server.

	* The encryption algorithm is such that 
	  no key except the one on the users 
	  machine can decrypt the remotely stored

Unless all four statements are true, the data
is *not* safe. 

If the statement made in the other reply is true,
and you can 'retrieve your data from any internet
device' then it is patently obvious that data 
security *is* violated.

Dale Amon
Immortal Data Corporation

More information about the Ubuntu-devel-discuss mailing list