> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Robert Hajime Lanning
> 
> Data encrypted at rest. (AES256)
> AES256 keys encrypted with PKI.

Well, Dropbox also does AES256 at rest - but AES256 is only good if nobody else 
has your keys.  Unfortunately, they do.

It looks like, at the Personal and Business level, Norton Zone is the same - by 
just signing up for an account, no keys are generated, your content is stored 
on their server, accessible on multiple devices including your web browser, 
which means, if any encryption is used, they have your keys.  

But if you want to subscribe to the Enterprise offering, "For larger companies 
that need more control," then pricing is undisclosed, and you can get the 
Symantec Encryption Management Server, for additional undisclosed pricing, then 
your company may build your own CA and manage encryption keys of stuff that's 
stored on the Norton servers.

Synctuary maintains meta information, including MD5 sum, and doesn't compare 
the local & remote sides against each other.  Instead, it compares against meta 
information, to determine what has *changed* and replicates changes to the 
other side, including end-to-end data integrity.

> Of course, if you want to run your own, there is open source:
> http://owncloud.org/

It's true that ownCloud exists.  But when I tried them out in 2012,
https://lists.lopsa.org/pipermail/discuss/2012-May/016970.html

I had two major complaints - The sync algorithm, and the bad crypto.

Their sync algorithm looks at the timestamps on each side, and requires that 
the clocks be kept in sync with each other, +/- a little fudge factor, which 
was around 10sec.  While keeping clocks in sync is not a showstopper, it meant 
that if you restored an old copy of a file from backup, your restored file 
would get clobbered by the client re-downloading the later copy from the other 
side.  And if you quickly made a change, your change would not go to the other 
side, because your file was still considered to be "in-sync," just as before 
your change.  Not to mention some other problems...

The crypto problems were:  The encryption is entirely done server-side, which 
means, you cannot operate your server in an untrusted environment such as 
public cloud.  (If you can only encrypt in a trusted environment, why bother 
encrypting?)  

It was also done with password-based encryption, without any work factor, which 
is bad crypto (like passwordmaker.org or protectedtext.com) and makes the 
crypto usually easily crackable, with nothing more than a laptop.

At present, as described before, Synctuary has the same level of protection - 
you can run something like TrueCrypt in an untrusted environment, but your data 
would be vulnerable in-memory.  

When the Synctuary encryption feature becomes available this summer, the crypto 
will be done client-side, based on keys derived from a root trust including a 
strong work factor and never exposed to an untrusted environment.  Safe to 
operate in the public cloud.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
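
Added example, not part of the original message and not code from Synctuary or ownCloud: a Python comparison of the two change-detection approaches the message describes, run over the restore-from-backup and quick-edit cases it mentions. The function names, the record layout and the sample files are assumptions made for illustration; only the 10-second tolerance and the use of an MD5 sum come from the message.

```python
import hashlib

FUDGE_SECONDS = 10  # tolerance the message reports for the timestamp-based client

def md5_of(data: bytes) -> str:
    # MD5 because the message names it; it flags changes, it is not tamper-proof.
    return hashlib.md5(data).hexdigest()

def timestamp_decision(local: dict, remote: dict) -> str:
    """Compare the two sides' mtimes directly; the newer copy wins."""
    delta = local["mtime"] - remote["mtime"]
    if abs(delta) <= FUDGE_SECONDS:
        return "in-sync"
    return "upload" if delta > 0 else "download"

def metadata_decision(local: dict, remote: dict, recorded_md5: str) -> str:
    """Compare each side against the checksum recorded at the last sync."""
    local_md5, remote_md5 = md5_of(local["data"]), md5_of(remote["data"])
    local_changed = local_md5 != recorded_md5
    remote_changed = remote_md5 != recorded_md5
    if local_changed and remote_changed:
        return "in-sync" if local_md5 == remote_md5 else "conflict"
    if local_changed:
        return "upload"
    return "download" if remote_changed else "in-sync"

def run_scenarios() -> dict:
    """Constructed sample data: last sync happened at t=1000 with content v2."""
    v1, v2, v3 = b"report v1", b"report v2", b"report v2 + quick edit"
    recorded = md5_of(v2)
    remote = {"mtime": 1000, "data": v2}
    cases = {
        # Old copy restored from backup, keeping its original (older) mtime.
        "restore": {"mtime": 400, "data": v1},
        # Local edit made 3 seconds after the last sync.
        "quick_edit": {"mtime": 1003, "data": v3},
        # Nothing touched since the last sync.
        "untouched": {"mtime": 1000, "data": v2},
    }
    return {name: (timestamp_decision(local, remote),
                   metadata_decision(local, remote, recorded))
            for name, local in cases.items()}

if __name__ == "__main__":
    for name, (by_time, by_meta) in run_scenarios().items():
        print(f"{name:10} timestamp={by_time:9} metadata={by_meta}")
```

In the restore case the timestamp rule answers "download", which overwrites the restored file, while the recorded-checksum rule sees a local change and answers "upload".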
