Mozy secures your data using either 448-bit Blowfish or 256-bit AES encryption. If you elect to use the Mozy default encryption, the Blowfish algorithm is used; if you create your own key from a pass phrase, the encryption key is created using AES. The account administrator can choose what type of encryption key can be used with the Mozy software, and how to deploy it.
Note
If your account is identified in the Admin Console as being subject to HIPAA security rules, the Mozy default encryption key cannot be used. This reduces concerns regulators might have about your vendor, Mozy, having access to your organization's encryption key.
That encryption is permanently associated with all files sent to the Mozy cloud from that computer.
Administrators can configure the Mozy software before installation to assign the encryption key type for users. The client software configuration can also be used to automate installation with a corporate key or KMS keys. If you use corporate key, all Mozy software that is installed by the affected users use the same corporate encryption key. If you use a KMS key, each affected user has a unique KMS encryption key.
You can change the encryption key type after you install the Mozy software. Doing this requires deleting the computer from the account and re-activating the software.
If users are permitted to activate the software, a user can re-launch the setup wizard through the software and reactivate. Otherwise, you must uninstall the software, then reinstall and reactivate. The Mozy software then uploads all the files again to ensure that the stored files match the current encryption key.
Encryption Options
Regardless of the type of encryption key that is used, files are encrypted in the first step of processing before they are sent to the Mozy cloud. This ensures that they are secure before ever leaving your computer and remain so during transit and at rest in the Mozy cloud. If you are using personal encryption keys, a corporate encryption key, or KMS encryption keys, Mozy cannot read and will not escrow your encryption key;
therefore, the files are never decrypted until you restore them to your computer.
The type of encryption key that is used determines whether some tasks are seamless and simple or whether extra steps are required. The Mozy default encryption key yields the least complicated experiences. A personal or corporate encryption key requires an extra set of steps for certain tasks. For example, if a personal encryption key is used, that key must be supplied to access files from the Mozy cloud when you use the Mozy mobile app. If a personal or corporate key is used, when you download files from the Mozy cloud using a web browser that you must then also use the Mozy
decryption utility to supply that key. If a KMS key is used, you must use the backup software or Restore Manager to download and decrypt files.
With a few exceptions, most features of Mozy are available regardless of which type of encryption key is used.
Table 4 Mozy encryption key options
Default encryption key
The Mozy default encryption option uses 448-bit Blowfish to encrypt files.
Mozy separately stores the key. This option lets Mozy automatically decrypt your files when you download or restore them. This is the least complicated, most seamless experience for users, imposing no restrictions on any Mozy features.
Personal encryption key
When you download and restore files, you must supply this key to decrypt those files. Mozy does not have access to your personal encryption key and cannot decrypt files for you. This means that if you lose your key, Mozy cannot help you decrypt your files. When you reinstall the Mozy software or install it on a replacement computer, you must supply this same key to ensure continued access to files you have previously backed up.
If you choose to use a personal encryption key and you also use the Mozy mobile app, you must provide your personal key to view and download files from the Mozy mobile app.
If you choose to use a personal encryption key with Mozy Sync, each instance of the sync software you install must use exactly that same key.
If you use a personal encryption key, several Mozy features are affected.
l File previews and image thumbnails are not available in Mozy on the web.
l Files cannot be uploaded from a web browser to your set of synchronized files.
l You must use the Mozy decrypt utility to manually decrypt archive packages that are downloaded from the web and files that are instantly downloaded from the web.
Corporate encryption key
Corporate encryption keys are created using a special utility, the Crypto Utility.
To protect against unauthorized access to the encryption key, Mozy assigns a shared secret that is used to encrypt the corporate encryption key file using the Blowfish algorithm. This two-step process ensures that your encryption key is secure. Mozy cannot assist you in decrypting files that you have backed up, as Mozy does not have access to your key. Corporate encryption keys are shared among all users in your organization or within a user group and can be distributed to the local computers or stored on a network server for users to access.
If you use a corporate encryption key, several Mozy features are affected.
l If you are using mobile devices, the corporate encryption key must be stored on a web server that is accessible to mobile devices.
l Files cannot be uploaded from a web browser to your set of synchronized files.
l File previews and image thumbnails are not available in Mozy on the web.
l When manually downloading files instantly from the web, or when downloading archive packages, the administrator must use the Mozy decrypt utility to manually decrypt the files.
Table 4 Mozy encryption key options (continued)
l When the Restore Manager is used to download files from the web, it must have access to the corporate key.
KMS encryption key
The KMS encryption key option uses 256-bit AES encryption. Keys are generated and managed by a key management server (KMS) that communicates with Mozy through the Key Management Interoperability Protocol (KMIP). Each user has a unique key for encrypting files. Users do not need to remember this key, because it is managed by the Mozy software and KMS. Mozy cannot assist you in decrypting files that you have backed up, as Mozy does not have access to your key. The KMS encryption key option is available only to MozyEnterprise accounts.
If you use KMS encryption keys, several Mozy features are affected.
l You cannot use the KMS encryption key option with the Mozy mobile app.
l You cannot use the KMS encryption key option with Mozy Sync.
l File previews and image thumbnails are not available in Mozy on the web.
l The KMS encryption key option allows you to backup files using the backup software on Windows. Mac OS X and Linux are currently not supported.
You can restore files using the backup software on Windows. If you have permission, you can also restore files using Restore Manager on Windows.
Encryption Key Derivation for Custom Keys
When customizing an encryption key, whether personal or corporate, Mozy runs the pass phrase you enter through multiple passes of the SHA-512 algorithm to create a hash of the pass phrase. The 256-bit AES encryption key is created from the resulting hash. Mozy never has access to your encryption key and is not able to assist you in decrypting your files if you misplace the key.
Table 5 Custom encryption key depravation
Personal Encryption Keys
Once created, the encryption key is hashed through multiple passes of the SHA-512 hashing algorithm and then stored on the local system.
On Windows, the hashed encryption key is stored in the registry. The key is additionally protected with the Microsoft Data Protection API and cannot be read by users or administrators of the computer.
On Mac OS X, the hashed encryption key is stored in state.db.
Hashing the result ensures that the encryption key remains secure on the local system. You can also save the key to a .dat file for safekeeping if you need to reinstall the software in the future.
Corporate Encryption Keys
When creating corporate encryption keys, Mozy adds the encryption key to a .ckey file and encrypts the file using a shared secret. The shared secret ensures that even if your .ckey file is compromised, your encryption key cannot be read and used to decrypt your files. Keep in mind, the shared secret is not used to encrypt or decrypt your data. The shared secret is used to encrypt your encryption key adding another level of security to your data.
When you install the Mozy software on your endpoints, Mozy decrypts the corporate encryption key file so the encrypted pass phrase can be stored on the local system. The encryption key is hashed through multiple passes of the SHA-512 hashing algorithm, encrypted with a Blowfish algorithm in CBC
Table 5 Custom encryption key depravation (continued)
mode using a symmetric key obfuscated and hidden in the client binary, and then stored on the local system.
On Windows, the hashed encryption key is stored in the registry. The key is additionally protected using the Microsoft Data Protection API, with a per-user encryption key, and cannot be read by per-users or administrators of the computer.
On Mac OS X, the hashed encryption key is stored in state.db.