Managing key files for encrypted backups
Published 06 February 2015
SQL HyperBac can encrypt your backup files using the popular Advanced Encryption Standard (AES), with options to use AES-128, AES-192, or AES-256 encryption.
This page describes how SQL HyperBac uses key files to encrypt your backup data, and explains why it is important that you manage and back up these key files.
For more information about backing up using SQL HyperBac's default encryption settings, see Worked example: backing up with encryption. For information about setting up encryption options, see Working with file paths, extensions, and processing options.
About key files and encryption
When SQL HyperBac detects that a backup operation requiring encryption has started, it will first check the 'keys' directory on the SQL Server (located at 'C:\Program Files\Red Gate\HyperBac\keys' by default) to look for a valid key file:
- If SQL HyperBac finds a key file, it uses this key file to encrypt the backup data.
- If a key file does not exist, SQL HyperBac automatically generates a random key to encrypt the data, and saves the corresponding key file to the 'keys' directory.
You can think of the key file as equivalent to a password for accessing the encrypted backup data. If you lose the key file associated with an encrypted backup, the original backup data cannot be recovered.
Managing and backing up key files
You should ensure that you have a backup strategy for key files, and that key files are backed up and stored separately from the data they have been used to encrypt.
Your strategy for backing up and managing key files applies to all key files, whether SQL HyperBac generated them automatically or you created them yourself.
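One way to script such a key file backup is sketched below. This is an added example, not Red Gate code or part of SQL HyperBac. The 'keys' path is the default given on this page; the destination share and the backup data location are hypothetical values to replace with your own.

```powershell
# Added example: copy SQL HyperBac key files to a separate location and verify each copy.
# $KeyDir is the default 'keys' directory named on this page.
# $Destination and $BackupDataRoot are hypothetical values; replace them with your own.
param(
    [string]$KeyDir         = 'C:\Program Files\Red Gate\HyperBac\keys',
    [string]$Destination    = '\\keystore01\hyperbac-keys',
    [string]$BackupDataRoot = 'D:\SQLBackups'
)

$ErrorActionPreference = 'Stop'

# Key files must be stored separately from the data they encrypt:
# refuse to run if the destination is on the same volume or share as the backups.
$destRoot = [System.IO.Path]::GetPathRoot($Destination)
$dataRoot = [System.IO.Path]::GetPathRoot($BackupDataRoot)
if ($destRoot -ieq $dataRoot) {
    throw "Destination '$Destination' is on the same volume or share as the backup data ('$dataRoot')."
}

# The page does not state a key file extension, so every file in the directory is copied.
$files = Get-ChildItem -LiteralPath $KeyDir -File
if (-not $files) { throw "No key files found in '$KeyDir'." }

# One timestamped folder per run, grouped by server name, so older keys are never overwritten.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $Destination "$env:COMPUTERNAME\$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

$manifest = foreach ($f in $files) {
    $copy = Copy-Item -LiteralPath $f.FullName -Destination $target -PassThru
    # Compare SHA-256 of source and copy so a truncated or corrupted key file is caught now,
    # not at restore time.
    $src = (Get-FileHash -LiteralPath $f.FullName    -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copying '$($f.Name)'." }
    [pscustomobject]@{
        Name             = $f.Name
        SHA256           = $src
        LastWriteTimeUtc = $f.LastWriteTimeUtc.ToString('o')
    }
}

# The manifest lets you confirm later which key file was current when a backup was taken.
$manifest | Export-Csv -LiteralPath (Join-Path $target 'manifest.csv') -NoTypeInformation
Write-Output "Copied and verified $(@($manifest).Count) key file(s) to $target"
```

Restrict access to the destination to the accounts that perform restores, since anyone holding a key file and the matching backup can read the data.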