BackupEDGE 3.x - Archive Encryption

Technology Overview

BackupEDGE uses a powerful combination of symmetric and asymmetric algorithms to encrypt and decrypt data. It is completely standards-based, and the methodology is published here to assure users that standards are being followed and that no “back doors” or other security holes are in place. Users of encryption should be aware of the potential consequences of lost or stolen keys or pass phrases before utilizing this technology.

BackupEDGE encryption is completely standards based. Encryption is fully integrated into the product and performed at the file level. No features are compromised or disabled when using encryption.

Encryption integrated at the file level provides the following benefits:

• only data that needs to be protected is encrypted.
• overall performance stays high as only critical files are subject to CPU intensive encryption.
• full compatibility with our bit-level verify, file checksum verify, indexing, quick file access and disaster recovery features is maintained.
• each encrypted file is pre-compressed using the powerful zlib libraries to ensure that no space is lost due to the inability of tape hardware compression implementations to compress encrypted data.

Optionally, a user may choose to encrypt an entire archive (except the file headers). This works perfectly well, but at the cost of additional CPU overhead.

Archive Protection Methodology

For maximum security, each archive is encrypted with its own private, 256 bit AES encryption key using the well documented Rijndael (pronounced Rhine-doll) formula. Separate, randomly generated keys for each backup (called the “session keys”) assure that access to multiple archives does not provide a useful method for attacking the encryption.

Further, each file is compressed before encryption and a random byte is inserted into each 15 byte block of compressed data, further thwarting attempts to attack the encryption based on the attackers’ potential
knowledge of the pre-encrypted contents of one or more files on the archive.

The 256 bit encryption key for each session is created using a cryptographically strong, non-deterministic random number generator.

Licensing

An optional Encryption License is available to enable this feature. No additional products need to be installed; just re-register and activate with the purchased License serial number.

Whitepaper

This is serious, enterprise level encryption. Without the proper keys it is impossible to retrieve data encrypted by BackupEDGE. More information is available in our Encryption Whitepaper, and in the encryption section of our User Guide.

Last Updated - 2016/02/03