Backup Encryption

NAKIVO Backup & Replication lets you configure encryption to protect backup data, recover encrypted backups, and manage encryption passwords.

How Backup Encryption Works

To encrypt backup data, do the following:

1. In the Options step enable Backup Encryption . In case of a backup copy job, you can select the encryption on the source and target.

2. Set up and confirm a password.

3. Optionally, in the Settings > General > System Settings > Encryption tab, enable the (AWS) Key Management Service. For more information, refer to Enabling KMS.

4. Run the job.

During operation:

• The solution automatically generates a password hash based on the user password.

• The cryptographic salt used for hash creation is stored in the recovery point metadata.

• The password hash is used to generate a single-use encryption key that encrypts both backup data and File System Indexing (FSI) data. (FSI must be enabled in the job.)

Note

Data compression is performed before encryption to preserve efficiency. Encryption does not reduce or interfere with compression results.

For more information about browsing through encrypted FSI data when the password hash is available in the product database, refer to Searching Indexed Files.

You can find more details on how to enable backup encryption for the supported jobs in the following articles:

• Backup Job Wizard for VMware: Options

• Backup Job Wizard for VMware Cloud Director: Options

• Backup Job Wizard for Hyper-V: Options

• Backup Job Wizard for Amazon EC2: Options

• Backup Job Wizard for Nutanix AHV: Options

• Backup Job Wizard for Physical Machine: Options

• Backup Job Wizard for Microsoft 365: Options

• Backup Job Wizard for File Share: Options

• Backup Copy Job Wizard: Options

• Tape Backup Wizard: Options

• Microsoft 365 Object Recovery Wizard: Backup

For more details on how to enable the Backup Encryption feature, refer to Enabling Backup Encryption.

Trust Zones

Trust Zones are secure areas or system components where encrypted data is processed, transmitted, or stored. These zones preserve data integrity and confidentiality throughout backup, recovery, and backup copying operations.

• Backup Jobs: The trust zone includes the source transporter, which reads data and prepares it for secure transmission.

• Recovery Jobs: The trust zone includes the target transporter, which securely writes restored data to the target location.

• Backup Copy Jobs: The trust zone may be the source transporter or the target transporter, depending on job configuration.

  To define trust zones:

• Select Options > Backup Encryption > Enable on source, to encrypt the backup data with the source transporter. In this case, the source transporter works in the trusted zone and the encrypted backup can be sent to the target transporter in the untrusted zone.

• Select Options > Backup Encryption > Enable on target, to encrypt the backup data with the target transporter. In this case, the source transporter works in the untrusted zone and the backup encryption can be done with the target transporter in the trusted zone.

Note

If you selected encryption on source or target, the Network acceleration option can not be used.

Reverse Connection

In environments with restrictive firewall policies, a reverse connection can be used. Instead of the source transporter initiating the connection, the target transporter in the untrusted zone connects back to the source using a proxy host. This helps maintain security by ensuring that only validated, encrypted requests are processed.

Restoring from Encrypted Backups

NAKIVO Backup & Replication stores all information required for encryption and decryption, so you do not need to enter the password each time you restore data from encrypted backups. Even if a password is forgotten, the Backup Encryption feature enables recovery of encrypted backup data.

To recover encrypted backup data, do the following:

1. In the Backups step of the corresponding wizard, select a backup object and a recovery point. Proceed as described below:

• If the password hash is available, the product uses it to decrypt the backup and perform the recovery

• If the password hash is not available, but the AWS KMS was enabled when performing encryption on the data:

  • The product discovers an existing AWS account to get access to AWS KMS and the cryptographic keys stored therein – no need to configure the AWS KMS service in the Encryption tab.

  • The product verifies that the AWS account is correct and AWS KMS has a corresponding cryptographic key for decrypting the password hash.

  • The product restores the password hash.

  • Proceed to recovery from an existing encrypted backup. A password hash is used to decrypt the backup.

• If a password hash is not available and AWS KMS was not enabled when performing encryption on the data but salt is available:

  • In the Backups step of the corresponding wizard, select a backup object and a recovery point.

  • Enter the password manually.

  • The hash is generated based on the available salt and the provided password. The product uses the password hash to decrypt the backup and perform the recovery.

2. Proceed to the next step of the wizard.

Important

If the salt is not available in the recovery point metadata, recovery cannot be performed and the corresponding encrypted recovery point is considered corrupted.

You can find more details on how to perform restore from encrypted backups in the following articles:

• Recovery Job Wizard for VMware: Backups

• Recovery Job Wizard for VMware Cloud Director: Backups

• Recovery Job Wizard for Hyper-V: Backups

• Recovery Job Wizard for Amazon EC2: Backups

• Recovery Job Wizard for Nutanix AHV: Backups

• Recovery Job Wizard for Physical Machines: Backups

• Microsoft 365 Object Recovery Wizard: Backup

• VMware Flash Boot Job Wizard: Backups

• Backup Export Wizard: Backups

How Encryption/Decryption of System Configuration Works

• To safely encrypt your system configuration bundle, initiate exporting system configuration in the Settings > General > System Settings > Configuration tab, set a password, and proceed to exporting.

• To recover from the system configuration bundle, initiate importing system configuration in the Settings > General > System Settings > Configuration tab, provide the password to decrypt and import the configuration, and proceed to importing.

Refer to System Migration for more information.

Password Management

With NAKIVO Backup & Replication, you can create and manage your passwords for encrypting backups, system configuration bundles stored as self-backup, and FSI data.

Notes

• It’s recommended that you enable the (AWS) Key Management Service in the Settings > General > System Settings > Encryption tab. If AWS is enabled, all backup encryption passwords are encrypted with the Key Management Service cryptographic key to be available for recovery in case of product re-installation. For more information, refer to Enabling KMS.

• AWS Key Management Service is not applied to self-backup and system configuration encryption.

Refer to Managing Passwords for more details.