I was recently listening to the radio and heard the technology guru talking about Carbonite. I’ve also recently heard mention of Mozy. Both of these are fully automatic online backup solutions which, once installed, back up every file written to your disk. Carbonite even keeps previous versions of files (and deleted files) for 30 days after modifications were made, just in case the problem is not corruption or loss, but user error.

Both services encrypt the files on the PC using Blowfish before transmission; typically with a key that is generated by (and archived by) the service. Mozy has, and Carbonite is planning to release, the capability of using your own encryption key which is not archived by their servers. Additionally, both transmit everything over SSL. (Why the second layer of encryption is necessary perplexes me.)

What happens when one of these companies’ key archives is stolen by a hacker or disgruntled employee? What if a large organization offered an employee 5 times their yearly salary to get another person’s key/data? How do we know they’re really doing the encryption properly? Why aren’t they FIPS 140 validated? Why Blowfish and not AES? If I’m a corporation that doesn’t think these services are trustworthy, how can I make sure my employees don’t use one of these services to back up corporate data?

Both Carbonite and Mozy offer free trials; check them out if you wish. There are plenty of other competitors out there too. Automated online backup seems like an interesting idea, but still presents too many questions for me.

One thought on “Online Backup”

  1. Walt says:

    While the SSL will only encrypt the files during transmission, if you don’t encrypt the traffic to the server, you’re allowing an attacker to get access to the (poorly) encrypted data, and then brute force the key.

    Anyway, from Carbonite’s FAQ:

    What is Carbonite and who is it for?
    Carbonite is Backup for Everyone™ — a simple, safe online backup service for casual home PC users, students, home office users, road warriors, etc. For five dollars a month, Carbonite will backup all the data on your PC (digital photos, music, office documents, and other valuable data) whenever your PC is connected to the Internet.

    That may explain why they aren’t using strong cryptography…the service isn’t intended for a business audience. And, if a company doesn’t want their employees using the service, they should provide a better, more secure alternative.

    P.S. – it’s hard to keep track of what you’ve written with this tiny comment box
