Protected Items and Storage Vaults
The user's configuration is broadly separated into Protected Items and Storage Vaults.
A Protected Item is a description of the set of data that should be backed up.
A Storage Vault is a location where the backed-up data can be stored. In most common configurations, this would be a to the Magnus Box storage network; but it's possible for the Magnus box software to back up to a local disk
All data within a Storage Vault is compressed, encrypted, and deduplicated. A Storage Vault is the unit of deduplication; data is not deduplicated between multiple Storage Vaults.
Multiple devices (e.g. different computers, servers or laptops) can log in to the same Magnus Box user account with a shared password. Each device has its own private set of Protected Items, but shares access to the same Storage Vaults. This allows you to deduplicate data between multiple devices.
Each device can also restore and delete each others' backed-up data, so it is important that multi-device accounts are only used in trusted contexts.
When a new account is created, they have no Protected Items and also no Storage Vaults. The client must register a new Storage Vault either by manually entering details or by "requesting" a new Storage Vault from the server.
We strongly recommend that users use strong passwords. Even the best security is foiled by a user choosing a weak or commonly-used password, such as
Magnus Box always encrypts all user data before storing it, using strong AES-256-CTR with Poly1305 in AEAD mode with high-entropy random keys.
Encryption keys are automatically generated and managed by the client. The data encryption keys are then encrypted against the customer's password, and stored on the Magnus Box Server. This means that (A) Magnus Box is unable to decrypt data without the customer's password; and (B) in the event of a customer PC loss, only the customer's password is necessary to log in to the account and restore data.
For more technical details about the encryption formats and key management, please see the Appendix.
You can register additional commands to run before- or after any backup job. For maximum flexibility, commands can be registered
- for a Protected Item (e.g. to dump a database), or
- for a Storage Vault (e.g. to perform custom network authentication), or
- for a Schedule (e.g. to shut down the computer afterward).
During a backup job, the commands are run in this order: Schedule Before, Protected Item Before, Storage Vault Before, Backup, Storage Vault After, Protected Item After, Schedule After.
Shell built-ins can be used as part of the command execution - the specified command is passed to either
/bin/sh as appropriate for your operating system.