Encryption & Key Management

Zmanda Pro ensures that user data is always encrypted prior to storage, employing robust AES-256-CTR encryption with Poly1305 in AEAD mode and high-entropy random keys. The client device generates and manages the encryption keys automatically. These data encryption keys are subsequently encrypted using the backup user's password and stored on the Zmanda Pro Server. As a result, (A) the administrator cannot decrypt the data without the backup user's password, and (B) if the device becomes lost or damaged, only the password for the backup user associated with that device is needed to restore the data.

Note that Zmanda Pro offers an optional zero-trust model which eliminates administrators' ability to reset backup user passwords. When using zero-trust, data becomes unrecoverable if the backup user password is lost or forgotten.

Zero-knowledge ratchet

The backup user's password is utilized to generate two 192-bit keys (the "L" and "R" keys) through PBKDF2-SHA512, using fixed parameters for consistent results. The L-key is employed for logging into server instead of the actual password; the server retains only a bcrypt(sha512) hash of this L-key. The R-key remains exclusively on the client device and is used to encrypt secret keys within the user's profile on the server.

Storage Vault encryption keys

When Zmanda Pro initializes a Storage Vault, it creates two high-entropy random keys: a 256-bit "A" key and a 128-bit "E" key. All device data in the Storage Vault is encrypted with the A-key using AES-256 in CTR mode and authenticated with Poly1305 in AEAD (encrypt-then-MAC) mode. The permanent A-key is encrypted with the E-key and stored in the Storage Vault. The E-key is then encrypted with the R-key and saved in the backup user's profile on the Zmanda Pro server. During a backup, the client derives the private R-key from the backup user's password to decrypt the E-key, which is used to decrypt the A-key for data storage. This layered approach allows for key rotation, as a new E-key can be generated without re-encrypting all data in the Storage Vault.

Last updated