Did Storj a Audit regarding native Tardigrade implementation in Duplicati?

Did Storj a Audit of the source code regarding native Duplicati Integration to be sure the encryption password is save ?

I am the developer of the native Tardigrade-Implementation and I can assure you, that the passwords are safe and not being extracted. All code is open source, so you may check for yourself.

E.g. here is the coding where the Tardigrade-Backend receives the access credentials (password and URL or AccessGrant) from Duplicati and provides it to the uplink.Net-Library (by creating an “Access”-object):

Here you can see how the uplink.NET-library handles the “secret” (your passphrase) over to uplink-c:

Here you can see how uplink-c handles the secret:

So maybe that gives you a little insight and helps you understand if it is save or not. But be careful: you may always get a “wrong version” deployed where someone added coding not visible in the github-repos. To be really save you might need to compile it all for yourself or we might need to add some certificates here.


@TopperDEL thanks for info.

How can I be sure that my Docker container is secure ?

Do you think it is possible to implement a hardware dongle such a ledger nano to retrieve encryption keys?

I think this is a very good question that should be addressed in a general way, as Storj relies on developers to create applications.
So the question would be: How to trust developers to implement all required security functions in a way that they do not get exposed or transmitted to a 3rd party?

At the end maybe for sensitive data additional client side encryption needs to be performed prior to uploading.

There is always myths around OSS and security:

So, usually we - the Community helping OSS products to be secure. The same is going for the applications built on Tardigrade platform.

Not sure how I may help you here. I don’t know how to check if the docker container is secure. And adding a hardware-dongle to the table sounds great, but I do now know how to handle this here. Furthemore - wouldn’t that mean to “approve” a backup-request everytime with your dongle? That would make regular backups a pain, wouldn’t it?

@jammerdan: You may use the default way of encrypting data from duplicati itself before the files get handed over to the Tardigrade-backend. So whatever happens there, your data could not get exposed. but then you would have to trust Duplicati again.
Checking the security of duplicati was not on my scope during development of the Tardigrade-Backend. I would assume this has been checked multiple times as Duplicati is on the market since quite a long time already and is used by thousands of people.