What Is the Reason for Encrypting Data in a Backup?
Instead of asking why you should encrypt your backups, you might be better off trying to justify the reverse. Ask yourself, “Why shouldn’t I encrypt my backups?” It’s harder to come up with a justifiable reason. And if you leave it at that, then you're encrypting. And that’s the right decision.
How Do You Want to Encrypt Backups?
There are two basic backup encryption technologies that help protect your backups: Source-side data encryption and server-side encryption. Source-side data encryption uses customer-controlled keys to encrypt your data before it leaves your server or network. In CloudBerry Backup, that means protecting your data with 256-bit AES encryption. The Advanced Encryption Standard is used worldwide and back in 2003 the U.S. Government announced it was secure enough to protect classified data. It’s a symmetric algorithm, meaning the same key is used to encrypt and decrypt your data. Think of the encryption key as the combination that opens the safe.
What happens if you lose your encryption key? In that case, you're out of luck. Without it, you're not going to be able to decrypt your backups. Not in your lifetime anyway. Which brings up the one administrative item you do need to do. And that tracks your encryption key usage. You'll need to keep these keys in a secure location (which may be a password safe or an encrypted document with limited access).
Think of the encryption key as the combination that opens the safe.
What is an Encryption Key?
What are these encryption keys and what do they look like? They are like passwords with combinations of letters, numbers, and symbols. They could be as simple (and insecure) as using the letter “a”, something complex and impossible to remember like “Da^\^K1'8Uay7pFIq:1S” or a memorable passphrase like “when.1.wasYoung-I-likedToGoOnROLLERcoasters”. There's no shortage of articles on the internet about password / key length and complexity. The important thing to remember is, the longer the key, the harder it is to crack the encryption with a brute force attack.
With your backups encrypted, only those with both access to the backup files and the encryption keys can decrypt your data.
How Does Server-Side Encryption Work?
Server-side encryption (SSE) is about protecting your data at rest at the storage level. It’s a feature that’s offered by many of the cloud storage providers. It has a few different names: Amazon S3 calls it Server-Side Encryption. Microsoft Azure calls it Storage Service Encryption. Google Cloud Platform calls it Encryption at Rest. Google enables the feature by default but with Amazon and Microsoft, it can be enabled with a single click. All implementations use AES with 256-bit keys. And it’s free.
So, what's it doing and why should you care? Server-Side Encryption automatically encrypts data when it arrives, stores the data on disk, and automatically decrypts the data when it leaves - using encryption keys managed by your cloud service account. There are options on many cloud providers where you can manage keys, but for now, we'll discuss the simplest implementation.
The data on disk is encrypted. Think of this as transparent data encryption with no passwords to remember. It’s an added layer of encryption that involves a click (or in the case of Google, nothing). The best example of its value is this: You put an important business document in cloud storage, but you do not perform any source-side encryption. Maybe you need to access the file as-is from external sources or maybe you simply forgot to enable source-side data encryption. In either case, server-side encryption automatically encrypts the file and stores it on disk – transparently to you. If someone should break into the cloud storage facility and steal a hard drive, the data is safe – even without you applying your own encryption. Anyone with raw data access will not have access to the service controlled encryption keys and will not be able to do anything with the raw data on disk. Your file is safe.
But if you're encrypting your backup data first, is there a need to also use server-side encryption? The short answer is, yes. It’s an added layer of protection, it’s free, and it’s transparent. So why not? It’s better to have two layers of encryption than one – especially if one comes with no administrative overhead or cost.
In CloudBerry Backup and CloudBerry Managed Backup, we support client-side encryption for cloud storage using AES 256-bit for cloud and local backup targets. We also support Server-Side Encryption on Amazon S3. With Microsoft Azure, you can enable storage service encryption with a single click. In Google, it’s automatic.
Let us know your thoughts in the comments below.