Wednesday, December 30, 2009

Encrypted Backups

Up until now, Windows Server Backup and Backup Assist couldn't encrypt backups.  And that hasn't changed at all!  :)  But what has changed is that the CRU Dataport 10 Secure and DataPort SecureDock devices (available through Datastor Australia) now work well with Backup Assist!

What this means is that using Backup Assist and a DataPort 10 Secure (or DataPort SecureDock) device, any backups written to the device are encrypted with 128-bit AES encryption - and this is whole drive encryption.  So if someone gets hold of a drive (ie, breaks into your house while you're at work and steals your offsite backup drives), then all they will see when they mount the drive in a computer is an uninitialized disk.  The only way to retrieve the data from the drive is through a DataPort 10 Secure or DataPort SecureDock device *and* using your hardware encryption token.

So, the upcoming Backup Assist 5.4, with its Hyper-V Granular Restore Console option and with the support for these secure CRU DataPort devices, will enably fully encrypted backups.  As a bonus, any additional data written to these drives, such as LOB database backups and/or accounting system backups will be AES encrypted!

This is great news for our clients - the reason I first spoke with Linus about this option was that we have a number of clients who have sensitive data (patient records, financial records, HR records, etc) that cannot really be stored offsite in an unencrypted format.  Previously, using Backup Assist, there was no real option to take this sort of data into account.  So I spoke with Linus, indicated the issue we have, worked with him on getting some DP 10 Secure devices to trial and then hounded him until he got it working!  (It didn't take much hounding, however, he's pretty responsive (and have I said yet that he's a nice bloke?) and easily saw the potential benefit.)

We've now got options.  We can use ShadowProtect where that's appropriate and Backup Assist where that's appropriate - we finally have real choice when it comes to fully encrypted backups!

Have a read of Linus' blog post on this enhancement to Backup Assist here.


The Outspoken Wookie
(Who is still supposed to be on holidays but has been working on this and a number of server sales - when this is all done today, he really, REALLY should take tomorrow and a few days after it off and have a real break!)

1 comment:

Chris Knight said...

Nice! Means I can get away from using TrueCrypt and keyfiles on USB keys.

Supposedly you can get Bitlocker and Windows Server Backup working together but it appears to be a non-trivial process.