www.BOBcloud.net
www.BOBcloud.net
Updated: February 2025
Summary
A core feature of BOBcloud’s Cloud Backup Suite is the focus on data confidentiality and security, achieved using the most secure encryption methods and standards. By default, all your data is encrypted on your device before any data is transferred to the cloud. The encryption password is not transmitted to your cloud account, which prevents your encryption password from being read or modified by a third party. Along with strong data protection capabilities, we provide our Resellers with tools for easy encryption key management (protecting encryption keys from loss, corruption, and unauthorised access), and the recovery of encryption keys.
What is Data Encryption?
Data Encryption is the process of completely re-writing a file using an algorithm so that the data is obscured and cannot be read
unless a secret key or password is provided to decrypt the data back into its original form.
BOBcloud Data Encryption
How Does BOBcloud Use Encryption To Protect Your Data?
This is how BOBcloud backs up your sensitive client data to our service or any other cloud storage. Clients need to be confident their data is secure from unauthorised access.
Data encryption protects the confidentiality and security of data during backup, transit, rest, and restore.
1. When data is transmitted via the Internet or other networks during backup/restore or replication.
Backup / Restore
2. When data is stored in the backup destination(s), i.e. on the cloud or a Reseller’s own platform.
Backup Server on Cloud
www.BOBcloud.ne
BOBcloud Data Encryption
Customer Server
Server
Cloud storage
Backup Server on Cloud
Internet
SSL
User File
Compressed &
encrypted file
Compressed &
encrypted file
This is
a doc
All files are encrypted before they are transmitted to the backup storage. If the data is intercepted during transfer or at rest, it would be useless because the backup data is stored in an encrypted format on the backup destination.
www.BOBcloud.net
BOBcloud Data Encryption
Customer Server
Server
Cloud storage
Backup Server on Cloud
Internet
SSL
256-bit SSL communication (TLS v1.2)
Authentication parameters & encrypted files are further encrypted within an SSL channel
All communications between the Server and Desktop backup agents and the BOBcloud server or public cloud storage are via a 256-bit SSL (Secure Socket Layer) channel. This uses TLS (Transport Layer Security) v1.2 protocol to ensure your data is transmitted securely.
www.BOBcloud.net
BOBcloud Data Encryption
Encryption Algorithm
BOBcloud provides three encryption options: AES is the default we set.
AES, Twofish or DESede
AES provides the highest level of protection and DESede the lowest. Different levels of encryption allow you to protect your backup sets at varying levels, as there is a trade-off between backup/restore performance and data security.
When encrypting data using an AES algorithm, the backup speed may be affected more than the DESede algorithm. Therefore, you should use AES for sensitive client information, commercial secrets, and financial records. Consider using a lower encryption option such as Twofish or DESede for less sensitive data.
However, in reality, AES rarely affects performance in modern systems.
In addition, two encryption methods are available:
ECB (Electronic Codebook) and CBC (Cipher Block Chaining)
Our default encryption method is CBS (256-bit). You can set your own using ECB or CBC (128 or 256-bit) key lengths.
The default encryption algorithm provides the highest level of protection and is the industry standard AES (Advanced Encryption Standard) encryption algorithm. It has a 256-bit key length and CBC mode. This is the only publicly available encryption algorithm approved by the US government for securing top-secret information
www.BOBcloud.net
BOBcloud Data Encryption
SSL
Can an AES Algorithm Be Cracked?
Given enough time and processing power, any known encryption algorithm can be cracked using a brute force attack, i.e. systematically checking through all possible combinations.
AES 256 bit encryption algorithm has a possible (2^{256}) combinations.
To put this into perspective, this is an astronomically high number, far exceeding the number of atoms in the observable universe. This immense number of combinations makes AES-256 extremely secure against brute-force attacks.
5.42 x 1052 years to crack
With (2^{256}) possible keys, it would take millions of years to try all combinations using current computing power.
Even with the most powerful supercomputers available today, such as El Capitan, which can achieve 1,742 petaflops, the time required to crack AES-256 remains infeasible. This immense computational effort makes AES-256 one of the most secure encryption methods currently available.
Age of planet Earth 4.54 × 102 years
5.42 x 1052 years
Estimated life of planet Earth 7.79 × 102 years
Time required to crack an
AES 256 bit encryption
www.BOBcloud.net
BOBcloud Data Encryption
Encryption Key
BOBcloud uses an encryption key to encrypt and protect your backup sets and data from unauthorised access. After an encryption key has been created for a backup set, it cannot be edited or read later. It can be read from a live system after a successful login.
If the encryption key on a backup set needs to be removed or changed then:
- A new backup set must be created with the new encryption key.
- The data will have to be backed up again from scratch.
5.42 x 1052 years
www.BOBcloud.net
BOBcloud Data Encryption
Encryption Type
BOBcloud offers three different options for generating the encryption key, depending on the security level required by the customer: Default, User password, and Custom.
Type
Default
Encryption Key Strength
The default option and is the most secure as the encryption key is a randomly generated 44 character key string with; upper case (A-Z) and lower case (a-z) characters, numbers (0-9), and other characters (/,\,=,+..).
Encryption Level
AES, 256 bit, CBC
User password
Dependent on login password complexity
AES, 256 bit, CBC
Custom
Dependent on client preference
Client preference
www.BOBcloud.net
Although different encryption options are available, BOBcloud provides Resellers and MSPs an easy way to customise which encryption options clients can use. This encourages good data security practices via the BOBcloud group policy.
Note: If the “User password” option is selected for generating the encryption key:
- BOBcloud Server / BOBcloud Desktop will use the current login password as the encryption key.
- The encryption key will not change, even when the login password is updated later.
BOBcloud Data Encryption
Where Is the Encryption Key Saved and How Is It Protected?
The encryption key that protects the backup data is stored in a special file (settings.sys) encrypted using the AES 256-bit algorithm. This file is stored on the machine where the Server or Desktop backup agent is installed.
Depending on the operating system of the machine the settings.sys file is located in the following folder:
Operating System
BOBcloudServer
BOBcloudDesktop
Windows
%USERPROFILE%\.Server\config
%USERPROFILE%\.Desktop\config
Linux / UNIX
/root/.Server/config
-
Mac OS X
/Users/%username%/.Server/config
/Users/%username%/.Desktop/confi
Synology NAS
/volume1/@appstore/BOBcloudServer/.Server/config
-
www.BOBcloud.net
-
BOBcloud Data Encryption
When Do I Need To Enter My Encryption Key?
The common situations where the Server or Desktop backup agent will require you to enter the encryption key:
The original machine has suffered a fatal outage and you need install Server or Desktop on a new machine to restore the files.
When accessing a backup set originally created on another machine.
The .server or .desktop folder on the machine has been deleted.
The settings.sys file is accidentally deleted or corrupted.
When using BOBcloud to restore files (Service Providers only)
www.BOBcloud.net
Note: If you do not have the correct encryption key you will not be able access the backup set and data or perform any backup/restore jobs.
BOBcloud Data Encryption
Encryption Key Best Practices
For backup sets protected with “User password” or “Custom” encryption setting it is very important to make sure the encryption key will not be easily cracked or guessed. Please consider the following recommendations when creating an encryption key for your backup set.
Do not use an encryption key containing personal information, i.e. name, birthday, qwerty, login name, abc123, 123456 etc.
The encryption key should be at least 8 characters long.
The encryption key should contain both uppercase (A-Z) & lowercase (a-z) characters, numbers (0-9), and other characters (+/-\=@#$%^&*())
Keep a copy of the encryption key
www.BOBcloud.net
The encryption key is the password that allows access to your data, without the correct encryption key your data will not be recoverable. It is highly recommended that you keep a separate copy of your encryption keys and store them in a secure place. Clients are prompted to do this during the creation of each new backup set on BOBcloud Server / BOBcloud Desktop
BOBcloud Data Encryption
How To Manage Encryption Keys.
To meet both the needs of your clients and to satisfy any contractual, legal, or regulatory requirements related to data confidentiality and security, BOBcloud allows partners flexibility on how they choose to manage their clients’ encryption key:
Allow your clients to manage their own encryption keys.
The client encryption key is not stored unencrypted on the BOBcloud backup clusters. Clients managing their own encryption keys provide the highest level of protection. The downside is that if a client loses or forgets their encryption key, they will not be able to access their backup sets or recover data from them.
Manage their client encryption keys.
A copy of the encryption key is uploaded and stored on the BOBcloud platform in a special file (EncryptionKeys-YYYY-MM-DD.json.rgz) for each backup set.This is encrypted using an AES 256 bit algorithm to maintain the confidentiality and security of the client data.
The EncryptionKeys-YYYY-MM-DD.json.rgz file located in BOBcloud user home path: %_USERHOME%\{%username%}\%backupset_id%\settings folder.
www.BOBcloud.net
BOBcloud Data Encryption
Suppose a client ever loses their encryption key. In that case, BOBcloud can request an encryption key recovery directly from the Ahsay web management console using our “Self Service Encryption Key Recovery Service”.
This service should never be considered a reliable method of recovering your encryption password because Ahsay makes a charge; the recovery time is not guaranteed, and it is possible to turn off this feature on backup sets. There is NO substitute for storing your encryption passwords off-site in a secure location.
Partner/MSP
Client
Security Level
The keys are stored in a file protected by AES 256 bit encryption on the BOBcloud server (BOBcloud staff cannot access this password). The partner/MSP does not have access to keys.
Only the client knows the encryption key.
Recovery
Encryption keys can be recovered by contacting BOBcloud. We will open the request with Ahsay and they will send the password to our customer and not us.
If the encryption key is lost or forgotten, the backup data is lost forever.
www.BOBcloud.net
BOBcloud Data Encryption
To use the Self-Service Encryption Key Recovery Service, Resellers must have:
- A valid maintenance contract.
- BOBcloud Server / BOBcloud Desktop must be on v9 or above.
- The “Upload encryption key after running backup for recovery” setting is enabled on the backup user account on the BOBcloud backup server.
- The “Encryption Recovery” option must be enabled on the BOBcloud Server / BOBcloud Desktop backup client.
- BOBcloud Server / BOBcloud Desktop v9 must have successfully uploaded the encryption key details after a backup job. These are saved in the EncryptionKeys-YYYY-MM-DD.json.rgz file located in BOBcloud user home path: %CBS_USERHOME%\{%username%}\%backupset_id%\settings
- The contact email address in the backup user account must be valid.