Previous Topic: Change the Current Encryption AlgorithmNext Topic: How Arcserve Backup Encrypts Data at the Agent Server


Arcserve Backup Data Encryption

Arcserve Backup provides the flexibility to use encryption to protect sensitive data during various stages of the backup process. Generally, during the backup process, the sooner the data encryption occurs, the more secure your information will be. However, speed, performance, and scheduling restrictions are also factors to consider when choosing the best approach to securing your data.

The three different ways to encrypt data in a backup job are:

These encryption options are accessible from the Encryption/Compression tab on the Global Options dialog for the Backup Manager. From this dialog you can choose to encrypt the data at the agent, at the backup server (during backup), or at the backup server (during migration).

You can also create a session encryption password that is saved to the Arcserve Backup database. This password is used to encrypt session data. For more information about passwords, see the topic How Password Management Works.

Note: Arcserve Backup will only encrypt data that is not already encrypted. If at any stage in the process Arcserve Backup detects that the data has already been encrypted, it will not attempt to encrypt it again. Since data deduplication is a form of encryption, you cannot encrypt data saved to a deduplication device.

In addition, there are also two basic methods for encrypting data; hardware encryption and software encryption. The advantages of hardware encryption are speed and improved CPU performance. Encryption using software is slower than encryption using hardware and can result in a larger backup window. By using hardware encryption, you can also avoid unnecessary CPU cycles on either the agent server or the backup server and the drive can compress the data before encrypting.

If you select to have your data encrypted during the backup or migration process, Arcserve Backup has the ability to detect if the final destination media (tape) is capable of hardware encryption and by default will automatically choose that hardware method if available.