Backup Encryption

With NAKIVO Backup & Replication you can configure encryption to protect backup data against breaches, manage passwords, and perform recovery from encrypted backups.

How Backup Encryption Works

To encrypt backup data, do the following:

1. Enable Backup Encryption in the Options step of the corresponding wizard.

2. Set up and confirm a password.

3. Optionally, in the Settings > General > System Settings > Encryption tab, enable the (AWS) Key Management Service. For more information, refer to Enabling KMS.

4. Run the job.

The product automatically generates the password hash based on the user password.

The cryptographic salt used for hash creation is saved in the recovery point metadata.

The password hash is used to generate a single-use encryption key to encrypt the backup and File System Indexing (FSI) data. For this, the FSI option must be enabled in the job.

For more information about browsing through encrypted FSI data when the password hash is available in the product database, refer to Searching Indexed Files.

You can find more details on how to enable backup encryption for the supported jobs in the following articles:

• Backup Job Wizard for VMware: Options

• Backup Job Wizard for VMware Cloud Director: Options

• Backup Job Wizard for Hyper-V: Options

• Backup Job Wizard for Amazon EC2: Options

• Backup Job Wizard for Nutanix AHV: Options

• Backup Job Wizard for Physical Machine: Options

• Backup Job Wizard for Microsoft 365: Options

• Backup Job Wizard for File Share: Options

• Backup Copy Job Wizard: Options

• Tape Backup Wizard: Options

• Microsoft 365 Object Recovery Wizard: Backup

For more details on how to enable the Backup Encryption feature, refer to Enabling Backup Encryption.

Restoring from Encrypted Backups

NAKIVO Backup & Replication keeps all encryption/decryption details safe so that you do not need to enter your password every time you need to restore data from encrypted backups. With the Backup Encryption feature, you get your backed-up data decrypted and restored even if you forget your passwords.

To recover encrypted backup data, do the following:

1. In the Backups step of the corresponding wizard, select a backup object and a recovery point. Proceed as described below:

• If the password hash is available, the product uses it to decrypt the backup and perform the recovery

• If the password hash is not available, but the AWS KMS was enabled when performing encryption on the data:

  • The product discovers an existing AWS account to get access to AWS KMS and the cryptographic keys stored therein – no need to configure the AWS KMS service in the Encryption tab.

  • The product verifies that the AWS account is correct and AWS KMS has a corresponding cryptographic key for decrypting the password hash.

  • The product restores the password hash.

  • Proceed to recovery from an existing encrypted backup. A password hash is used to decrypt the backup.

• If a password hash is not available and AWS KMS was not enabled when performing encryption on the data but salt is available:

  • In the Backups step of the corresponding wizard, select a backup object and a recovery point.

  • Enter the password manually.

  • The hash is generated based on the available salt and the provided password. The product uses the password hash to decrypt the backup and perform the recovery.

2. Proceed to the next step of the wizard.

Important

If the salt is not available in the recovery point metadata, recovery cannot be performed and the corresponding encrypted recovery point is considered corrupted.

You can find more details on how to perform restore from encrypted backups in the following articles:

• Recovery Job Wizard for VMware: Backups

• Recovery Job Wizard for VMware Cloud Director: Backups

• Recovery Job Wizard for Hyper-V: Backups

• Recovery Job Wizard for Amazon EC2: Backups

• Recovery Job Wizard for Nutanix AHV: Backups

• Recovery Job Wizard for Physical Machines: Backups

• Microsoft 365 Object Recovery Wizard: Backup

• VMware Flash Boot Job Wizard: Backups

• Backup Export Wizard: Backups

How Encryption/Decryption of System Configuration Works

To safely encrypt your system configuration bundle, initiate exporting system configuration in the Settings > General > System Settings > Configuration tab, set a password, and proceed to exporting.

To recover from the system configuration bundle, initiate importing system configuration in the Settings > General > System Settings > Configuration tab, provide the password to decrypt and import the configuration, and proceed to importing.

Refer to System Migration for more information.

Password Management

With NAKIVO Backup & Replication, you can create and manage your passwords for encrypting backups, system configuration bundles stored as self-backup, and FSI data.

Notes

• It’s recommended that you enable the (AWS) Key Management Service in the Settings > General > System Settings > Encryption tab. If AWS is enabled, all backup encryption passwords are encrypted with the Key Management Service cryptographic key to be available for recovery in case of product re-installation. For more information, refer to Enabling KMS.

• AWS Key Management Service is not applied to self-backup and system configuration encryption.

Refer to Managing Passwords for more details.