HBS3 Client-Side Encryption Algorithm

[tuofs]

Hey,

in the past QNAP has used different encryptions depending on which backup option was used, this seems to be unified now with "Client Side Encryption".
As I'm running multiple backups with this option and would like to have a small script to check whether the decryption is still working or it's bit-garbage in my server.

Also in case of disaster recovery I would rather not rely on HBS3 to bring my files back, but to be able to do it by hand if things go downhill.

Does anyone know how the encryption is working and if yes what opensource tool to use to decrypt?

[Moogle Stiltzkin]

this is why i tested first whether client side encryption worked before i consider using it for my backup.

but i too wonder about this. how to run a check every now and then to see that the encrypt hasn't gone corrupt at some point.

in winrar i would click run test, then i would know extract the file will work. so i'm wondering if there is something similar for this?

[tuofs]

Yeah it doesn't even need to be implemented by QNAP, just knowing if I run openssl with these parameters and my password would let me decrypt my files would help me a lot and let me sleep better

[Jon2288]

I found this on the client side encryption. It is old but does state AES 256:

https://www.qnap.com/en-us/how-to/tutor ... tion-note/


"client-side AES-256 encryption"

Then further states it uses openssl:

"(4) Client site encryption: when enabled, your files will be encrypted before being transferred to the cloud storage, and your data will remain encrypted in the cloud storage. The encryption key is derived from the password you enter for this job. Without your password to decrypt the file, your original data cannot be decrypted. This prevents unauthorized access to your confidential data even if your credentials of the cloud storage are compromised or if your cloud storage provider tries to access your data. As standard openssl is used for encrypting the files, you can use it to decrypt your files after you download the files using other utilities without using a Turbo NAS. Please note that you cannot change this setting after a job is created."



What I would expect is that the software today adds something to the passphrase you provide to make it locked to the app to decrypt. Maybe not, haven't tried to decrypt with openssl yet. Will report back here when I do.

[kiravae]

Has anyone tried this yet? I prefer to use client-side encryption, but don't quite like the idea that I would require a QNAP to access my remote data (seeing as I would probably only need to do a complete restore if something happened to my current QNAP).

[bigcookie]

try this: https://github.com/Mikiya83/hbs_decipher
Developed by a forum member - dont find the thread yet quickly...

Worked for me in backup mode at least (didnt try sync mode)

[adricu]

You can decrypt files with openssl this way:

Code: Select all

openssl enc -md md5 -aes-256-cbc -d -in INPUT_FILE -out OUTPUT_FILE

[sentinelvdx]

You can decrypt files with openssl this way:

Code: Select all

openssl enc -md md5 -aes-256-cbc -d -in INPUT_FILE -out OUTPUT_FILE

Hi,

How am I suppose to use this command? Let's say I download one .pdf from the whole backup job
Don't see in that line the path of the file or where should I put the passphrase

Using S.G.S9+ Duos w/ Tapatalk

[dguerri]

The files compressed with client-side encryption Version 2 of HBS3 have an header, which contains the actual key and an initialisation vector that have been used for AES-256-CBC and some other metadata.

You can't use a single openssl cli command to decrypt these files.

Here is a quick and dirty shell script using openssl, which work only with files encrypted with Version 2 of the algorithm: https://gist.github.com/dguerri/92d9330 ... ddd4e00f00