IT security is arguably more important than it has ever been. As such, administrators have been conditioned to encrypt data whenever possible. Even so, the "encrypt everything" plan might not always be the best course of action, especially when it comes to your backups.
Before I begin debating the advantages and disadvantages of backup encryption, it is important to point out that there are many different forms of backup encryption. Backup encryption could refer to disk-based storage encryption, encrypted backup tapes, network transport encryption, or a number of other encryption types. For the purposes of this article, I will focus on encrypting backup tapes.
The advantages of backup tape encryption
The main argument in favor of encrypting your backup tapes is that encryption helps prevent data leakage. Best practices for tape backups dictate shipping your backup tapes (or at least a copy of each backup tape) offsite. In many cases, this means having a courier service physically move data on tape from your data center to a secure location. The result is that the data is out of your direct control. The only way to adequately protect that data is through encryption.
Protecting sensitive data against prying eyes may be compelling enough to warrant backup encryption. However, federal regulations may also come into the picture. HIPAA, for example, requires companies to protect sensitive data against exposure. As such, an unencrypted backup tape could possibly be considered a direct violation of these requirements, even if the backup tape is not handed over to a third party.
The downside to backup encryption
Encryption is designed to keep the bad guys from being able to access your data. In some situations, however, encryption can keep you from being able to access your data as well. This is especially true for backup tape encryption.
Consider, for example, the way that encryption works for some LTO tape drives. LTO versions from LTO-4 to LTO-6 support 256-bit AES encryption at the hardware level. Each vendor has its own way of doing things, but generally speaking, the encryption process works by transmitting a symmetric key to the tape drive at the beginning of the backup operation. This key is used to encrypt the data as it is written to tape.
To ensure that the data remains secure, the encryption key itself is never written to the tape. Tape drive vendors also typically refrain from storing the encryption key in the tape drive for any longer than is absolutely necessary. Otherwise, a disgruntled employee might be able to read an encrypted backup tape simply by stealing the tape drive that was used to write the data to the tape.
While this method of protecting encrypted data goes a long way toward preventing data leakage, it can also be problematic in the event of a large-scale disaster. If the organization's backup servers are destroyed, then there is a good chance that the encryption keys will also be destroyed, which would mean that there is no way to decrypt the data. Encrypted data without the encryption keys is really no different from corrupt data. If you don't have the encryption keys, then your backups are useless.
That isn't to say that there is no way to protect the encryption keys. There are plenty of best practices for encryption key management. It's just that key management adds extra layers of complexity to the backup and restoration process. If a major disaster should strike, the process of retrieving the keys and adding them to a new backup server could increase the time that it takes to get started with the recovery operation.
Having a key management system in place isn't enough. Administrators must come up with a comprehensive plan for protecting the key management system. Typically, this means backing it up separately from everything else and storing those backups in a way that makes it easy to retrieve the keys in the event of a large-scale disaster.
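The failure mode described above can be checked before a disaster rather than discovered during one. The following is an added example, not code from any backup product: it takes a tape catalog and a key inventory, simulates the loss of one site, and lists the tapes that could no longer be decrypted. The barcodes, key IDs, site names, and record layout are all constructed for illustration.

```python
import hashlib

def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint so copies can be compared without handling raw keys."""
    return hashlib.sha256(key).hexdigest()[:16]

# Constructed sample data: tape barcode -> key ID recorded in the backup catalog.
TAPES = {"A00001L6": "k-2023-01", "A00002L6": "k-2023-01",
         "A00003L6": "k-2023-02", "A00004L6": "k-2023-03"}

# Constructed 256-bit keys, standing in for the keys sent to the drive.
K1, K2, K3 = (bytes([n]) * 32 for n in (1, 2, 3))

# Constructed key inventory: key ID -> fingerprint taken when the key was created,
# plus each site holding a copy and the fingerprint of what that copy contains.
KEYS = {
    "k-2023-01": {"expected": fingerprint(K1),
                  "copies": {"datacenter": fingerprint(K1),
                             "offsite-vault": fingerprint(K1)}},
    "k-2023-02": {"expected": fingerprint(K2),
                  "copies": {"datacenter": fingerprint(K2)}},       # no offsite copy
    "k-2023-03": {"expected": fingerprint(K3),
                  "copies": {"datacenter": fingerprint(K3),
                             "offsite-vault": fingerprint(K1)}},    # wrong key escrowed
}

def unrecoverable_tapes(tapes, keys, lost_site):
    """Return {barcode: reason} for tapes that cannot be decrypted once lost_site is gone."""
    problems = {}
    for barcode, key_id in sorted(tapes.items()):
        record = keys.get(key_id)
        if record is None:
            problems[barcode] = f"{key_id}: key not in inventory"
            continue
        surviving = {s: fp for s, fp in record["copies"].items() if s != lost_site}
        if not surviving:
            problems[barcode] = f"{key_id}: only copy was at {lost_site}"
        elif record["expected"] not in surviving.values():
            problems[barcode] = f"{key_id}: surviving copies do not match the key used"
    return problems

if __name__ == "__main__":
    for barcode, reason in unrecoverable_tapes(TAPES, KEYS, "datacenter").items():
        print(barcode, "UNRECOVERABLE:", reason)
```

Comparing fingerprints rather than merely counting copies catches the case where an offsite copy exists but holds the wrong key, which is indistinguishable from having no copy at all when a restore is attempted.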
So should you be encrypting your backups? In some cases, regulatory requirements, or the sensitivity of the data that is being backed up, make encryption an absolute must. In other cases, deciding whether to encrypt your backups means weighing the security benefits against the risk of encryption-related data loss. If you do decide to encrypt your backups, it is extremely important to store copies of the encryption keys off-premises so that the keys can be retrieved.