Disk Safe Encryption
The Disk Safe where you store the backed-up data has a "Use Encryption" option. This option can be enabled while creating the Disk Safe.

Encryption of the Disk Safe cannot be disabled later. Only the passphrase can be changed for the Disk Safe. If you no longer need encryption, you will need to create a new Disk Safe. After you click the "Change Passphrase" button located on the Disk Safe edit page, a box for changing the passphrase is displayed.

Disk Safes currently support encryption using 128-bit RSA Keys and the Blowfish Cipher for symmetric encryption. There are plans to add other encryption ciphers and key size options in the future. When the CDP Agent is first installed, a unique RSA Key and a Symmetric Blowfish Cipher Key are generated. These Keys are used when encryption is enabled.
The default installation location for these files on the CDP Agent is /etc/buagent. The PEM encoded RSA Key is rsa.key. The Symmetric Blowfish Key is stored with a SHA-1 checksum and encrypted with the RSA Key.
When encryption is enabled for a new Disk Safe, an Encryption Setup Task is run. The Encryption Setup Task connects to the Agent and downloads a copy of the Agent's RSA Key and Backup Key over the encrypted socket established between the CDP Server and Agent. The RSA Key is stored in the Disk Safe and encrypted using the passphrase specified during Disk Safe creation. The RSA Key and Backup Key stored on the CDP Server are used to run MakeFileList Tasks and Restore encrypted files. They are also sent to the CDP Agent during a Bare-Metal Restore to decrypt your Disk Image. The RSA Key and Backup Key stored on the server are useless without the passphrase.
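Because the Agent's RSA Key and the RSA-encrypted Blowfish Key both live in /etc/buagent, access to that directory decides who can obtain the key material. The shell function below is an added example, not part of the product or its documentation: it flags any file in the directory with group or other permission bits and checks that rsa.key begins with a PEM boundary line. The function name audit_key_dir and the owner-only permission policy are assumptions.

```shell
#!/bin/sh
# Added example (not product code): audit the CDP Agent key directory.
# Assumption: key material should carry no group/other permission bits.
# Usage: audit_key_dir /etc/buagent

# Prints findings; returns 0 if clean, 1 on findings, 2 if DIR is absent.
audit_key_dir() {
    dir=${1:-/etc/buagent}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 2
    fi

    # The directory and everything in it: flag any group/other bit.
    loose=$(find "$dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null || true)
    if [ -n "$loose" ]; then
        echo "LOOSE PERMISSIONS (group/other bits set):"
        echo "$loose" | sed 's/^/  /'
        findings=1
    fi

    # rsa.key is documented as PEM encoded, so its first line must be a
    # "-----BEGIN <label>-----" boundary.
    key="$dir/rsa.key"
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        findings=1
    elif ! head -n 1 "$key" | grep -q -e '^-----BEGIN .*-----'; then
        echo "NOT PEM: $key has no PEM BEGIN line"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: $dir"
    return "$findings"
}
```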

| Notice Righteous Backup has strong encryption. If the passphrase used to protect an encrypted Disk Safe is lost, there is no way to recover the data. |