Let's suppose one wants to store valuable data (e.g. a Bitcoin seed) in an encrypted cloud such as NordLocker. Would it make any sense for such a person to encrypt this data (offline) first with his/her own password, using GPG or similar?
1 This is the 'browser crypto chicken and egg problem'. If you can't trust NordLocker with your secrets, then how can you trust NordLocker to serve you secure client-side crypto code? See https://security.stackexchange.com/questions/238441/solution-to-the-browser-crypto-chicken-and-egg-problem for some interesting reading on this subject. – mti2935 May 04 '23 at 15:03
2 Answers
Yes, it makes a lot of sense to encrypt the data before sending it to any storage service. Even if the service claims to encrypt your data, this doesn't necessarily guarantee the confidentiality and integrity of the data:
- The encryption used by the provider could be faulty. This is not just a theoretical risk. Using encryption properly and designing secure protocols is difficult.
- The provider claims to use end-to-end encryption, so that it cannot possibly access your data, but this would have to be verified through the source code.
- Even if the claim is true, the client-side encryption still happens through a tool of the provider. If they knowingly or unknowingly broke the end-to-end encryption at some point in the future, it would be difficult to detect that.
Sure, it can protect against the following.
Backdoors:
A malware version of the software downloaded by accident or because an attacker compromised the software update delivery process of the cloud.
Implementation error:
It wouldn't be the first time random number generation was faulty. Or even the crypto itself. Maybe even a zero day attack on the crypto used. For this reason it may be interesting to use an unrelated cipher on the inner encryption.
Account exposure:
If a hacker figures out the password(s) to an account, a piece of data encrypted with a totally unrelated key is useless until they clear that hurdle as well.
Malicious cloud operator:
It's theoretically possible the cloud operator is doing sketchy stuff in the background unbeknownst to their users and selling the interesting data to the highest bidder. Probably not, but not impossible.
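The offline pre-encryption step that both answers recommend, as an added example that is not part of either answer: it wraps GnuPG symmetric encryption in POSIX shell, checks the round trip before anything is uploaded, and lets `INNER_CIPHER` select a cipher other than the one the provider uses. The function names, the `INNER_CIPHER` variable and the passphrase-file convention are assumptions made for this example.

```bash
#!/bin/sh
# Added example: an inner, offline encryption layer applied before a file is
# given to any cloud client. Function names and paths are hypothetical.
set -eu

# inner_encrypt PLAINTEXT OUTPUT PASSFILE
# Symmetric OpenPGP encryption; gpg reads the passphrase from the first line
# of PASSFILE. INNER_CIPHER selects the cipher (e.g. TWOFISH, CAMELLIA256).
inner_encrypt() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$3" \
      --symmetric --cipher-algo "${INNER_CIPHER:-AES256}" \
      --output "$2" "$1"
}

# inner_decrypt CIPHERTEXT OUTPUT PASSFILE
# Exits non-zero on a wrong passphrase or a modified ciphertext.
inner_decrypt() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$3" \
      --output "$2" --decrypt "$1"
}

# roundtrip_ok PLAINTEXT CIPHERTEXT PASSFILE
# Confirms, before the ciphertext is uploaded or the plaintext removed, that
# the ciphertext decrypts back to exactly the original bytes.
roundtrip_ok() {
  _tmp=$(mktemp); _rc=0
  inner_decrypt "$2" "$_tmp" "$3" 2>/dev/null && cmp -s "$1" "$_tmp" || _rc=1
  rm -f "$_tmp"
  return "$_rc"
}

# Usage: sh inner.sh PLAINTEXT OUTPUT PASSFILE   (upload only OUTPUT)
if [ "$#" -eq 3 ]; then
  inner_encrypt "$1" "$2" "$3"
  roundtrip_ok "$1" "$2" "$3" && echo "verified: $2 decrypts correctly"
fi
```

Only the `.gpg` output belongs in the synced folder; the plaintext and the passphrase file stay offline.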