Client side encryption
This page is about optional client-side encryption of backed-up data. Separately, all data exchanged using the BURP protocol is always encrypted in transit with public-key cryptography. Client-side encryption can be used when the client does not trust the server, or as an additional layer of protection.
WARNING: This page is not written by professional cryptographers studying your case. Do your own research before using any kind of encryption if your life or freedom depends on it, or (especially) if you hold private data of millions of users. If you get yourself killed or imprisoned after over-trusting any kind of encryption, do not come to us crying.
The encryption_password option needs to be set in the client configuration in order to enable built-in client-side encryption. Some caveats:
- File names are not encrypted.
- Delta differencing stops working (the whole file is transferred and stored even if only one byte has changed).
- Decryption of files without BURP can be difficult (but not impossible).
On Linux, it is possible to use the reverse-encryption feature of EncFS to create a client-side encryption layer that is independent of BURP. It differs from the BURP built-in encryption in the following ways:
- File names are encrypted (but modification times and approximate sizes are not!).
- Delta differences work.
- Since files are encrypted in blocks, more information about file changes is revealed to an attacker.
- Encryption does not depend on BURP encryption code, but on the somewhat more mature EncFS project.
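The trade-off in the two lists above, as an added illustration that is not BURP or EncFS code: a toy SHAKE-256 keystream stands in for the real ciphers, the whole-file mode is assumed to use a fresh nonce per run, and the block mode is assumed to be deterministic per block position. The block size, function names and sample file are all constructed for this example.

```python
import hashlib
import os

BLOCK = 1024  # assumed block size for this toy model


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy keystream (stand-in for a real cipher; do not use for actual encryption)."""
    return hashlib.shake_256(key + label).digest(length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_whole_file(key: bytes, data: bytes) -> bytes:
    """Whole-file mode: fresh random nonce per run, prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + _xor(data, _keystream(key, b"file" + nonce, len(data)))


def encrypt_per_block(key: bytes, data: bytes) -> bytes:
    """Block mode: keystream depends only on the key and the block index."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        label = b"blk" + (i // BLOCK).to_bytes(8, "big")
        out += _xor(chunk, _keystream(key, label, len(chunk)))
    return bytes(out)


def changed_blocks(old: bytes, new: bytes) -> list[int]:
    """What anyone holding two ciphertext versions can compute without the key."""
    return [i // BLOCK for i in range(0, max(len(old), len(new)), BLOCK)
            if old[i:i + BLOCK] != new[i:i + BLOCK]]


def demo() -> tuple[list[int], int]:
    key = hashlib.sha256(b"constructed demo password").digest()
    v1 = bytes(range(256)) * 32   # constructed 8 KiB sample file
    v2 = bytearray(v1)
    v2[5000] ^= 0xFF              # one byte changed, inside block 4
    per_block = changed_blocks(encrypt_per_block(key, v1), encrypt_per_block(key, bytes(v2)))
    # Skip the 16-byte nonce so the ciphertext blocks line up for comparison.
    whole = changed_blocks(encrypt_whole_file(key, v1)[16:], encrypt_whole_file(key, bytes(v2))[16:])
    return per_block, len(whole)


if __name__ == "__main__":
    print(demo())
```

In block mode only block 4 differs, so a delta stays small but the server learns which part of the file changed; in whole-file mode all 8 blocks differ, so nothing is learned about the change and nothing can be sent as a delta.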
TODO