Skip to main content

Public Links to encrypted backup in cloud

Thread needs solution
Beginner
Posts: 1
Comments: 5

My understanding is that if I create a password-protected backup and store it to the Acronis Cloud, then the backup is encrypted AES-256 on the local machine and passed securely to the Acronis server, and that no information is also passed to the server that would allow decryption of the backup after it leaves the local machine.

However, the Cloud browser has the option of creating a Public Link. It appears from my testing that creating this public link and passing it to a third party will allow the third party to browse a decrypted version of the backup on the server. Can someone explain how this is possible if the backup on the server is really encrypted?

In fact, now that I think about it, I don't even understand how the Cloud browser can work if the backup is really encrypted on the server since it shows an unencrypted view of the file structure of the backup in a browser window.

Skip

0 Users found this helpful
Legend
Posts: 102
Comments: 23402

#1

Skip, if I click on the option to 'Open location' for my encrypted (password protected) Cloud backup, once the Cloud web page opens, I am immediately prompted to provide the password needed to open that protected password.

From that point forward, Acronis works using my password to provide the further access to the backup contents, including the ability to create and share public links to that data.

The help text for these public links states the following:

Managing your public links

If you have backups or versions of synchronized files stored on Acronis Cloud, you can create links to files and folders. After a public link is created, you can copy and send it to your friends. Your friends will be able to download the shared file to their computers via the Internet using a web browser.

To make a file available to other users, you just need to create a public link to this file and send the link to the people with whom you want to share the file. You can also publish the link, for example, on a forum which makes the file accessible to forum members.

A public link always points to the latest version of a file. You cannot create a link to a previous file version.

Creating public links

To create a public link:

  1. On the Files tab, select the corresponding check box of a folder or a file you want to make public.

    You can select several files and folders. In this case the program creates a separate public link for each selected item.

  2. Click the Copy link button.
  3. Click Copy All to Clipboard button.

    When you create public links for several files at once, you can copy each link to the Clipboard separately by clicking the icon - web restore copy link icon to the right of the corresponding link.

Managing public links

All your public links are located on the Sharing tab. You can check whether the published files and folders were downloaded and how many downloads were done.

The following operations are available for you:

  • To remove a public link and cancel sharing of a file, click the Settings icon (settings) to the right of the file, select Cancel sharing and confirm the operation.
  • To remove all public links at once, click the Cancel All Sharing button and confirm the operation.
  • To publish a link one more time, click the Settings icon (settings) to the right of the file, and select Copy Link to Clipboard.

My reading of the above is that Acronis is allowing you to circumvent your own password encryption in sharing such a public link, hence if this is what you don't want to do, you should not be using these links, or else ensure that the link is only to data that can be shared safely. 

Beginner
Posts: 1
Comments: 5

#2

Thanks, Steve.

 

I'm just trying to understand how secure Acronis Cloud may be. I do not see how it is possible to create a feature such as a public link unless Acronis can decrypt the file on its server. Perhaps unencrypted versions are also stored on the server. I don't understand why Acronis does not publish fully the details of how cloud encryption works, and this makes me suspicious that there are holes in the process. My concern is about maintaining the security of my data since I would expect the Acronis Cloud to be a prime hacking target.

 

Skip

Legend
Posts: 102
Comments: 23402

#3

Skip, the best advice I can offer here is for you to open a Support Case with Acronis to ask for further assurances about the security of your data stored in the Acronis Cloud / servers.

Beginner
Posts: 0
Comments: 4

#4

Hi,

I noticed the same thing, as George Foster did. This looks like a serious security risk. I have the newest ATI version 2019, build 14110.

Is there any way to disable at all linking feature for my account / backup? Also... I'm also wondering... how can one access linked files if they are encrypted, without typing in private key, hmm??

Legend
Posts: 102
Comments: 23402

#5

Adam, please see my earlier comments on this topic.

Public links require the user to provide the encryption password when they are being created, so the ultimate control here is with that user.

If you do not need or want to use public links, then there is no security exposure unless you still go ahead and create such links.

If you want to share specific data via the Acronis Cloud, then make a separate backup to upload that data, with or without encryption according to how secure it needs to be, then create a public link only to that data or a subset of it.

Further than the above, if you are really concerned then you should open a Support Case directly with Acronis to explore any security concerns about these public links to your Cloud data.

Beginner
Posts: 0
Comments: 4

#6

Thanks, Steve. I raised a Support ticket. Documentation could be a little more detailed on this manner, to avoid asking such questions by users over and over again.

Forum Moderator
Posts: 174
Comments: 5860

#7

Hello Everyone,

just wanted to add that the shared links are password-protected now