Vault encryption, Vault administrators – Acronis Backup for Windows Server Essentials - User Guide User Manual


Copyright © Acronis International GmbH, 2002-2014

Vault encryption

If you protect a vault with encryption, anything written to the vault will be encrypted and anything
read from it will be decrypted transparently by the storage node using a vault-specific encryption key
stored on the node. If the storage medium is stolen or accessed by an unauthorized person, the
malefactor will not be able to decrypt the vault contents without access to the storage node.

This encryption has nothing to do with the archive encryption specified by the backup plan and
performed by an agent. If the archive is already encrypted, the storage node-side encryption is
applied over the encryption performed by the agent.

To protect the vault with encryption

1. Select one of the following encryption algorithms from the drop-down list:

AES 128 – the vault contents will be encrypted using the Advanced Encryption Standard (AES)
algorithm with a 128-bit key.

AES 192 – the vault contents will be encrypted using the AES algorithm with a 192-bit key.

AES 256 – the vault contents will be encrypted using the AES algorithm with a 256-bit key.

2. In the Enter the word field, specify a word to be used for generating the encryption key.

Details. The word is case-sensitive. You will be asked for this word only when attaching the vault
to another storage node.

3. In the Confirm field, re-type the word you just entered.
4. Click OK.

The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a
randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the
longer it will take for the program to encrypt the archives stored in the vault and the more secure the
archives will be.

The encryption key is then encrypted with AES-256 using a SHA-256 hash of the selected word as a
key. The word itself is not stored anywhere on the disk; the word hash is used for verification
purposes. With this two-level security, the archives are protected from any unauthorized access, but
recovering a lost word is not possible.
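
The key hierarchy described above, as an added example (not Acronis code): a random vault key is wrapped with AES-256 under the SHA-256 hash of the word, and attaching the vault requires the same case-sensitive word. The function names, the record layout, CBC with a random IV and PKCS7 padding for the wrap, and the form of the stored check value are assumptions, since the page does not specify them; the code uses the third-party `cryptography` package.

```python
import hashlib, hmac, os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def word_key(word: str) -> bytes:
    # Per the page: the SHA-256 hash of the case-sensitive word is the AES-256 key.
    return hashlib.sha256(word.encode("utf-8")).digest()

def create_vault_key(word: str, bits: int):
    """Return (vault_key, record): a random key and its wrapped, storable form."""
    if bits not in (128, 192, 256):
        raise ValueError("key size must be 128, 192 or 256 bits")
    vault_key = os.urandom(bits // 8)      # random; never derived from the word
    kek, iv = word_key(word), os.urandom(16)
    padder = padding.PKCS7(128).padder()   # a 192-bit key is not block-aligned
    padded = padder.update(vault_key) + padder.finalize()
    enc = Cipher(algorithms.AES(kek), modes.CBC(iv)).encryptor()
    record = {
        "iv": iv,
        "wrapped_key": enc.update(padded) + enc.finalize(),
        # Assumption: the check value is a hash of the word hash, so neither
        # the word nor the key-encryption key itself is written to disk.
        "word_check": hashlib.sha256(kek).digest(),
    }
    return vault_key, record

def attach_vault(word: str, record: dict) -> bytes:
    """Verify the word and unwrap the vault key, as when attaching to a new node."""
    kek = word_key(word)
    if not hmac.compare_digest(hashlib.sha256(kek).digest(), record["word_check"]):
        raise PermissionError("word does not match; vault key stays wrapped")
    dec = Cipher(algorithms.AES(kek), modes.CBC(record["iv"])).decryptor()
    padded = dec.update(record["wrapped_key"]) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()

if __name__ == "__main__":
    key, rec = create_vault_key("Blue-Heron 73", 192)   # constructed sample word
    print("recovered:", attach_vault("Blue-Heron 73", rec) == key)
    try:
        attach_vault("blue-heron 73", rec)              # same word, different case
    except PermissionError as err:
        print("rejected:", err)
```

Nothing in the stored record can restore a lost word, and because the wrapping key is a hash of the word, the wrapped vault key is only as strong as the word chosen.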

Vault administrators

Vault administrators can back up to the vault and can view and manage any archive stored in it. By
default, the Administrators group on the storage node is added to the vault administrators.

To add group or user accounts

1. Enter names of groups or users in the separate fields in accordance with the following patterns:

DisplayName (example: FirstName LastName).

UserName (example: User1).

ObjectName@DomainName (example: User1@Domain1).

DomainName\ObjectName (example: Domain1\User1).

2. Once the names are entered, click Check names. If the entered name is found, click OK (the OK
button is disabled until the name is found).
If no objects were found, delete the name and enter another one. If several objects for the
entered name were found, select one of them and click OK, or click Cancel and specify another
name.
