Your backups are encrypted on your device before they ever reach our servers. We generate a unique encryption password per repository, share it with you during onboarding, and retain a copy so we can manage backups and restores on your behalf. You can change the password at any time.
01 — Encryption Model
How your data stays private
How encryption works
1. We generate a unique password for your repository
2. Restic encrypts your data with AES-256 on YOUR machine
3. Encrypted data transfers via SSH (AES-256-GCM)
4. We store encrypted data on RAID-10 drives
5. You receive your password. We retain a copy for managed operations.
6. You can change the password anytime
Technical details
algorithm: AES-256-CTR
MAC: Poly1305-AES
key derivation: scrypt
transport: SSH (AES-256-GCM)
repo format: restic v2
password: unique per repository
held by: you + us (managed service)
02 — Infrastructure Security
How the platform is hardened
RAID-10 Storage
Enterprise drives in a mirrored-stripe configuration with real-time SMART monitoring. Failing drives are detected and replaced proactively before data is at risk.
SSH Key-Only Access
Administrative access requires SSH key authentication on port 1022. Password authentication is disabled entirely, so there is no password login to brute-force.
Chroot Isolation
Each customer account is chroot'd into its own isolated directory. No shared access between customer environments. Your data is walled off.
Datacenter Security
Hardware is housed in a professional datacenter with physical access controls, redundant power, and network connectivity.
Firewall
Only required ports are exposed. All other inbound traffic is dropped. Outbound connections are restricted to essential services only.
Performance
Dedicated hardware — not shared cloud instances. Consistent throughput for backups and restores without noisy-neighbor performance degradation.
03 — Privacy Commitment
We don't look at your data
Desert Forge IT does not access, view, read, analyze, or monitor the content of your stored files or backup data.
The only exceptions are:
When you explicitly request our help with your data (restore requests, troubleshooting)
When required by valid legal process (subpoena, court order, warrant)
Backup data is encrypted with AES-256 on your machine before it reaches our servers. As a managed service, we hold a copy of the encryption password so we can perform backups and restores on your behalf. Our staff does not access your data outside of scheduled backup operations and restore requests you initiate.
SFTP-stored files are not client-side encrypted by default (though you can encrypt them before uploading). They are stored in isolated, chroot'd environments and our staff does not access them during normal operations.
We comply with valid U.S. legal process. We verify validity, narrow scope, and notify you unless legally prohibited. See our Privacy Policy for full details.
Not currently. We are a small, specialized provider focused on strong technical controls rather than compliance certifications. Our security practices are described transparently on this page and in our Privacy Policy.
We generate a unique password per repository during onboarding and share it with you securely. We store a copy in a secured, access-controlled system so we can manage your backups and perform restores. You can change your password at any time — just let us know and we'll update our records.
Contact us — since we retain a copy of the password for managed operations, we can provide it to you after verifying your identity. If you change the password without notifying us, and both copies are lost, the data is permanently unrecoverable.