Password Recovery

Arq Cloud Backup takes your privacy and security extremely seriously. It stores all your data encrypted, and our goal was that we at Haystack Software would not be able to decrypt it. Only you would.

But this presents 1 problem. It makes resetting your password impossible.

So we’ve engineered a password-reset process.

When you create your Arq Cloud Backup account, by default Arq Cloud Backup uses your account password as the encryption password for your data.

If you forget your password, email support@arqbackup.com and we’ll be able to decrypt that data and reset your password. The technical implementation details are below.

NOTE: Password recovery can only be enabled at account creation time. If you decide later you want password recovery, you’ll have to delete your Arq Cloud Backup account (log into cloud.arqbackup.com and click the Delete Account link) and create a new account; your existing backup data will be deleted.

WARNING: If you click the Show Advanced Options button at account-creation time and choose a separate encryption password, only you know that password. If you later forget your password and your computer is lost or stolen, we cannot help you reset the password and you cannot read your backup data! Please write your password on paper and put it somewhere safe.

Technical Implementation Details

Enabling Password Recovery

At account creation time, the Arq Cloud Backup app generates your “key set”. The key set is the keys used to encrypt and verify your backup data. Arq Cloud Backup stores that key set, encrypted with your password, in the cloud in a file called encrypted_master_keys.dat.

if you have not chosen a separate encryption password, Arq Cloud Backup also creates a random password, encrypts your key set with that random password, and stores that separate encrypted key set in the cloud at encrypted_password_recovery_keys.dat. It also encrypts that random password with Haystack Software’s RSA public key and stores that encrypted data in the cloud in a file called encrypted_password_recovery_password.dat.

Normal Operation

The Arq Cloud Backup agent stores your account password locally, in an encrypted file. It needs that password to decrypt your backup records when you browse and restore from them.

But if your computer is lost or stolen, that copy of the account password is obviously no longer available. If you’ve forgotten your account password, you’ll need to reset it in order to access your account and restore your files.

Resetting Your Password

If you’ve forgotten your account password, email us at support@arqbackup.com and request a password reset. We require this so that a password cannot be reset without human intervention by our support staff, to reduce the possibility of a hacker resetting an account password and getting access to the account’s data.

When we receive a password-reset request, a member of our support staff logs into our administration app and enters a password-reset-password along with the account email address. Only our support staff members know this password-reset-password, and it changes often. The administration app then:

  1. uses the password-reset-password to decrypt the encrypted RSA private key (the plaintext RSA private key is not stored anywhere in the cloud, to prevent the possibility of a hacker gaining access to it)
  2. decrypts the encrypted_password_recovery_keys.dat file and then uses that to decrypt the encrypted_password_recovery_password.dat file to recover the account’s key set
  3. generates a temporary password
  4. encrypts the account’s key set with that temporary password and overwrites encrypted_master_keys.dat in the cloud
  5. sends an email to the account email address with the temporary password and instructions for choosing a new password

You must then follow the instructions in the email to log into cloud.arqbackup.com with the temporary password and change it to a new permanent password. The cloud.arqbackup.com web app decrypts the key set with the temporary password, encrypts it with the chosen new password, and overwrites encrypted_master_keys.dat.