Encryption & TLS

NGBackup protects data in transit and at rest.

Encryption in transit and at rest

  • AES-256-GCM encryption of backup data, performed by the File Daemon so data leaves the client already encrypted.
  • PKI key management — each client has a master/data key pair; only holders of the private key can restore.
  • Works together with deduplication and compression.
  • TLS between every component (Director, Storage Daemon, File Daemon, Console).
  • TLS Authenticate for mutual authentication between daemons.
  • The deduplication wire protocol adds its own HKDF-SHA256 + ChaCha20-Poly1305 AEAD channel.

All TLS and PKI directives are in the Director, Client and Storage references.