# Encryption for images in the cloud.....



## DaveMCO (Mar 11, 2021)

Folks:
I asked this same question over on the Adobe support forums this morning.  No answer yet.  I figured that I would ask here as well in case someone has already figured this out.....  here goes:

I am trying to figure out if the images that I upload to the cloud via Lightroom reside on the Adobe cloud as encrypted files.

I have been pointed to this document which describes how ENTERPRISE users have their User Generated Content encrypted:

https://www.adobe.com/content/dam/cc/en/security/pdfs/CCE_security_whitepaper.pdf

unfortunately, this document does not address individual accounts (like mine... LR 1TB plan).

Is my “User Generated Content” (I.e. the images that I sync up through LR) also encrypted on adobe’s servers?

Thank you


----------



## Paul McFarlane (Mar 12, 2021)

It's a question only Adobe can legitimately answer.


----------



## DaveMCO (Mar 12, 2021)

Paul McFarlane said:


> It's a question only Adobe can legitimately answer.


Thank you and agreed.  I was hoping that someone had previously asked and knew the answer already.

I have posted my question yesterday here:
https://feedback.photoshop.com/conv...ages-stored-in-cloud/604a2aacde1dd33994412530
no answer from Adobe yet to what I think is a very simple/straight forward question.

Is the site above the correct place to ask this question or did I ask It in the wrong place?


----------



## Paul McFarlane (Mar 12, 2021)

It's a good place because Adobe Engineers check the posts. However, it's potentially one that may have legal implications, hence my comment it needs to be Adobe. You could also try going onto Virtual Chat and get through to someone, but then it's more likely to be a verbal response.

I don't disagree that it's a straightforward question, btw; it's one any professional photographer with Copyright concerns may want to understand if they were to use the cloud for images.


----------



## DaveMCO (Mar 12, 2021)

Paul McFarlane said:


> It's a good place because Adobe Engineers check the posts. However, it's potentially one that may have legal implications, hence my comment it needs to be Adobe. You could also try going onto Virtual Chat and get through to someone, but then it's more likely to be a verbal response.
> 
> I don't disagree that it's a straightforward question, btw; it's one any professional photographer with Copyright concerns may want to understand if they were to use the cloud for images.


Thanks again, Paul.  I do find it quite odd that Adobe has an entire website detailing security and publishes a really detailed 16-page white paper on security (encryption, etc with charts and all) for the “enterprise” but seemingly has literally nothing online for individual accounts.  Perhaps the same architecture exists for individual accounts, perhaps not.  I am stunned that the answer to my question is not immediately evident with one google search.

we’ll see, I guess, what Adobe says when (if) they answer my question.


----------



## Linwood Ferguson (Mar 12, 2021)

I'd offer the suggestion that at some level the question is moot.  Since you do not provide an encryption key, if they are encrypted Adobe is the one picking the encryption keys, so if adobe is hacked, having them encrypted may make it more difficult to access them but certainly still possible.  Further, since Adobe's cloud is inherently designed to permit easy display via the web, and easy access from your own versions of their apps, any compromise of their copy of your credentials (which we know has already happened in the past) could expose them as well, and obviously any compromise of your credentials on your system (something I would argue for users in general is more likely, I mean no implication of the OP) also exposes them.

I'd also argue that I have yet to hear even more fundamental answers to data integrity and security questions about Cloudy -- are backups made and versioned for example, so if Adobe were hacked last Tuesday and only found out today after 4 billion images were corrupted, could they roll back?  How far back)?  Or are images checked for integrity during transmission?   Is there pro-active scanning of static data (a la zfs) for integrity issues? 

Cloud storage is exceptionally safe, but I never feel reassured unless a cloud vendor is transparent on all such aspects.  Cloudy wants to be the master keeper of your images.   It is one thing that has kept me off Cloudy (feature set and plugins are the main thing though).


----------



## DaveMCO (Mar 12, 2021)

Ferguson said:


> I'd offer the suggestion that at some level the question is moot.  Since you do not provide an encryption key, if they are encrypted Adobe is the one picking the encryption keys, so if adobe is hacked, having them encrypted may make it more difficult to access them but certainly still possible.  Further, since Adobe's cloud is inherently designed to permit easy display via the web, and easy access from your own versions of their apps, any compromise of their copy of your credentials (which we know has already happened in the past) could expose them as well, and obviously any compromise of your credentials on your system (something I would argue for users in general is more likely, I mean no implication of the OP) also exposes them.
> 
> I'd also argue that I have yet to hear even more fundamental answers to data integrity and security questions about Cloudy -- are backups made and versioned for example, so if Adobe were hacked last Tuesday and only found out today after 4 billion images were corrupted, could they roll back?  How far back)?  Or are images checked for integrity during transmission?   Is there pro-active scanning of static data (a la zfs) for integrity issues?
> 
> Cloud storage is exceptionally safe, but I never feel reassured unless a cloud vendor is transparent on all such aspects.  Cloudy wants to be the master keeper of your images.   It is one thing that has kept me off Cloudy (feature set and plugins are the main thing though).


Thank you greatly for your well-reasoned reply.  I too have been thinking through the items you raise.

I believe that I read in the “cloud for enterprise white paper” or elsewhere  that for “enterprise“ users Adobe DOES pick the key and rotates the key yearly, I think.  But I  also believe that enterprise users are allowed to “set” their own key — something that “individual“ subscribers don’t seem to be able to do even IF the images are encrypted.

I believe that Apple’s iPhoto “cloud” is encrypted and also does not have a user assigned key..... so, Adobe may be functioning the same way... that’s what I am trying to find out.....

your point on the biggest vulnerability being the hack of the SUBSCRIBER (me, you, others) is also well-taken and likely true.

your further points on back-ups/rollbacks, etc are also spot on.  I am not as worried about that as I keep copies of all originals (and processed/finished TIFs)in my own file structure on my own SSDs.  

Thank you again for your solid response.


----------

