It uses convergent encryption, where the local key is derived from the file itself
One of the most interesting new companies at last weeks' TechCrunch Disrupt conference, and one of the finalists, Bitcasa made quite a splash with its cloud backup and sync service.Bitcasa promises infinite storage for a small, fixed monthly fee and client-side encryption, the Holy Grail of cloud storage. It almost sounded too good to be true.
But the product is not live yet and there were many unanswered questions. The biggest was how it was possible to have client-side encryption and file de-duplication in the cloud, as the company claimed, at the same time.
Encrypting files locally means that a cloud storage provider can't access them in any way, they need to have a key which only the user has to decrypt them.
However, identical copies of a file encrypted with two different client-side keys will result in two entirely different files to be stored online.
This is why Dropbox encrypts files in the cloud and has access to both keys used in the encryption process, because it wants to be able to store only one copy of any given file.
This means that a Lady Gaga MP3, a DVD image and anything that is going to be on a lot of people's computers is only stored once, ensuring a huge space saving for Dropbox. The downside is worse privacy protection.
There are services that offer client-side encryption, but they are more expensive, either for the user or for the company that runs them.
Bitcasa though promised the best of both worlds. Bitcasa CEO Tony Gauda has explained how the company does it, through a process dubbed Convergent Encryption.
The idea is quite simple, actually. The client-side key is generated for each file and it is unique to that file. Two users with the same file will generate the same exact key, however you need to have the exact file for you to generate that key.
Using the same key, obviously, means that the encrypted files will be identical as well, therefore enabling Bitcasa to store only one copy.
It's a clever solution and one with only a few caveats. The method is slightly less secure than having a unique key for each user, but the larger risks are largely theoretical.