Summary
A core feature of BOBcloud's Cloud Backup Suite is the focus on data confidentiality and security, achieved using the most secure encryption methods and standards. By default, all your data is encrypted on your device before any data is transferred to the cloud. The encryption password is not transmitted to your cloud account, which prevents it from being read or modified by a third party.
Along with strong data protection capabilities, we provide our Resellers with tools for easy encryption key management — protecting encryption keys from loss, corruption, and unauthorised access — and the recovery of encryption keys.
What is Data Encryption?
Data Encryption is the process of completely re-writing a file using an algorithm so that the data is obscured and cannot be read unless a secret key or password is provided to decrypt the data back into its original form.
How BOBcloud Uses Encryption to Protect Your Data
Data encryption protects the confidentiality and security of data during backup, transit, rest, and restore.
1. When data is transmitted via the Internet or other networks during backup, restore, or replication.
2. When data is stored in the backup destination — on the cloud or a Reseller's own platform.
All files are encrypted before they are transmitted to backup storage. If data is intercepted during transfer or at rest, it is useless — the backup data is stored in an encrypted format that cannot be decrypted without the correct key.
SSL / TLS Encryption in Transit
All communications between the Server and Desktop backup agents and the BOBcloud server or public cloud storage are via a 256-bit SSL (Secure Sockets Layer) channel using the TLS v1.2 protocol. Authentication parameters and encrypted files are further encrypted within the SSL channel, providing a double layer of protection during transit.
Encryption Algorithm
BOBcloud provides three encryption algorithm options. AES is the default we set.
| Algorithm | Protection Level | Recommended Use |
|---|---|---|
| AES (default) | Highest | Sensitive data, financial records, commercial secrets |
| Twofish | High | General business data |
| DESede | Standard | Less sensitive data where performance is prioritised |
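Two encryption methods (block cipher modes of operation) are also available: ECB (Electronic Codebook) and CBC (Cipher Block Chaining). Our default is AES 256-bit in CBC mode; AES is the industry-standard algorithm approved by the US government for securing top-secret information. ECB encrypts identical plaintext blocks to identical ciphertext blocks, so patterns in the data remain visible in the backup; keep the CBC default unless you have a specific reason to change it.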
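The difference between the two modes, as an added example (not BOBcloud or Ahsay code): it counts repeated ciphertext blocks when the same constructed data is encrypted in ECB and in CBC. To stay within the Python standard library it uses a toy 4-round Feistel permutation as a stand-in for AES; the key, IV and sample data are constructed for the demonstration.

```python
import hashlib

BLOCK = 16  # bytes; same block size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation. A stand-in for AES, NOT a secure cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("sample must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key.
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample: 64 identical 16-byte records, as in a sparse or zero-filled file.
KEY = hashlib.sha256(b"constructed demo key").digest()
IV = hashlib.sha256(b"constructed demo iv").digest()[:BLOCK]  # real IVs must be random
SAMPLE = b"ACCOUNT=00000000" * 64

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE)))
```

Under ECB every one of the 64 ciphertext blocks is the same, so anyone holding the stored backup can see where data repeats without knowing the key; under CBC no block repeats.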
Can AES-256 Be Cracked?
Given enough time and processing power, any known encryption algorithm can theoretically be cracked using a brute force attack. AES-256 has 2^256 possible key combinations, a number that exceeds the number of atoms in the observable universe.
Estimated time to crack AES-256 using the most powerful supercomputers available today
Even with El Capitan — one of the world's fastest supercomputers at 1,742 petaflops — cracking AES-256 remains computationally infeasible. This makes AES-256 one of the most secure encryption methods currently available.
Encryption Key Types
BOBcloud offers three options for generating the encryption key, depending on the customer's required security level:
| Type | Key Strength | Encryption Level |
|---|---|---|
| Default | Randomly generated 44-character string (A–Z, a–z, 0–9, special chars) | AES 256-bit CBC |
| User password | Dependent on login password complexity | AES 256-bit CBC |
| Custom | Dependent on client preference | Client preference |
Important: After an encryption key has been created for a backup set, it cannot be edited or read later. If the encryption key needs to be changed, a new backup set must be created and data backed up from scratch.
Where is the Encryption Key Stored?
The encryption key is stored in a special file (settings.sys) encrypted using AES-256, on the machine where the backup agent is installed.
| OS | Server Agent | Desktop Agent |
|---|---|---|
| Windows | %USERPROFILE%\.Server\config | %USERPROFILE%\.Desktop\config |
| Linux / Unix | /root/.Server/config | — |
| macOS | /Users/%username%/.Server/config | /Users/%username%/.Desktop/config |
| Synology NAS | /volume1/@appstore/BOBcloudServer/.Server/config | — |
When Do I Need to Enter My Encryption Key?
- The original machine has suffered a fatal failure and you need to install the agent on a new machine to restore files.
- When accessing a backup set originally created on another machine.
- The .server or .desktop folder on the machine has been deleted.
- The settings.sys file has been accidentally deleted or corrupted.
- When using BOBcloud to restore files on behalf of a client (Service Providers only).
Note: If you do not have the correct encryption key, you will not be able to access the backup set or perform any backup/restore jobs.
Encryption Key Best Practices
- Do not use an encryption key containing personal information (name, birthday, login name, abc123, etc.).
- The encryption key should be at least 8 characters long.
- Use both uppercase (A–Z) and lowercase (a–z) characters, numbers (0–9), and special characters (+/-\=@#$%^&*()).
- Keep a written copy of the encryption key stored securely off-site. Without the correct key, your data cannot be recovered.
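One way to check a candidate key against the guidance above and to bound its search space in bits, as an added example (not BOBcloud or Ahsay code). The function name, the `personal` list and the sample keys are assumptions made for the illustration; the bound assumes a printable-ASCII key whose characters were chosen uniformly at random, which overstates the strength of any human-chosen key.

```python
import math
import string

MIN_LENGTH = 8        # minimum length from the guidance above
AES_KEY_BITS = 256    # a key string cannot add strength beyond the cipher's key size

CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "digit": string.digits,
    "special character": string.punctuation,  # superset of +/-\=@#$%^&*()
}


def check_key(key: str, personal: tuple = ()) -> dict:
    """Check a candidate key against the guidance and bound its search space.

    `personal` is a caller-supplied list of strings to reject (name, login, ...).
    """
    problems = []
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    pool = 0
    for name, chars in CLASSES.items():
        if any(c in chars for c in key):
            pool += len(chars)
        else:
            problems.append(f"no {name}")
    lowered = key.lower()
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains personal information")
    # Upper bound for printable-ASCII keys: assumes every character was chosen
    # uniformly at random from the classes present.
    bits = len(key) * math.log2(pool) if pool else 0.0
    return {"max_bits": min(bits, AES_KEY_BITS), "problems": problems}


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    for candidate in ("abc123", "Alice+1990#xy", "Tr4vel+Log#9"):
        report = check_key(candidate, personal=("alice",))
        print(f"{candidate!r}: <= {report['max_bits']:.0f} bits, {report['problems'] or 'ok'}")
```

An 8-character key that satisfies every rule is bounded at roughly 52 bits, while a random 44-character key reaches the full 256-bit AES key size, so the brute-force figures quoted for AES-256 only hold when the key itself is long and random.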
Encryption Key Management Options
| | Partner/MSP Managed | Client Managed |
|---|---|---|
| Storage | Key stored in AES-256 encrypted file on the BOBcloud server. BOBcloud staff cannot access this password. | Only the client knows the encryption key. |
| Recovery | Keys can be recovered by contacting BOBcloud. We open a request with Ahsay and they send the password directly to the customer. | If the key is lost or forgotten, the backup data is lost forever. |
| Security Level | High | Highest |
Self-Service Encryption Key Recovery
If a client loses their encryption key, BOBcloud can request recovery via the Ahsay Self-Service Encryption Key Recovery Service. Requirements:
- A valid maintenance contract.
- BOBcloud Server / Desktop must be on v9 or above.
- The "Upload encryption key after running backup for recovery" setting must be enabled.
- The "Encryption Recovery" option must be enabled on the backup client.
- The client must have successfully uploaded encryption key details after a backup job.
- The contact email address in the backup user account must be valid.
Important: This service should never be considered a reliable recovery method. Ahsay charges a fee, recovery time is not guaranteed, and the feature can be disabled per backup set. There is no substitute for storing encryption passwords off-site in a secure location.