I recently made a silly mistake and forgot my private key to my Backblaze backups. Stupid me. The annoying thing is that the password is still saved on my computer, because my computer is still able to back up the files.
If you know the basics of public & private key cryptography, it becomes obvious that Backblaze must store the password locally somehow if it is able to perform a differential backup. Otherwise it would only be able to send full backups each time with the public key.
So, I asked Backblaze to help me find the cached private key (probably in some sort of hashed state) so that I could just transfer this to another computer to continue my backups. Backblaze insisted this was impossible and that there was no key stored on my computer. This means one of two things:
1. Backblaze is lying and they do store your private password somewhere.
2. Backblaze is not willing to help in a case where I can prove that I am the owner of the files and simply forgot the password.
Again, it would be impossible for them to actually give my password (unless they did something REALLY silly and stored it in plain text), but it should be possible for them to help me locate my hashed private key and then let me use this to continue accessing my backups.
Out of annoyance, I did a brief test in a sandboxed Windows environment and found out that the Backblaze job runner is in fact passing a hashed private key to the server in order to perform the differential backup. Where is it storing this? I’m not quite sure. They are using some interesting tricks to store it because I could not detect any registry changes or file changes on the disk. This leads me to believe that the job runner alters a file on the computer once you enter your private key and then pulls it from there to pass to the server. I stopped trying to dig further once I proved the point.
So, now I get the joy of wiping all of my files from Backblaze and re-uploading. I very nearly cancelled the service altogether due to their lack of helpfulness. The only reason I’m staying is that it is still a good value, and it will save me time in the long run.
Tech companies need to stop using technology as a scapegoat for them not wanting to do something. I am so tired of hearing “it’s not possible” when they really mean “we don’t want to.”