Hacker News new | past | comments | ask | show | jobs | submit login

Arq seems to be a backup rather than a sync service that makes your files available on all your devices + from the web. As for the questions:

1. I couldn't find detailed info on Arq, but "plain" encrypted storage is different from client-side encryption (where you, and nobody else, control the keys)

2. Our integrity check is very efficient, allowing us to update a hash of the complete dataset in real-time (while re-MD5ing a set of data at every small update takes time)

3. See another answer in this thread: from a security point of view, the fact that the server is not open-source does not matter as the client verifies all server replies.

We believe that our security features are top-notch and are worth the price if you really care about the security of your data :-)




1. Tarsnap and (I believe) Arq both have client-controlled keys; the server can't decrypt data.

2. Stop saying you MD5 things, and, if you're using it, stop using MD5. Also: this is not a compelling feature. Tarsnap HMAC-SHA256's every block of data it stores.

3. I'm not going to tell you that you need to open-source your server, but I wouldn't give "it doesn't matter for security" as a reason why.

You should put a page together that explains your whole cryptosystem, down to "why you're using CFB" and "how you pick IVs for CFB" and "where integrity checks are performed", so that people can review it. It's awfully hard to assess security claims without detailed information.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: