Location encryption
If you protect a location with encryption, anything written to the location will be encrypted and anything read from it will be decrypted transparently by the storage node, by using a location-specific encryption key stored on the node. If the storage medium is stolen or accessed by an unauthorized person, the malefactor will not be able to decrypt the location contents without access to the storage node.
This encryption has nothing to do with the backup encryption specified by the protection plan and performed by an agent. If the backup is already encrypted, the storage node-side encryption is applied over the encryption performed by the agent.
To protect the location with encryption
- Specify and confirm a word (password) to be used for generating the encryption key.
  The word is case-sensitive. You will be asked for this word only when attaching the location to another storage node.
- Select one of the following encryption algorithms:
  - AES 128 – the location contents will be encrypted by using the Advanced Encryption Standard (AES) algorithm with a 128-bit key.
  - AES 192 – the location contents will be encrypted by using the AES algorithm with a 192-bit key.
  - AES 256 – the location contents will be encrypted by using the AES algorithm with a 256-bit key.
- Click OK.
The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the longer it will take for the program to encrypt the backups stored in the location and the more secure the backups will be.
The encryption key is then encrypted with AES-256 using a SHA-256 hash of the selected word as a key. The word itself is not stored anywhere on the disk; the word hash is used for verification purposes. With this two-level security, the backups are protected from any unauthorized access, but recovering a lost word is not possible.
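The two-level scheme described above, as an added Go example that is not the product's own code: a random location key of the selected size is wrapped with AES-256-CBC under SHA-256 of the word, then unwrapped as it would be when the location is attached to another storage node. The function names `WrapKey` and `UnwrapKey`, the record layout (IV followed by ciphertext), the PKCS#7 padding and the padding-based wrong-word check are assumptions of this example; the page does not describe the on-disk format or how the word hash is verified.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrapKey makes a random location key and returns it with its wrapped record (assumed: IV || ciphertext).
func WrapKey(word string, keyBits int) (key, record []byte, err error) {
	if keyBits != 128 && keyBits != 192 && keyBits != 256 {
		return nil, nil, fmt.Errorf("key size %d: want 128, 192 or 256 bits", keyBits)
	}
	n := keyBits / 8
	buf := make([]byte, n+aes.BlockSize) // random location key || random IV
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	kek := sha256.Sum256([]byte(word)) // key-encryption key; the word is case-sensitive
	block, _ := aes.NewCipher(kek[:])  // a 32-byte key selects AES-256 and cannot fail
	pad := aes.BlockSize - n%aes.BlockSize // PKCS#7 padding (assumed)
	pt := append(buf[:n:n], bytes.Repeat([]byte{byte(pad)}, pad)...)
	record = append(buf[n:], make([]byte, len(pt))...)
	cipher.NewCBCEncrypter(block, buf[n:]).CryptBlocks(record[aes.BlockSize:], pt)
	return buf[:n], record, nil
}

// UnwrapKey recovers the location key; a wrong word gives a padding error or, rarely, a wrong key.
func UnwrapKey(word string, record []byte) ([]byte, error) {
	if len(record) < 2*aes.BlockSize || len(record)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed record")
	}
	kek := sha256.Sum256([]byte(word))
	block, _ := aes.NewCipher(kek[:])
	iv, pt := record[:aes.BlockSize], make([]byte, len(record)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, record[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("wrong word or corrupted record")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	key, rec, _ := WrapKey("Example-Word", 192) // constructed sample word
	fmt.Printf("location key: %d bytes, wrapped record: %d bytes\n", len(key), len(rec))
}
```

Because the key-encryption key here is a single SHA-256 of the word, the wrapped key is only as hard to recover as the word is to guess, so the word should be long and random.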