Encryption Keys, User Data and Subpoenas

In the past week, we’ve seen Dropbox, a company that as another company we respect quite a bit and personally I use quite a bit, have to engage and discuss a recent alteration of their terms of service to be more transparent about who and how someone can access a given user’s data for the service.

As a company who also acts as a storage system/service, we felt that taking the time to explain (as we have in the past) how Nasuni approaches the problem of customer data and access would be worthwhile. Dropbox and the Nasuni Filer are two very different products, aimed at two very different markets, but both ship data to “the cloud” – and data security is important to both.

The Nasuni Filer incorporates something we feel is critical for data security – unique, customer controlled encryption keys, using industry standard encryption software. Every volume has support for one or more encryption keys. Our customers are in control of all of the keys in use by the volumes on the Filer. Keys can come from one of two places – first, a customer can provide a key or second, for those customers who do not want to manage the keys themselves, the Filer can generate a new unique encryption key.

Nasuni does not have access to any key provided by a user.

For customers who chose Filer generated keys, these keys can be saved by the customer but are additionally placed in escrow with Nasuni for user convenience. Encryption keys supplied by customers do not get escrowed with Nasuni, nor do they leave the Filer in any way.

Whether the key comes from the user or is generated by the Filer the key is never stored in the cloud, with the cloud storage provider (so they can not decrypt your data), or anywhere near your data.

The simple rule is this: If you provide the encryption key; we never have access to that key. If you ask us to generate the key for you; we do retain a copy of the key in escrow. You can use this knowledge to determine how you, as the user, provide and use the encryption keys.

That’s how the Filer works – but now we have to address the legal aspect: Nasuni, as a US based company, must comply with legal requirements just as Dropbox and every other storage provider in the US must.

If Nasuni receives a request from the government, such as a subpoena, we first evaluate the legality of the request with our lawyers before we even consider handing over anything customer related. Next, we notify the user/company of the request except when there is a legally binding reason for us not to.

Once legally validated, Nasuni is under obligation to provide data to the agency making the request. We will provide them access to the data and records they request, and if a customer has escrowed their keys with us, we would need to supply those as well as the data, meaning that the agency would have both required pieces to decrypt and access the file contents.

If a customer has provided their own encryption key(s) – Nasuni, or the cloud provider, do not have those keys, and can not provide them as part of a subpoena or other legal process. We can not decrypt or access your data. We can not supply a key which we do not have. This is not policy or trust level protection: It’s impossible.

We offer auto-generated and escrowed keys as a convenience to the user – the benefits of having this feature outweigh the cost. A user or company who knows nothing about encryption keys and key escrow can still have strong data security and instantaneous disaster recovery, they can install a Filer in minutes and immediately be up and running.

The flipside is as I’ve outlined: if legally compelled, we have to provide those keys.

Since day one our best practice and advice has been to generate and use your own keys when possible, and to simplify this, we offer numerous features within the Filer to add/remove/change encryption keys on volumes.

We believe that the model we support offers the best balance between user experience and security – you are always in control, and can pick the appropriate key model that fits your business and processes. Should you provide your own encryption key(s) – only you will ever have access to your unencrypted data.

For more, you can also read: