Encryption in Flight and at Rest

Backup encryption uses a mathematical algorithm to transform data into a secure, encoded format. The goal of backup encryption is to make your data unintelligible to unauthorized readers and impossible to decipher when attacked. Backups sent over the Internet should be encrypted before the first bit leaves your organization and travels over the WAN (backup encryption in flight). If the destination is not secure, your data should remain encrypted as well (backup encryption at rest).

NAKIVO Backup & Replication uses AES-256 encryption to protect backups. AES-256 is the de facto worldwide encryption standard for securing online information and transactions, used by financial institutions, banks, and e-commerce sites. Encryption in flight and at rest is supported for virtual machine and physical machine backups.

VM Backup Encryption in Flight

Backup encryption in flight is performed by the components responsible for data processing and transfer.

For VM backups, encryption in flight is performed by a pair of Transporters.

The Transporter is a component of NAKIVO Backup & Replication that performs data read, compression, deduplication, encryption, transfer, write, verification, granular recovery, full VM recovery, and so on.

The source Transporter encrypts and sends the backup data, while the target Transporter receives and decrypts it. For example, when backing up VMs over the WAN to an offsite location, the Transporter installed at the source site compresses and encrypts VM data before transferring it over the WAN. The Transporter installed at the target site then receives and decrypts the data before writing it to the Backup Repository.

For physical machine backups, encryption in flight is performed by the Physical Machine Agent (PMA) on the source machine. The PMA encrypts backup data before transmission, ensuring that data remains protected over the network.

Note

Data compression is performed before encryption to maintain its efficiency. Encryption does not interfere with or degrade the results of compression.

VM Backup Encryption at Rest

It is equally important that data at rest be secured by encryption. NAKIVO Backup & Replication enables you to encrypt Backup Repositories so that backup data at rest, stored in the repository itself, is secure.

Backup repository encryption applies to both virtual machine and physical machine backups. You can configure encryption on the Options page of the repository creation wizard. For details, refer to the following topics:

Source Side Backup Encryption

Source-side backup encryption is a mechanism that encrypts data on the source before it is transferred and keeps it encrypted throughout storage. Unlike traditional encryption in flight or encryption at rest, source-side backup encryption combines both approaches into a single, unified process.

When source-side backup encryption is enabled, backup data is compressed and encrypted at the source before it leaves the source side. The encrypted data is then transferred over the network and stored in the Backup Repository without being decrypted. As a result, backup data remains encrypted both during transmission and while stored at rest.

How Source-Side Backup Encryption Works

  1. Backup data is read from the source workload.

  2. Data is compressed to optimize storage and transfer efficiency.

  3. A single-use AES-256 encryption key is generated based on the user-defined encryption password.

  4. Data is encrypted on the source side using this encryption key.

  5. Encrypted data is transferred to the destination.

  6. Encrypted data is written to the Backup Repository and stored in encrypted form.

The encryption key is not stored by the product and is discarded after use. Only the password hash required for recovery is securely stored, optionally protected by a Key Management Service (KMS).

For more information on how backup encryption works, refer to Backup encryption.