Getting Started with Backup Encryption
Topic
This article describes the agent encryption feature on Datto appliances.
Environment
- Datto SIRIS
- Datto ALTO XL
Description
Datto SIRIS and Datto ALTO XL can add security by requiring operators to enter an encryption key to access your backup data. You configure encryption on a per-agent basis.
Requirements
- Agents can have their data encrypted on SIRIS and ALTO XL devices. Encryption is not supported on standard ALTO devices.
- Encryption protection must be enabled for a dataset during the Protect process. This cannot be retroactively applied or removed once the agent has been paired.
- Backup encryption is compatible with the following solutions:
  - Datto Windows Agent
  - Datto Linux Agent
  - Agentless Backups
  - Universal Backups
- If you are re-adding a protected machine that is already on the Datto, you will need to either archive or remove the previous pairing before adding the agent back, and then take a new full encrypted image to be sent offsite.
Limitations
- If the passphrase is lost, all backup data is rendered useless. In this situation, you must delete the encrypted backup chain and take a new full backup. Depending on the size of this full backup image, you may need to order a RoundTrip.
- Network Attached Storage directories on a Datto are not encrypted.
- You can give Datto Technical Support unencrypted access to backups and restorations for a maximum of 6 hours by granting Temporary Access.
- Encrypted agent backups are not compressed and so may take up more space.
- Restores of encrypted agents can take longer than non-encrypted agents.
- Upon reboot, you will need to enter the passphrase for the agent to resume backups.
- Any restore actions require the passphrase. Restore actions include file restores, Image exports, local virtualization, and bare metal restores.
- Restorations of an encrypted agent using the Virtualize via Hypervisor feature may fail to re-create the NFS datastore if the host device is power-cycled for any reason. This issue could potentially result in the destruction of the active dataset.
Using Encryption
- Pair the protected machine with the Datto device after installing any applicable agent software. During the pairing process, you will enter a passphrase to encrypt local backups. A passphrase is required for encryption to be enabled.
- The encryption passphrase will be required every time the dataset is unsealed for a restore operation.
- If the Datto device is rebooted, the encryption passphrase must be entered for each agent before backups for these systems can resume. The passphrases can be entered on the Protect tab of the device GUI.
How Encryption Works
- Backups are encrypted with 256-bit AES in XTS mode.
- A master key is used to decrypt the backups, and master keys are independent and unique to the passphrases given. The master key is itself encrypted and can only be decrypted with a user key and other metadata.
- The user key is derived from the passphrase, and it cannot be decrypted without both the passphrase and the other metadata.
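The key hierarchy described above, as an added sketch that is not Datto's code: a random master key is wrapped under a user key derived from the passphrase and stored metadata. PBKDF2 and the XOR-plus-HMAC wrap are stand-ins chosen so the example runs on the Python standard library alone; the salt, iteration count, header layout and all function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _user_key(passphrase, salt):
    """Derive the user key from the passphrase plus metadata (here, a salt)."""
    okm = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                              ITERATIONS, dklen=96)
    return okm[:64], okm[64:]  # (wrapping pad, MAC key)


def wrap(master_key, passphrase):
    """Encrypt the master key under the user key; return the stored header."""
    salt = os.urandom(16)  # fresh per wrap, so the pad is never reused
    pad, mac_key = _user_key(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unseal(header, passphrase):
    """Recover the master key, or fail if the passphrase is wrong."""
    pad, mac_key = _user_key(passphrase, header["salt"])
    expect = hmac.new(mac_key, header["salt"] + header["wrapped"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, header["tag"]):
        raise ValueError("wrong passphrase or corrupted header")
    return bytes(a ^ b for a, b in zip(header["wrapped"], pad))


def new_agent(passphrase):
    """Create a per-agent master key and its wrapped header."""
    master_key = os.urandom(64)  # AES-256 in XTS mode takes 512 bits of key
    return master_key, wrap(master_key, passphrase)


def change_passphrase(header, old, new):
    """Re-wrap the same master key; the backup data itself is untouched."""
    return wrap(unseal(header, old), new)


if __name__ == "__main__":
    mk, hdr = new_agent("constructed sample passphrase")
    hdr2 = change_passphrase(hdr, "constructed sample passphrase", "a new one")
    print(unseal(hdr2, "a new one") == mk)
```

In a design like this, only the header holds anything derived from the passphrase, so without the passphrase there is nothing from which the master key can be rebuilt.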
Working with Technical Support on Encrypted Production Machines
- Datto Technical Support will never ask for a passphrase to decrypt backups. It is against policy and defeats the purpose of having encrypted backups.
- Datto Technical Support cannot assist with troubleshooting any restoration unless the restoration has been decrypted from the device UI first.
- Datto technicians cannot unmount and remount restorations for testing unless you decrypt each restoration first or grant temporary access through a Remote Web session.
NOTE For security purposes, the Enable Temporary Troubleshooting Access feature is only available when logging into the Datto appliance through the Partner Portal.
FAQ

During the encrypted agent passphrase creation process, your Datto appliance will check for passphrase strength via zxcvbn and provide feedback about its complexity in the GUI. Passphrases must adhere to the following criteria:
- A minimum length of 8 characters
- A maximum length of 128 characters
- A minimum score of 3 from zxcvbn
- Passphrases cannot contain Datto-specific common terms (Datto, SIRIS, device, partner, etc.)

For issues involving either the device in general or unencrypted agents, Datto Support Technicians will still have access via Secure Shell (SSH) and Remote Web (SSL) sessions for troubleshooting. When an issue involves an encrypted agent, and decryption is required for Datto Support to troubleshoot, partners can open a six-hour SSH session using their passphrase. The Datto Support Technician will then be granted access to that agent's data for the six (6) hour window to perform the necessary maintenance.
NOTE You can only open Secure SSH sessions from Remote Web (SSL) connections.

No. You will never need to share your password with Datto Support Technicians for any troubleshooting, support, or other device maintenance processes. If for whatever reason the passphrase is ever communicated to Datto, it will need to be reset by the partner immediately to ensure security standards are maintained.

To use encryption on an existing agent, you must remove and re-add it to the device. Removal will delete all the agent's local and cloud backups. Datto recommends that local recovery points be exported to external media before you remove the agent. Copying this data ensures you have incremental backups capable of virtualization in case a restore is required. You should also encrypt the external media to maintain security for exported backups.
If you would like to keep an agent's existing recovery points on the local device and in the cloud, you can archive it rather than removing it entirely. See the Archived agents Knowledge Base article for more information.

Agent data will always stay in its encrypted state. Data remains encrypted when in transit to our off-site cloud (or a Private Cloud Node), while in the cloud, and while in one of our encrypted RoundTrip devices. Datto highly recommends that you use Datto's RoundTrip drives to get encrypted agent data off-site.

No. Agent-level encryption is an optional tool to utilize when adding a new agent.

No. Datto does not possess a master decryption key for our encryption software. Should you ever lose your passphrase, the data associated with that agent will be permanently inaccessible. You must make this clear to your organization when enabling encryption on agents.

Yes, if an encryption passphrase is lost, although backup data is not retrievable, the agent can be removed by a user logged in via the Partner Portal.

Yes. You may change your encryption passphrase at any time. If you choose to do so, be sure to disseminate this information to the appropriate parties in your organization.