You have the option of sending your files to UBI in an encrypted format. This is referred to as ‘client-side encryption’. You select the files you want encrypted using either the GUI client or the configuration file, and you must keep the encryption password on your own machine. Below are the instructions on how to do this.
It is important to note that Spectrum Protect software is not able to encrypt filenames or paths, so users must ensure that their filenames and paths do not contain sensitive information.
Users MUST note that, per AD95, “Data encryption is not a substitute for, and should be used in conjunction with, other information protection controls….” Even with client-side encryption enabled, our recommendation is that UBI be used for Level 1 and Level 2 data only. UBI was NOT designed to comply with all of the internal policies and external regulations required for storage of Level 3 and Level 4 data. Users must evaluate the policies and regulations for their specific data type and determine whether or not encryption by itself is sufficient to reach compliance.
Graphical User Interface (GUI)
When using the GUI, Spectrum Protect will create the encryption rules for you. However, you will need to specify every file individually. If you wish to encrypt a large number of files, you will want to follow the instructions for Editing configuration files instead.
Run the Spectrum Protect Client and go to Edit > Preferences > Include-Exclude. Then select Category ‘Backup’ and Type Include.Encryption, browse to the file that you want to encrypt, and click Add.
Editing configuration files
Files can also be encrypted by adding lines to the configuration file.
At the end of the file, add lines specifying the files that you want to encrypt, beginning with include.encrypt. For example, to select the file c:\data\file.txt for encryption, add:
include.encrypt c:\data\file.txt
You need both a line that includes the file and a line that specifies encryption. The include and exclude lines are independent of the encryption rules. Without a line that includes a file, an include.encrypt line by itself does not include files for backup.
You must set Encryptkey to save (encryptkey save), either in the GUI or in the configuration file. With Encryptkey set to save, you are prompted for the encryption password only the first time you perform a backup. The password is stored encrypted in the password file on your machine. Thereafter, you will not be prompted for this password, but Spectrum Protect will continue to use this key to encrypt data that qualifies for the encryption process. If this encryption password file is lost or overwritten, you will be prompted for the encryption key the next time you attempt a backup or restore of the qualifying data. If you cannot recall the key, the data cannot be decrypted.
You MUST AVOID setting Encryptkey to “generate” if you are attempting to store sensitive data. Encryptkey generate stores the encryption password on the UBI servers. This automatically grants the UBI administrators access to decrypt the node’s data. A malicious actor with access to the UBI servers would be able to extract any encryption passwords stored on the server and access the encrypted data.
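The rules above (an include line plus an include.encrypt line for each file, and encryptkey set to save, never generate) can be checked before the first backup. The following is an added example, not part of the original instructions or of Spectrum Protect; the function name audit_options and the sample option text are constructed for illustration. It assumes one option per line, lines starting with * are comments, and no management class follows the include pattern.

```python
# Added example: audit client option text against the rules on this page.
# audit_options and both samples are constructed for illustration.

def audit_options(text):
    """Return a list of findings for an options file passed as a string."""
    includes, encrypts, encryptkey = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # '*' starts a comment line
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()               # option names are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "encryptkey":
            encryptkey = value.lower()
        elif name == "include":
            includes.add(value.lower())
        elif name == "include.encrypt":
            encrypts.append(value)

    findings = []
    if encryptkey == "generate":
        findings.append("encryptkey generate: key is stored on the server")
    elif encryptkey != "save":
        findings.append("encryptkey is not set to save")
    if not encrypts:
        findings.append("no include.encrypt lines: nothing is selected for encryption")
    for pattern in encrypts:
        # Simplification: exact, case-insensitive comparison; wildcards are
        # not evaluated, so a broader include pattern is still reported.
        if pattern.lower() not in includes:
            findings.append(f"include.encrypt {pattern}: no matching include line")
    return findings

# Constructed sample: key stored server-side, file never included for backup.
SAMPLE_BAD = r"""
* constructed sample
encryptkey generate
include.encrypt c:\data\file.txt
"""

# Constructed sample: follows the instructions on this page.
SAMPLE_GOOD = r"""
encryptkey save
include c:\data\file.txt
include.encrypt c:\data\file.txt
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_options(text) or "OK")
```

A finding about a missing include line is a prompt to review the file by hand, since this check does not expand wildcard patterns.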