For maximum protection, set backup encryption on an appliance or on a primary appliance for cluster-wide protection. You may encrypt a Safeguard Backup File (.sgb) with one of the following methods:

  • Standard (default): No password or GPG key is required.

  • Password: You can enter any password value. You must have the password to restore the backup.

    CAUTION: Make sure to save the password in a safe vault. There is no way to recover the password needed to restore the backup.

  • GNU Privacy Guard (GPG) public key (RSA only): You can upload a .txt file with the public key and meta data or copy and paste the public key and meta data to SPP. A backup file created with a GPG public key is encrypted when it is downloaded or archived. Only the private key holder can decrypt the backup file prior to the file being uploaded and restored. Once the private key holder decrypts the backup, the backup is the same as a backup generated when only appliance protection was selected.

    CAUTION: Make sure to save the GPG private key in a safe vault. There is no way to unencrypt the GPG protected file without the private key.

Once set, future backups created manually or automatically are protected.

SPP detects all attempted uploads of an invalid backup. If a backup is GNU Privacy Guard (GPG) encrypted, a message like the following displays: The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance. An audit event is created for the failed backup load with the error reasons which include an invalid signature.

For details, see:

To configure backup protection

  1. If you will use GPG key protection, generate your public key file and create a .txt file to be uploaded or copy and pasted.
  2. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention > Backup and Restore. Then, click Settings.
  3. From the Backup Settings dialog, select the type of backup protection for the appliance. The settings on a primary appliance are replicated to the cluster. The settings are read-only on each cluster node.
    • Appliance Protection Only: This is the default and includes no password or GPG Key protection of the backup. The backup is only encrypted as a Safeguard genuine backup.
    • Add Password Protection: Once selected, enter the password in the Backup Password text box. If a password already exists, a static number of dots display. You can type in a new password in place of the existing password and then confirm the password. The password you type in is used for backups made from the time the password is set until it is changed. Make sure to keep the password information in a safe vault.
    • Add GPG Key Protection: Once selected, do one of the following:
      • Click Browse to upload the public key file from a .txt file you created earlier.
      • Paste the public key information generated earlier into the text box.

      When you navigate back to this dialog, you will see the name, fingerprint, and the detail to identify the public key file.

      The GPG public key you submit is used for backups generated from the time protection is set until it is changed. Once a backup is generated while GPG is set, it will always be downloaded or archived with the GPG public key encryption, regardless of any settings changed on the appliance after it is generated. The GPG public key encryption stays with the backup metadata. In addition, if you upload the backup to another appliance, downloading the backup again will encrypt it with the same GPG public key originally provided.

  4. Click OK.