Password Recovery

Arq Cloud Backup takes your privacy and security extremely seriously. It stores all your data encrypted, and we at Haystack Software are not able to decrypt it. Only you can.

But this presents 1 problem. It makes resetting your password impossible.

So we’ve engineered a password-reset process.

When you create your Arq Account, there’s a checkbox labeled “Enable password recovery”. If you check this checkbox, Arq Cloud Backup will encrypt your account password using asymmetric encryption and store that encrypted password in the cloud.

If you forget your password, email support@arqbackup.com and we’ll be able to decrypt that data and reset your password. The technical implementation details are below.

If you did not check the “Enable password recovery” at account creation time and you change your mind later:

PLEASE NOTE: If you do not check “Enable password recovery” and you forget your password and your computer is lost or stolen, we cannot help you reset it and you cannot read your backup data! Please write your password on paper and put it somewhere safe.

Technical Implementation Details

Enabling Password Recovery

If you check “Enable password recovery” at account creation time (or later in Arq Cloud Backup’s preferences), Arq Cloud Backup creates a new random “key set” for use in encrypting your account password. It encrypts your account password with that key set and uploads it to the cloud (to a file called “encrypted_password_recovery_password.dat”). It then encrypts that key set with Haystack Software’s RSA public key and uploads that encrypted key set to the cloud (to a file called “encrypted_password_recovery_keys.dat”).

Normal Operation

The Arq Cloud Backup agent stores your account password locally, in an encrypted file. It needs that password to decrypt your backup records when you browse and restore from them.

But if your computer is lost or stolen, that copy of the account password is obviously no longer available. If you’ve forgotten your account password, you’ll need to reset it in order to access your account and restore your files.

Resetting Your Password

If you’ve forgotten your account password, email us at support@arqbackup.com and request a password reset. We require this so that a password cannot be reset without human intervention by our support staff, to reduce the possibility of a hacker resetting an account password and getting access to the account’s data.

When we receive a password-reset request, a member of our support staff logs into our administration app and enters a password-reset-password along with the account email address. Only our support staff members know this password-reset-password, and it changes often. The administration app then:

  1. uses the password-reset-password to decrypt the encrypted RSA private key (the plaintext RSA private key is not stored anywhere in the cloud, to prevent the possibility of a hacker gaining access to it)
  2. decrypts the “encrypted_password_recovery_keys.dat” file and then uses that to decrypt the “encrypted_password_recovery_password.dat” file to recover the account’s key set
  3. generates a temporary password
  4. encrypts the account’s key set with that temporary password and stores the encrypted data in the cloud
  5. sends an email to the account email address with the temporary password and instructions for choosing a new password

The account holder must then follow the instructions in the email to go to the cloud.arqbackup.com password-reset page, enter the temporary password, and choose a new password. The cloud.arqbackup.com app decrypts the key set with the temporary password, encrypts it with the chosen new password, and overwrites the account’s permanent encrypted key set.