CrashPlan (the free version) uses 128-bit Blowfish to encrypt your files. CrashPlan+ uses 448-bit Blowfish encryption, which is much stronger than the 128-bit encryption that online banking and most businesses use.
Blowfish is an encryption algorithm. It's a freely available, documented, and open method of encrypting data. Being open is very important. This means that the processes it uses are public and can be tested by everyone and are proven to be secure. Blowfish was invented by a security expert named Bruce Schneier. More information is available online here: http://www.schneier.com/blowfish.html
448-bit is the length of the key. The longer the key, the harder it is to decrypt data.
Put simply, if someone ever accessed your backup archive, both your password and encryption key are needed to decrypt your data.
Each data block is identified by the type/level of encryption, so you can have 448-bit encrypted blocks mixed with 128-bit encrypted blocks in the same backup. Backup continues where it left off and uses the stronger encryption for files going forward.
Your account password is the password you entered when you installed CrashPlan. Along with your email address, it links all your computers together.
Enter the account password if you indicated that a password is required to run the CrashPlan desktop. You'll also use the account password to access your CrashPlan account online.
A data password is used to prevent someone else from restoring your files. If you have enabled the data password option, you'll need to supply your data password before you can restore files.
The data password is never sent to CrashPlan, and therefore CrashPlan Support cannot retrieve or restore this password for you if you lose it.
Imagine you have your keys to your car locked in a safe. The data password is the key to the safe, not the keys to the car. You can still restore versions of files encrypted with the original data password and you don't need to start your backup over.
Your data is not actually encrypted with the data password or account password. Those passwords act as a way to lock or protect the actual key used to encrypt data. So if you change your password, we do not have to re-encrypt your data or start the backup over. We just re-lock the data key with the new data password. Your data encryption key never changes.
The data password is completely independent of your account password.
I hate to be the bearer of bad news, but the reason we give so many warnings before you use this feature is that there is absolutely no way to help you recover a password we are never privy to.
The only way to fix this would be to start your backup again, since you won't be able to decrypt the data that has already been backed up. To do this:
Yes, we escrow the data encryption key when not using a private data password.
If you use a private data password, we escrow the locked key for you in case your computer is lost or stolen; however, we cannot use it, as only you (the customer) know the secret (private data password) to unlock it.
It is stored in your CrashPlan configuration settings but locked by your private data password. It is also stored in the archive, locked by your private data password; this facilitates guest restore.
Upon reinstalling CrashPlan, your configuration settings are pulled from our server, including your locked encryption key. You are then prompted for your private data password before restoring. The private data password is used to unlock the encryption key to begin restore.
Yes, we relock the data encryption key with the new password when it is changed.
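The locking and re-locking described above (passwords protect the data key rather than encrypting data, and the escrowed key stays locked by the private data password), as an added Python sketch that is not CrashPlan's code or storage format. PBKDF2, the HMAC-SHA256 pad standing in for a real key-wrap cipher, the blob layout and all function names are assumptions chosen so it runs on the standard library alone.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def _kek(password: str, salt: bytes) -> bytes:
    # Derive a key-encryption key (KEK) from the data password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    # 32-byte one-time pad from HMAC used as a PRF (stand-in for a key-wrap cipher).
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def lock_key(data_key: bytes, password: str) -> bytes:
    """Return salt || nonce || wrapped key || tag; only this blob would be escrowed."""
    if len(data_key) != 32:
        raise ValueError("sketch handles 32-byte data keys only")
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"mac" + salt + nonce + wrapped, hashlib.sha256).digest()
    return salt + nonce + wrapped + tag

def unlock_key(blob: bytes, password: str) -> bytes:
    """Recover the data key, or raise ValueError on a wrong password or tampering."""
    if len(blob) != 96:
        raise ValueError("malformed locked key")
    salt, nonce, wrapped, tag = blob[:16], blob[16:32], blob[32:64], blob[64:]
    kek = _kek(password, salt)
    expect = hmac.new(kek, b"mac" + salt + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong data password or corrupted locked key")
    return bytes(a ^ b for a, b in zip(wrapped, _pad(kek, nonce)))

def change_password(blob: bytes, old: str, new: str) -> bytes:
    # Re-lock the same data key; blocks already backed up are never touched.
    return lock_key(unlock_key(blob, old), new)

if __name__ == "__main__":
    data_key = os.urandom(32)                      # constructed sample key
    blob = lock_key(data_key, "old passphrase")    # constructed sample passwords
    blob2 = change_password(blob, "old passphrase", "new passphrase")
    assert unlock_key(blob2, "new passphrase") == data_key
    print("data key unchanged after password change")
```

Whoever holds only the blob, as an escrow server would, has nothing to unlock it with, which is also why a forgotten data password cannot be recovered.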
Yes, it is transferred securely: not necessarily over SSL, but with the same encryption technology used to encrypt data during backup. The key itself is also locked (encrypted).
Yes. Checking the “Secure data with a private data password” check box affects ALL of your computers. Setting the data password on one computer sets the same data password on all computers under your account, and you'll need to enter this data password on all the computers in your account.
To use CrashPlan together with FileVault, you have two choices:
When evaluating software for HIPAA compliance, you need to examine how the product handles security issues (passwords, transmission, encryption, etc.).
In these areas, CrashPlan is HIPAA compliant and here's why: