
Is Acronis True Image Cloud "zero-knowledge"?

Beginner
Posts: 1
Comments: 0

Hi,

In researching cloud backup solutions, some products advertise themselves as being "zero-knowledge", which means that after the data stream gets encrypted as it leaves your machine, only you can decrypt it with your personally chosen password. The company that stores your data cannot decrypt it, as they have zero knowledge about your password. If you lose your password, no one can recover your data.

Is this the case with Acronis True Image Cloud?

I have been searching the support database and have not been able to find a conclusive answer.

Thanks!

Bert

0 Users found this helpful
Regular Poster
Posts: 0
Comments: 184

#1

Hello, Bert and Mary.

Yes, if you choose to encrypt your Cloud backup then the encryption password is not saved anywhere by the company. Only a person who knows the password (you) can decrypt it. So it can indeed be called a "zero-knowledge" service.

Beginner
Posts: 0
Comments: 1

#2

Hi all,

It is not zero-knowledge, unfortunately.

If you already have an encrypted backup in the Acronis Cloud, here is an easy way to check that:

  1. Log in to the Acronis Cloud web portal: https://cloud.acronis.com
  2. Click on "Recover" on one of your backups
  3. Don't type your password yet; instead, press F12 in your web browser
  4. In the troubleshooting window that appears, click "network"
  5. Now type your encryption key for this backup in the Acronis portal
  6. In the troubleshooting window, click on the "POST" request that appears
  7. Click on the "parameters" tab
  8. There, you can see that your encryption key has been fully sent to the Acronis server
  9. (You can now press F12 to close the troubleshooting window)

Thus, your encryption key is fully sent to the Acronis server, and they can use it to decrypt your data.

Now, it's up to you to trust them that they did not memorize your encryption key. For example, by request of a judge or a surveillance agency, they could be asked to record your encryption key and provide your decrypted data. Or an employee who has access to the server could capture / log the traffic containing your private key.
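
The manual check described in comment #2 can be repeated over a saved browser capture. The following is an added example, not part of the original thread and not Acronis code: it scans a HAR export (the format browser developer tools save network logs in) for a passphrase in plain and common encoded forms. The host `backup.example`, the field names and the sample passphrase are constructed for illustration.

```python
import base64
from urllib.parse import quote, quote_plus

def secret_forms(secret: str) -> dict:
    """Encodings in which a typed passphrase commonly appears on the wire."""
    raw = secret.encode()
    return {
        "plain": secret,
        "percent-encoded": quote(secret, safe=""),
        "form-encoded": quote_plus(secret),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }

def find_secret_in_har(har: dict, secret: str) -> list:
    """Return (method, url, location, encoding) for each place the secret is sent."""
    forms = secret_forms(secret)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        post = req.get("postData", {})
        # Every part of the request that can carry user input.
        fields = {"url": req["url"], "body": post.get("text", "")}
        for h in req.get("headers", []):
            fields["header " + h["name"]] = h["value"]
        for p in post.get("params", []):
            fields["param " + p["name"]] = p.get("value", "")
        for location, value in fields.items():
            for encoding, form in forms.items():
                if form in value:
                    hits.append((req["method"], req["url"], location, encoding))
                    break  # report each location once
    return hits

# Constructed sample capture: one harmless GET, one POST that carries the passphrase.
SAMPLE_SECRET = "correct horse & battery"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://backup.example/api/archives",
                 "headers": [{"name": "Accept", "value": "application/json"}]}},
    {"request": {"method": "POST", "url": "https://backup.example/api/recover",
                 "headers": [{"name": "Content-Type",
                              "value": "application/x-www-form-urlencoded"}],
                 "postData": {"text": "archive=42&password=correct+horse+%26+battery",
                              "params": [{"name": "archive", "value": "42"},
                                         {"name": "password", "value": SAMPLE_SECRET}]}}},
]}}

if __name__ == "__main__":
    for hit in find_secret_in_har(SAMPLE_HAR, SAMPLE_SECRET):
        print(hit)
```

An empty result only shows that the passphrase was not sent in these encodings; a key derived from it would not be matched. A HAR file saved after typing the passphrase contains that passphrase, so delete it once checked.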