Official Blog
Hyper Backup encryption technologies explained
Max Wu
November 22, 2019 · 5 min read

How AES and RSA work together to protect C2 backup data

You cannot be too careful when it comes to protecting your valuable assets. Suppose you have a collection of precious heirloom jewelry. You put it in a jewelry box with a lock to protect against theft. But it’s simply not safe enough, so you turn to a bank and store your jewels in a safe deposit box securely kept in a vault for extra protection and peace of mind.

We value data confidentiality as much as you value your valuables. That’s why we employ AES-256 and RSA-2048 encryption technologies to make your backup data virtually invulnerable to unauthorized access and malicious attacks.

But what are they exactly?

AES-256

AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning that the same key is used to encrypt and decrypt data. Every backup version is encrypted with a randomly generated AES key, and you’ll need the very same key to decrypt the data. Of the three AES key lengths (128, 192, and 256 bits), 256 bits is the longest, and that’s what makes it extremely difficult to crack.

RSA-2048

To add an extra layer of protection to the AES key, it is further encrypted by an RSA-2048 public key. RSA (Rivest–Shamir–Adleman) is an asymmetric encryption algorithm used to secure data transmission with a key pair – a public key and a private key used for encryption and decryption respectively. Only the owner of the paired private key can decode the public-key encrypted message.

A perfect match

When you create a task to back up data from the client-side NAS to the server-side cloud via Hyper Backup, two AES-256 keys will be generated: one for the filename and the other for the backup version. We make the filenames unreadable because we know sometimes you don’t feel comfortable showing them to others and thus they’d better be kept secret. The hard-coded filename key will turn your file name into ciphertext, so no one on the server side will see your filename whatsoever. As for the version key, it is randomly generated for each backup version. When the backup task is done, the version key will then be further encrypted by an RSA public key before the backup data goes to the server side.

Below is the flow diagram showing how it all works. Suppose you create a backup task (version 1): a filename key and a version 1 key will be generated and protected by AES-256. To bolster data privacy and security, the version 1 key will then be encrypted using an RSA-2048 public key. Rest assured that your backup data is now safe and sound because all that’s on the server side is encrypted.

Image 1. How encryption works

Now that we understand how encryption works, it’s time to talk about how to restore a particular backup version. The filename key uses a symmetric algorithm, so the same key used for encryption is needed to decipher the filename. Sounds simple enough, right? The version key is a bit more complicated: you’ll have to use an RSA private key to decrypt the AES-protected version key.

Image 2. How to restore your data

So, how are these keys distributed?

On the client side, you have an RSA public key and a hard-coded filename key. When launching Hyper Backup Explorer, you’ll be asked to set up a password to get the RSA private key. It’s of paramount importance to keep this private key because whatever is encrypted by the public key can only be decrypted by it.

We strongly recommend that you upload the private key to your NAS. The encryption key downloaded from Hyper Backup stays only on your NAS unless it’s saved elsewhere, meaning no one, not even Synology, can decipher your data. If you are unfortunate enough to lose the private key, does it mean that you lose your data for good?

We simply won’t let it happen.

We value your data as much as you do. You can make a request for the password-protected private key stored on the server side as your last resort. As long as the password doesn’t slip your mind, you can still access your backup data all in one piece. Note that if you lose your private key and forget your password, then your data is really gone forever. Take the precautions as indicated above to prevent that from ever happening.
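The version-key flow described above (random AES-256 key per backup version, wrapped with the RSA-2048 public key, unwrapped at restore with a password-protected private key) can be sketched as follows. This is an added example, not Synology's code or the Hyper Backup on-disk format. The AES-GCM mode, RSA-OAEP padding, the function names and the sample data are assumptions made for illustration, and filename encryption is left out.

```javascript
// Added illustration of the per-version envelope scheme; not Hyper Backup's code.
// Assumed for the sketch: AES-256-GCM for data, RSA-OAEP (SHA-256) for key wrapping.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// One RSA-2048 key pair; the private key is exported already password-protected.
function makeKeyPair(password) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: password },
  });
}

// Backup: fresh random 256-bit version key, then wrap it with the RSA public key.
function backupVersion(publicKeyPem, plaintext) {
  const versionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', versionKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, versionKey);
  // Only these fields are stored; the raw version key never leaves this function.
  return { wrappedKey, iv, tag: cipher.getAuthTag(), data };
}

// Restore: unwrap the version key with the private key + password, then decrypt.
function restoreVersion(privateKeyPem, password, version) {
  const versionKey = nodeCrypto.privateDecrypt(
    { key: privateKeyPem, passphrase: password, ...OAEP }, version.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', versionKey, version.iv);
  decipher.setAuthTag(version.tag);
  return Buffer.concat([decipher.update(version.data), decipher.final()]);
}

// Constructed sample: the same content backed up as two versions.
const keys = makeKeyPair('constructed-example-password');
const v1 = backupVersion(keys.publicKey, Buffer.from('constructed backup payload'));
const v2 = backupVersion(keys.publicKey, Buffer.from('constructed backup payload'));
const restored = restoreVersion(keys.privateKey, 'constructed-example-password', v1);
console.log(restored.toString());
// Different version keys mean identical content yields different ciphertext.
console.log('ciphertexts equal:', v1.data.equals(v2.data));
```

Calling `restoreVersion` with the wrong password throws before any data is decrypted, which is why losing both the private key and the password leaves the backup unrecoverable.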

Data in good hands

Since Synology C2 data centers only recognize incoming data with your Synology Account, only you have access to your data in every operation you perform. You can enable client-side encryption via Hyper Backup to encrypt your data with the AES-256 cipher before it’s sent to Synology C2 data centers. Plus, your NAS and Synology C2 communicate through secure channels with SSL encryption. When logging into your Synology C2, you can enable two-step authentication to enhance the security level, keeping your backup data out of harm’s way.
