SUMMARY
An overview of encryption and important considerations when using it for backups.
ISSUE
Unitrends customers have the ability to enable or disable encryption on a per-client basis, modify passphrases as needed, and ensure data remains encrypted from beginning to end for local or offsite backup copies. Unitrends Backup and Recovery solutions use AES 256-bit encryption to secure and protect sensitive customer data. For customers that have a need or desire to leverage encryption, please consider the following before enabling encryption.
- Encryption has a performance and storage impact. Unencrypted backups will run faster and provide the longest possible on-appliance retention.
- Unitrends support cannot recover a lost or forgotten passphrase. It’s imperative that customers make backup copies of the master key. For more information, see: Encryption passphrase has been lost or forgotten.
- Encryption occurs during the backup process as data is written to disk, so backups taken prior to enabling encryption will remain unencrypted.
RESOLUTION
To enable encryption, you must first set the encryption passphrase and then back up the Master Key file. Always back up your master key file! For instructions, see: Set up encryption on backup system or hot backup copy (replication) target.
When passphrases are changed, the system protects legacy passphrases in a new encrypted file, secured with the new key. Those legacy passphrases are used for accessing backups and backup copies encrypted under the previous passphrase, but only the current passphrase needs to be known to do so.
When migrating from one Unitrends System to another where encryption is in use on the original system, the MasterKey file must be migrated as well. For details on how to migrate the MasterKey file, reference: Migrate encryption Master Key file to a new appliance. Alternatively, the older passphrases can be separately documented and entered into the system when recovering data that was encrypted using a previous passphrase.
After encryption has been enabled and a passphrase set, administrators may select individual servers and/or applications to be encrypted. This is done in the Configure section, under the Protected Assets tab, where any client asset or application can be selected to edit, and then encryption can be enabled. For further details, see: How to select which backups should be encrypted.
When backups are being replicated to a secondary Unitrends target (Hot Backup Copies) and encryption is enabled on the source appliance, the target must also have encryption enabled. Encrypted backup copies will fail to replicate to the target if the target does not have encryption enabled. Once encryption is enabled on the target, both encrypted and non-encrypted data can be sent to it. For details on how to enable encryption, see: Set up encryption on backup system or hot backup copy (replication) target.
NOTES
For more detailed information about managing encryption with Unitrends backup and recovery software, please see "Encryption" in the Administrator Guide.