Carbonite Support > Encryption

Encryption

  • This article is for Windows only

Carbonite Safe Server Backup (CSSB) offers encryption options that provide 100% privacy of your backup data. CSSB supports two different types of encryption:

You can view these encryption options within the Advanced section of the backup set.

Advanced Options
Auto encryption is enabled by default.

To add a private key, click the link for Add Private Key with 256-bit encryption. Additional information is provided in the section below.

The sections below are collapsed. Please click the section title to open / close a particular section.

Private Key Encryption

With Private Key Encryption, each user will create a unique key generated from a passphrase. The encryption key or passphrase is required in order to restore data.

Private Encryption Keys will encrypt your backups using AES 256-bit encryption. AES 256-bit encryption is trusted worldwide.

If Private Key Encryption is chosen, you are responsible for safe and secure storage of your encryption keys. Carbonite does not store your encryption keys or passphrase anywhere. Replacement keys can be created if you remember your chosen passphrase. If you lose your private encryption key AND forget your passphrase, neither you nor Carbonite will be able to decrypt your encrypted backup data.

Creating a New Private Encryption Key

You need to first create a private encryption key. To create the key:

  1. Navigate to the Advanced section of the backup set.
  2. Click Add Private Key with 256-bit encryption.
  3. A new window will appear.
  4. Enter a Key Name. This will be the name of the file stored on disk.
  5. Choose a passphrase.
    1. The passphrase must be at least four characters in length.
  6. Confirm the passphrase.
  7. Choose a location to save your encryption key to.
    1. A copy of the key must remain in this location in order to encrypt your backups.
  8. Click OK. A new window will appear to confirm that the encryption key was created.
  9. Click OK in the new window.
  10. Save the backup set. All future backups for this backup set, local and cloud, will be encrypted using your Private Encryption Key.
    1. Past backups, if they exist, are not retroactively encrypted.

Adding an Existing Private Encryption Key

You may use an already-existing Private Encryption Key with other backup sets.

  1. Navigate to the Advanced section of the backup set.
  2. Click Add Private Key with 256-bit encryption.
  3. A new window will appear and ask you if you wish to use the existing key.
  4. Click Enable.
  5. Save the backup set. All future backups for this backup set, local and cloud, will be encrypted using your Private Encryption Key.
    1. Past backups, if they exist, are not retroactively encrypted.

Deleting an Existing Private Encryption Key

To delete an encryption key:

  1. Select any backup set for which Private Key Encryption is enabled.
  2. Navigate to the Advanced section of the backup set.
  3. Click Delete Key.
  4. A window will appear to confirm your deletion and warn you that a copy of the key should be kept for decryption purposes.

Existing Private Encryption Keys cannot be modified. To change a key, first delete a key and create a new one.

Auto Encryption

Carbonite Safe Server Backup will automatically encrypt your backups on the cloud using AES 128-bit or better encryption. Transfer of your backup data to the cloud is secure using the Transport Layer Security (TLS) protocol. The encryption itself takes place server-side on the cloud.

Auto Encryption only applies to backups stored on the cloud. Local backups will not be encrypted. If encryption of locally-stored backups is required, you must use the Private Key Encryption option.

Restoring Encrypted Backups

No additional steps are required to restore backups that are encrypted with the Auto Encryption option. All encryption and decryption is done automatically.

For Private Key Encryption, a copy of the encryption key is required. Without that key, your data cannot be decrypted, but your passphrase can be used to generate a new copy of the encryption key.

There are two fields on the Restore page pertaining to private encryption keys. Both are found in the Choose your private key for decryption section.

  • Name of available private key(s) for decryption: This dropdown box is populated by all existing keys in the folder selected above.
    • In most cases, there will be no need to select a key from this folder. CSSB will automatically pick up the correct key for the restore.
    • If the correct key does not exist, you may create a new one by selecting Create a Private Key for Decryption from this dropdown box.
  • Create a Private Key for Decryption: This dropdown will enable you to create a private key for decryption. Additional information is provided in the section on How to Create a Private Key for Decryption.

How to Create a Private Key for Decryption

If you have lost, deleted, or are otherwise unable to locate the Private Encryption Key(s) used for backup, you may recreate the key for decryption purposes.

  1. On the Restore page, select the backup set to restore.
  2. After making your selection, find the Choose your private key for decryption field.
  3. Click on the dropdown box.
  4. Choose Create a Private Key for Decryption from the dropdown box.
  5. A menu will appear.
  6. Give the new key a name.
    • It is not required that you use the same name for the Decryption key as the original Encryption key. CSSB will identify the key based on its content, not its name.
  7. Provide the exact passphrase as was used for the original key.
    • You must type the exact same passphrase.
    • If the passphrase has any differences from the original (including capitalization, spaces, and punctuation, etc), decryption will fail.
  8. Keys created through this option are only used for decryption.
    • To create a key for encryption, please Create a New Private Encryption Key as described above.
Feedback