The encryption routine takes two parameters – the file descriptors of input file and the output file to which the encrypted data is to be saved. It is always a good idea to zero-fill your buffers using the memset or bzero commands before using the buffers with data. This is especially important if you plan to reuse the buffers. In the program below, the input data is being encrypted in blocks of 1K each.
The steps for encryption are as follows :-
- Create a cipher context
- Initialize the cipher context with the values of Key and IV
- Call EVP_EncryptUpdate to encrypt successive blocks of 1k eack
- Call EVP_EncryptFinal to encrypt “leftover” data
- Finally call EVP_CIPHER_CTX_cleanup to discard all the sensitive information from memory
You may be wondering what “leftover” data is? As mentioned earlier, Blowfish encrypts information in blocks of 64-bit each. Sometimes we may not have 64 bits to make up a block. This may happen if the buffer size in the program below or the file/input data size is not a integral multiple of 8 bytes(64-bits).So accordingly the data is padded and then the partial block is encrypted using EVP_EncryptFinal. The length of the encoded data block is stored in the variable tlen and added to the final length.
int
encrypt (int infd, int outfd)
{
unsigned char outbuf[OP_SIZE];
int olen, tlen, n;
char inbuff[IP_SIZE];
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init (& ctx);
EVP_EncryptInit (& ctx, EVP_bf_cbc (), key, iv);
for (;;)
{
bzero (& inbuff, IP_SIZE);
if ((n = read (infd, inbuff, IP_SIZE)) == -1)
{
perror ("read error");
break;
}
else if (n == 0)
break;
if (EVP_EncryptUpdate (& ctx, outbuf, & olen, inbuff, n) != 1)
{
printf ("error in encrypt update\n");
return 0;
}
if (EVP_EncryptFinal (& ctx, outbuf + olen, & tlen) != 1)
{
printf ("error in encrypt final\n");
return 0;
}
olen += tlen;
if ((n = write (outfd, outbuf, olen)) == -1)
perror ("write error");
}
EVP_CIPHER_CTX_cleanup (& ctx);
return 1;
}
To ensure that your private data stays private, CrashPlan encrypts your files before transport, with no dependency on destination or Internet security. CrashPlan+ / CrashPlan PRO uses 448-bit Blowfish encryption; CrashPlan (the free version) uses 128-bit Blowfish, the same 128-bit encryption that online banking and most businesses use.
“128” and “448” refer to the length of the encryption key. The longer the key, the harder it is to decrypt data.
Blowfish is an encryption algorithm. It’s a freely available, documented and open method of encrypting data. Being Open is very important, because it means that it uses public processes that can be tested by everyone and as a result, proven to be secure. Blowfish was invented by a security expert named Bruce Schneier.
We escrow the encryption key to protect you in case your computer is lost or stolen. Because only you (the customer) knows the private password, no one else can restore your files. In the event that you need to reinstall CrashPlan, your configuration settings are pulled from our server, including your locked encryption key.
CrashPlan’s servers maintain this encryption key, so it is transferred securely with the same encryption technology used to encrypt data during backup. The encryption is stored as part of your CrashPlan configuration settings and in the archive.
Considerations
- Your private key is never cached or stored on any remote location. It is stored on the source computer that is being backed up. Your data is encrypted with the key on the source computer, so that CrashPlan can back up without prompting.
- CrashPlan uses the same key for restoring files.
- Unless you replace the archive encryption key with your own private key, the encryption key doesn’t change. This means that you can still restore versions of files associated with the original password. If you change your password, CrashPlan locks the encryption key with the new password.
- Your private password or private key is never sent to CrashPlan, and therefore CrashPlan Support cannot obtain the password or key for you if you lose it. You won’t be able to restore the data that has already been backed up without the private password, and you will need to restart your backup from scratch.
- If you really must downgrade your security, you will have to create a new account and start over. If you want to does this under the same email address, email support to disable your account.