Operation Manual

Copyright © Acronis International GmbH, 2002-2016
Encryption as a machine property
This option is intended for administrators who handle backups of multiple machines. If you need a
unique encryption password for each machine or if you need to enforce encryption of backups
regardless of the backup plan encryption settings, save the encryption settings on each machine
individually.
Saving the encryption settings on a machine does not affect the currently applied backup plans, but
will override the encryption settings of all backup plans applied later. Any backup created by these
backup plans will be encrypted, even if encryption is disabled in the plan. After the settings are saved, they
cannot be modified, but you can reset them as described below.
This option is available for machines running Windows or Linux. It is not supported for OS X.
This option can be used on a machine running Agent for VMware. However, be careful if you have
more than one Agent for VMware connected to the same vCenter Server. You must use the
same encryption settings for all of the agents, because a form of load balancing takes place among them.
To save the encryption settings on a machine
1. Log on as an administrator (in Windows) or the root user (in Linux).
2. Run the following script:
In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --set-password <encryption_password>
Here, <installation_path> is the backup agent installation path. By default, it is
%ProgramFiles%\BackupClient in 32-bit Windows and %ProgramFiles(x86)%\BackupClient
in 64-bit Windows.
In Linux: /usr/sbin/acropsh -m manage_creds --set-password <encryption_password>
The backups will be encrypted using the AES algorithm with a 256-bit key.
To reset the encryption settings on a machine
1. Log on as an administrator (in Windows) or the root user (in Linux).
2. Run the following script:
In Windows: <installation_path>\PyShell\bin\acropsh.exe -m manage_creds --reset
Here, <installation_path> is the backup agent installation path. By default, it is
%ProgramFiles%\BackupClient in 32-bit Windows and %ProgramFiles(x86)%\BackupClient
in 64-bit Windows.
In Linux: /usr/sbin/acropsh -m manage_creds --reset
Important: After you reset the encryption settings on a machine, the backups of this machine will fail. To
continue backing up the machine, create a new backup plan.
How the encryption works
The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a
randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the
longer it will take for the program to encrypt the backups and the more secure your data will be.
The encryption key is then encrypted with AES-256 using an SHA-256 hash of the password as a key.
The password itself is not stored anywhere on the disk or in the backups; the password hash is used
for verification purposes. With this two-level security, the backup data is protected from any
unauthorized access, but recovering a lost password is not possible.
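The two-level scheme described above, sketched with the openssl command-line tool. This is an added example, not Acronis code. The function names, the random IV stored as "iv:base64", the hex-text form of the wrapped key and the wrong-password check are assumptions, since the manual does not specify them.

```bash
#!/usr/bin/env bash
# Two-level key scheme from the text, sketched with the openssl CLI.
# Assumptions (not from the manual): function names, a random IV stored as
# "iv:base64", and wrapping the data key as its hex text.

# Second level: the key-encryption key is SHA-256(password), 64 hex chars.
kek_from_password() {
    printf '%s' "$1" | openssl dgst -sha256 -r | cut -c1-64
}

# AES-CBC encrypt stdin under a hex key of 128, 192 or 256 bits.
encrypt_data() {                       # $1 = key (hex)
    local iv
    iv=$(openssl rand -hex 16)
    printf '%s:' "$iv"
    openssl enc -e -aes-$(( ${#1} * 4 ))-cbc -K "$1" -iv "$iv" -a -A
}

decrypt_data() {                       # $1 = key (hex), $2 = iv:ciphertext
    printf '%s\n' "${2#*:}" |
        openssl enc -d -aes-$(( ${#1} * 4 ))-cbc -K "$1" -iv "${2%%:*}" -a -A
}

# Wrapping the data key is AES-256-CBC under the password-derived key.
wrap_key() {                           # $1 = password, $2 = data key (hex)
    printf '%s' "$2" | encrypt_data "$(kek_from_password "$1")"
}

# Fails on a wrong password: bad padding, or output that is not a hex key.
unwrap_key() {                         # $1 = password, $2 = wrapped key
    local key
    key=$(decrypt_data "$(kek_from_password "$1")" "$2" 2>/dev/null) || return 1
    case $key in ''|*[!0-9a-f]*) return 1 ;; esac
    printf '%s' "$key"
}

# Demo on constructed values.
data_key=$(openssl rand -hex 32)       # first level: random 256-bit key
wrapped=$(wrap_key 'constructed-password' "$data_key")
backup=$(printf 'constructed backup contents' | encrypt_data "$data_key")
decrypt_data "$(unwrap_key 'constructed-password' "$wrapped")" "$backup"; echo
unwrap_key 'wrong-password' "$wrapped" >/dev/null ||
    echo 'wrong password: data key cannot be recovered'
```

Only the wrapped key depends on the password, so without the password the random data key, and with it the backup contents, cannot be recovered.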