Encryption

We recommend that you encrypt all backups that are stored in the cloud storage, especially if your company is subject to regulatory compliance.

Important  There is no way to recover encrypted backups if you lose or forget the password.

Encryption in a protection plan

To enable encryption, specify the encryption settings when creating a protection plan. After a protection plan is applied, the encryption settings cannot be modified. To use different encryption settings, create a new protection plan.

To specify the encryption settings in a protection plan

1. On the protection plan panel in the Backup module settings, enable the Encryption switch.
2. Specify and confirm the encryption password.
3. Select one of the following encryption algorithms:
   • AES 128 – the backups will be encrypted by using the Advanced Encryption Standard (AES) algorithm with a 128-bit key.
   • AES 192 – the backups will be encrypted by using the AES algorithm with a 192-bit key.
   • AES 256 – the backups will be encrypted by using the AES algorithm with a 256-bit key.
4. Click OK.

Encryption as a machine property

This option is intended for administrators who handle backups of multiple machines. If you need a unique encryption password for each machine or if you need to enforce encryption of backups regardless of the protection plan encryption settings, save the encryption settings on each machine individually. The backups will be encrypted using the AES algorithm with a 256-bit key.

Saving the encryption settings on a machine affects the protection plans in the following way:

• Protection plans that are already applied to the machine. If the encryption settings in a protection plan are different, the backups will fail.
• Protection plans that will be applied to the machine later. The encryption settings saved on a machine will override the encryption settings in a protection plan. Any backup will be encrypted, even if encryption is disabled in the Backup module settings.

This option can be used on a machine running Agent for VMware. However, be careful if you have more than one Agent for VMware connected to the same vCenter Server. It is mandatory to use the same encryption settings for all of the agents, because there is a type of load balancing among them.

After the encryption settings are saved, they can be changed or reset as described below.

Important  If a protection plan that runs on this machine has already created backups, changing the encryption settings will cause this plan to fail. To continue backing up, create a new plan.

To save the encryption settings on a machine

1. Log on as an administrator (in Windows) or the root user (in Linux).
2. Run the following script:
   • In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --set-password <encryption_password>

     Here, <installation_path> is the protection agent installation path. By default, it is %ProgramFiles%\BackupClient.

   • In Linux: /usr/sbin/acropsh -m manage_creds --set-password <encryption_password>

To reset the encryption settings on a machine

1. Log on as an administrator (in Windows) or root user (in Linux).
2. Run the following script:
   • In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --reset

     Here, <installation_path> is the protection agent installation path. By default, it is %ProgramFiles%\BackupClient.

   • In Linux: /usr/sbin/acropsh -m manage_creds --reset

To change the encryption settings by using Cyber Protection Monitor

1. Log on as an administrator in Windows or macOS.
2. Click the Cyber Protection Monitor icon in the notification area (in Windows) or the menu bar (in macOS).
3. Click the gear icon.
4. Click Encryption.
5. Do one of the following:
   • Select Set a specific password for this machine. Specify and confirm the encryption password.
   • Select Use encryption settings specified in the protection plan.
6. Click OK.

How the encryption works

The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the longer it will take for the program to encrypt the backups and the more secure your data will be.

The encryption key is then encrypted with AES-256 using an SHA-256 hash of the password as a key. The password itself is not stored anywhere on the disk or in the backups; the password hash is used for verification purposes. With this two-level security, the backup data is protected from any unauthorized access, but recovering a lost password is not possible.