![]() Providers like BoxCryptor may also store an encrypted copy of your private key (I believe they do), which is downloaded to the client and decrypted with a password. ![]() The encrypted files are then passed to the actual storage provider, which generally would have seen the plaintext, would have access to the file key, and would be able to provide decryption to law enforcement. ![]() That means they never see private keys or file keys, and they have no access to the encrypted data. The way they do it means the symmetric key is generated by you, and they manage only the public keys so that other users can access the file. The seed would then be stored securely in the same way that cryptographic keys are.īoxCryptor however is different from a cloud storage provider, they are a cloud cryptography provider. The private key is no longer stored, and a large amount of computing power is required to regenerate the private key from the seed using a deterministic process (say 100 billion hash iterations and 4 gigs of ram). If that kind of system is required, I would use a per account warrant public key, from a private key which was generated from a seed. It is possible that for legal reasons, the storage provider encrypts a third copy with their own key, so that data can be decrypted if they are served with a warrant. Only the private keys can then decrypt the file decryption key and thus the data. 2 copies of the symmetric key are then encrypted, one with a user asymmetric public key, and one with the master asymmetric public key. The way I would implement it is probably similar to the way many storage providers with encryption capability do.Ī random key symmetric is generated and used to encrypt the data.
0 Comments
Leave a Reply. |