DRAFT
Asking why encrypt backups is like asking the same question about laptops. Why do we encrypt them? To protect your data in the event of theft or loss.
Now, imagine you lose or have your backup disk stolen - it's the same thing. If the backup data isn't encrypted, it's like having your laptop stolen.
Even worse, imagine you lose your NAS backup disk, or someone steals it as you left your car’s door open. All your organization's key data in one place, most importantly, unsecured. If we protect our networks from outside intrusion, we also need to ensure that when our data is outside the secure perimeter, on a backup disk, that backup disk is itself secured.
Let's start with computer backups.
If you use CrashPlan for an online backup to an external disk, you're already secure without any further action on your part. CrashPlan encrypts everything it backs up, including external disks. CrashPlan encrypts your data using your SIL identity.
If you're using a program other than CrashPlan, you need to make sure you encrypt your backups. The location for this feature varies depending on the software.
In Acronis Cyber Protect, you'll find it in the advanced options of the backup job.
If you use Veeam agent for Microsoft Windows you find the option at the Local Storage stage, under Advanced
Then on the Storage tap, you can enable backup file encryption
With SyncBackFree, encryption can be found in the Expert view, under Compression.
Whatever software you choose, make sure it supports encryption.
Let's continue with NAS backups.
Synology implements encryption at various stages. You can encrypt a shared folder (the data is then encrypted on the NAS itself should anybody steal it). If you schedule C2 for cloud backups, it will encrypt data in transit (so that nobody can spy on the traffic during backup).
Your Synology NAS also supports backup encryption. You must set up when you create the backup task.
If you tick the option and provide a password it displays the following notification:
This is especially important! Without the password you cannot decrypt and access your backup. This is obviously what you are seeking to achieve to protect your data from robbers. But this also prevents anyone, including you, your colleagues, those who will replace you in case something happens to you or if you leave the company later on.
Should you enable backup encryption, you must make sure to store the password in a safe place that remains accessible to IT staff in the future.
After the next page (Rotation Settings), when you click “Done” on the “Summary” page, it will automatically create and download the PEM file, which is the certificate.
This certificate will be needed to access your backup in case you can no longer provide the password.
Make sure to store the certificate in a safe place.
You can take the module Secure Your Data in the SIL Information Security Training for End Users training to know more about secure backups.