Enabling Backup Encryption

To set up backup encryption, do the following:

  1. In the Options step of the corresponding backup/backup copy job wizard, select Enabled from the Backup encryption drop-down list.

  2. After the Backup encryption mode is enabled, the settings link becomes available.

    Notes

    • If not configured, the settings link is highlighted in red.

    • For backup copy jobs, you can select from two options: Enabled on source and Enabled on target to enable Backup encryption. For more details, refer to Backup Encryption.

  3. Click the settings link to open the Set a Password dialog box.

    Notes

    • If the Key Management Service (KMS) is not enabled, a warning message is displayed. To enable KMS, click the Encryption Tab link to go to the Settings > General > System Settings > Encryption tab. After enabling KMS, you can proceed with setting a password.

    • It’s recommended that you enable the (AWS) Key Management Service. If AWS is enabled, all backup encryption passwords encrypted with the Key Management Service cryptographic key are available for recovery in case of product re-installation. For more information, refer to Enabling KMS.

  4. In the dialog box that appears, select the needed password or create a new one. Refer to Setting Password for more details.

  5. Optionally, you can click the Manage passwords link to manage the existing or add a new password to the list of passwords.

  6. Click Apply to proceed.

    The product automatically generates the password hash based on the user password

    The cryptographic salt used for hash creation is saved in the recovery point metadata.

    The password hash is used to generate a single-use encryption key to encrypt the backup and FSI data (if the FSI option is enabled in the job).

    • If KMS is enabled, the password hash is encrypted with the AWS KMS key and saved in the recovery point metadata.

    • If KMS is not enabled, a dialog box opens, warning you that if you lose the password, it will be impossible to decrypt your data, and this data will be lost forever.

  7. Click the Proceed button to go to the next step of the wizard.

    • To enable KMS, click the Encryption Tab link to go to the Settings > General > System Settings > Encryption tab.

    • Click the Cancel or X button to close the dialog box without applying any changes.

    Notes

    • Single chain of incremental recovery points has to have consistent encryption settings including encryption password.

    • Changing encryption settings in a job (including changing encryption password) results in creating an active full backup and starting a new chain or recovery points.