Carbonite Support > Encryption

Encryption

  • This article is for Windows only

Carbonite Safe Server Backup (CSSB) offers encryption options that provide 100% privacy and security to your backup data. CSSB supports two different types of encryption:

Within the Advanced backup settings section of the user interface, you can view these encryption options.

Advanced Backup Settings

Click the Edit button to view and modify your encryption options for your backup. By default, Auto Encryption is enabled for all backups to the cloud.

Encryption

The sections below are collapsed. Please click the section title to open / close a particular section.

Private Key Encryption

With Private Key Encryption, each user will create a unique key generated from a passphrase. The encryption key or passphrase is required in order to restore data.

Private Encryption Keys will encrypt your backups using AES 256-bit encryption. AES 256-bit encryption is trusted worldwide.

If Private Key Encryption is chosen, you are responsible for safe and secure storage of your encryption keys. Carbonite does not store your encryption keys or passphrase anywhere. Replacement keys can be created if you remember your chosen passphrase. If you lose your private encryption key AND forget your passphrase, neither you nor Carbonite will be able to decrypt your encrypted backup data.

Creating a New Private Encryption Key

You need to first create a private encryption key. To create the key:

  1. Click the Edit button to the right of the Advanced backup settings panel.
  2. Click Add Private Key with 256-bit encryption.
  3. A new window will appear.
  4. Enter a Key Name. This will be the name of the file stored on disk.
  5. Choose a passphrase.
    1. The passphrase must be at least four characters in length.
  6. Confirm the passphrase.
  7. Choose a location to save your encryption key to.
    1. A copy of the key must remain in this location in order to encrypt your backups.
  8. Click OK. A new window will appear to confirm that the encryption key was created.
  9. Click OK in the new window.
  10. Save the backup set. All future backups for this backup set, local and cloud, will be encrypted using your Private Encryption Key.
    1. Past backups, if they exist, are not retroactively encrypted.

Adding an Existing Private Encryption Key

You may use an already-existing Private Encryption Key with other backup sets.

  1. Click the Edit button to the right of the Advanced backup settings panel.
  2. Click Add Private Key with 256-bit encryption.
  3. A new window will appear and ask you if you wish to use the existing key.
  4. Click Enable.
  5. Save the backup set. All future backups for this backup set, local and cloud, will be encrypted using your Private Encryption Key.
    1. Past backups, if they exist, are not retroactively encrypted.

Deleting an Existing Private Encryption Key

To delete an encryption key:

  1. Select any backup set for which Private Key Encryption is enabled.
  2. Click the Edit button to the right of the Advanced backup settings panel.
  3. Click Delete Private Key.
  4. A window will appear to confirm your deletion and warn you that a copy of the key should be kept for decryption purposes.

Existing Private Encryption Keys cannot be modified. To change a key, first delete a key and create a new one.

Auto Encryption

Carbonite Safe Server Backup will automatically encrypt your backups on the cloud using AES 128-bit or better encryption. Transfer of your backup data to the cloud is secure using the Transport Layer Security (TLS) protocol. The encryption itself takes place server-side on the cloud.

Auto Encryption only applies to backups stored on the cloud. Local backups will not be encrypted. If encryption of locally-stored backups is required, you must use the Private Key Encryption option.

Restoring Encrypted Backups

No additional steps are required to restore backups that are encrypted with the Auto Encryption option. All encryption and decryption is done automatically.

For Private Key Encryption, a copy of the encryption key is required. Without that key, your data cannot be decrypted, but your passphrase can be used to generate a new copy of the encryption key.

There are two fields on the Restore page pertaining to private encryption keys. Both are found in the Review your restore settings section. Click the Edit button to reveal encryption-related settings.

  • Available Private Key(s) for Decryption: This dropdown box is populated by all existing keys in the folder selected above.
    • In most cases, there will be no need to select a key from this folder. CSSB will automatically pick up the correct key for the restore.
    • If the correct key does not exist, you may create a new one by selecting Create a Private Key for Decryption from this dropdown box.
  • Decryption Key Folder: This is the folder that contains your Private Encryption Keys.
    • Alter this field only if your encryption key has been moved, deleted, or otherwise lost.

How to Create a Private Key for Decryption

If you have lost, deleted, or are otherwise unable to locate the Private Encryption Key(s) used for backup, you may recreate the key for decryption purposes.

  1. On the Restore page, find the Available Private Key(s) for Decryption field inside the Review your restore settings section.
  2. Click on the dropdown box.
  3. Choose Create a Private Key for Decryption from the dropdown box.
  4. A menu will appear.
  5. Give the new key a name.
    • It is not required that you use the same name for the Decryption key as the original Encryption key. CSSB will identify the key based on its content, not its name.
  6. Provide the exact passphrase as was used for the original key.
    • You must type the exact same passphrase.
    • If the passphrase has any differences from the original (including capitalization, spaces, and punctuation, etc), decryption will fail.
  7. Keys created through this option are only used for decryption.
    • To create a key for encryption, please Create a New Private Encryption Key as described above.
Feedback