Encryption Norton 360 2013 Question - Help getting clarity about encryption of backups

I need help getting clarity about encryption of backups.  I have searched and searched and even chatted with Norton support, but am looking for more confirmation. 

 

Are Norton 360 2013 backups encrypted?  My chat with Norton support indicated that all backups are encrypted using AES 256, but the only public references I see to AES encryption are limited to Norton Online Backup and even there they indicate that the encryption occurs in the Norton Data Center and not locally.

 

Can anyone confirm one way or another?  I perform my backups locally to a NAS, but then push them to another off-site location where I do not have full control over the NAS devices and I need to ensure AES 256-bit.

 

Hi,

 

Q. How does Symantec ensure the security of online backup?
A. Symantec ensures the security of online backup through a variety of measures including: encryption of data during file transfer, user authentication tokens, and per-session keys. Data to be stored is encrypted using 256-bit AES encryption and the transmission is encrypted using 128-bit AES encryption.

 

http://www.symantec.com/norton360hp/about/n360faq.html#f5

 

I hope this helps.

Thanks, but this is the issue. The only statements (such as this one and others like it) specifically call out the security of the Norton hosted “online backup”. I can find no equivalent for the backups generated and stored locally. Are you aware of one that isn’t specifically referencing the hosted backup?

I've tried to find an answer for you, but the best I could come up with is a thread that I found here.  Please refer to DaveH's reply.  It's over 12 months old, so would relate to v6.

 

http://community.norton.com/t5/Norton-360/Norton-360-Backup-encryption-keys-for-CD-DVD-flash-drive-and/td-p/669177

 

Maybe someone else can provide clarity.

Hi dslrsearcher

To see it with your own eyes is what you need I think, so if you do a backup with the process you are using but instead of NAS being the storage use a flash drive or even a disc, use all the file formats and then take that to another computer with no Norton product on it and when you open the files and get garbage you’ll know.  I’d try it on another system with Norton just in case then try on your system.  If the files won’t open that may not mean they are encrypted; it may mean they are corrupt. 

 

 

ATB

 

intesec

I still stand by my statement in that other post Krusty posted.

I think you're relying on physical security for local backups. Regardless of if the local backups are encrypted or not, it becomes a moot point when any version of 360 can open them.

Never during the setup of a local backup are you ever asked for a password.  You can also open the local backup sets on a system running the trial version of 360 so it's not connected to the Norton account like the online backup is.

 

But that's just my experience; if you're going to provide your own offsite backup you're going to need to provide your own encryption or security.

 

Dave
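What "provide your own encryption" can look like before a backup set leaves for the off-site NAS, as an added example that is not part of the thread or of any Norton tool: the file is sealed with AES-256-GCM under a key that only its owner holds, so a different key cannot open it. The names `randBytes`, `newGCM`, `Seal` and `Open` and the sample contents are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback when the system RNG fails
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a backup blob and returns nonce || ciphertext || tag.
func Seal(key, plain []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize()) // fresh nonce for every file
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// Open authenticates and decrypts; a wrong key or altered data is an error.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key size or truncated blob")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	sealed, _ := Seal(randBytes(32), []byte("constructed sample backup contents"))
	_, err := Open(randBytes(32), sealed) // not the key the blob was sealed with
	fmt.Println("different key rejected:", err != nil)
}
```

The key has to be stored somewhere other than the off-site device, and because this version holds the whole blob in memory, large backup sets would need to be sealed in chunks.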

 

 

Just to say that I cannot find text that I know is backed up in my local "backup" files without using Norton...

 

Of course that does not say anything about the quality of the encryption...
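The raw-file check described in the posts above (look for text you know was backed up, and see whether the file reads as garbage), as an added example that is not part of the thread. `Entropy`, `Inspect`, the marker string and the sample data are constructed for illustration; the 7.5 bits-per-byte threshold is an assumption.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math"
)

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
func Entropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(data))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Inspect reports what a backup file's raw bytes reveal to someone without
// the backup software. marker is text known to be inside the backed-up data.
func Inspect(data, marker []byte) string {
	switch {
	case len(marker) > 0 && bytes.Contains(data, marker):
		return "plaintext"
	case Entropy(data) > 7.5:
		// Compression and encryption both look like this; entropy alone
		// cannot tell them apart or say who holds the key.
		return "opaque"
	default:
		return "structured"
	}
}

func main() {
	marker := []byte("CANARY-7f3a") // constructed marker string
	plain := bytes.Repeat([]byte("invoice "+string(marker)+"\n"), 200)
	random := make([]byte, 4096) // stand-in for an encrypted or compressed file
	rand.Read(random)
	fmt.Println(Inspect(plain, marker), Inspect(random, marker))
}
```

An "opaque" result only shows that the contents are not readable as stored; it says nothing about whether a key is involved or who can obtain it.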

Thanks for all of the help. It sounds like it just isn’t a viable product if you have any security needs. It sounds like while it may be encrypted, it doesn’t sound like it has any security around the keys if any install (even those w/o accounts) can access the encrypted contents. I don’t know why you would even bother encrypting if there isn’t any real security around who can unencrypt the contents. As suggested, I may spin up a vm and test out some scenarios.

Just keep in mind that its main function is a backup program.  It never claims to be an encryption tool.

 

It's easy to test it yourself, especially if you have an external USB drive that you can make a small backup set onto.

 

The "portable" restore files are ARestore.exe and  ARestore.loc

If you place those 2 files on the "root" of the external drive (not within any folders), you will be able to use arestore to open up the backup set on any system, even if that system does not have 360 installed on it.

(The backup set should be in the default folder that the program makes, I can't remember what the name is, it's been a while since I used it).

 

Install the 360 trial into a temp VM, do not activate it or even associate it with your Norton account.  When it asks for a key, click "remind me later"; when it asks you to create a Norton account, don't fill in the box, leave it empty and click "next" twice and another option will then appear to skip it.

 

Now you will have 360 installed on a totally new system (vm) and it's impossible for it to know your key, your Norton account, or who you are.

 

Search for ARestore.exe and ARestore.loc and put copies on the root of the external drive.  Double click arestore.exe and you will find you can access the backups created on your other system.

 

Dave

 

Thanks, all! I just tested it here and without question, there is effectively no encryption-based on these backups. I cannot really tell if it does encrypt, but if it does then it always uses a universal key/password. I was able to retrieve files on a PC that had no link to my Norton account.

Fair point that they do not advertise as an encryption product. And in fact, that was why I wasn’t planning to use. I gave Symantec a call before I dismissed using this product. The distressing part is that their own support desk was emphatic that they do encrypt all backups. Perhaps it is factually correct, but encrypting with a universal password/key is misleading as it is not really providing encryption of any real protection in my opinion. If they wanted to embed personalized random keys in my Norton account to help avoid the added risk that users forget their password, it would be ok.

Again, thanks for your help. Glad to have a clear answer on this.