The Guide to Backup Encryption and Data Security

Every UK business that takes backups is making a fundamental commitment to data protection — the commitment that if the worst happens, critical data can be recovered and business operations can resume. But here is a question that surprisingly few businesses ask: if your backup data were stolen, intercepted, or accessed by an unauthorised person, what would the consequences be? If your backups contain unencrypted copies of customer records, financial data, employee information, and business-critical documents, then your backup system is not just a recovery tool — it is a concentrated, easily portable copy of your most sensitive data.

Backup encryption addresses this risk by ensuring that backup data is rendered unreadable to anyone who does not possess the decryption key. Even if a backup tape is lost in transit, a cloud backup account is compromised, or a backup server is stolen from your premises, the data remains protected. Without the encryption key, the backup is nothing more than a meaningless stream of random characters.

For UK businesses, backup encryption is not just a best practice — it is increasingly a legal and regulatory expectation. The UK General Data Protection Regulation explicitly requires organisations to implement appropriate technical measures to protect personal data, and the Information Commissioner's Office has been clear that encryption is one of the most fundamental of those measures. Several high-profile ICO enforcement actions have specifically cited the absence of encryption as an aggravating factor in data breach investigations.

Understanding Backup Encryption Types

Backup encryption operates at different stages of the backup process, and understanding these stages is important for ensuring comprehensive protection. The three key stages are encryption at rest, encryption in transit, and encryption at the source (also called client-side encryption). A robust backup encryption strategy should address all three.

Encryption at rest protects backup data while it is stored on the backup target — whether that is a local disk, a tape cartridge, a NAS device, or cloud storage. When backup data is encrypted at rest, anyone who gains physical access to the storage media (for example, by stealing a tape or accessing a storage account) cannot read the data without the decryption key. Most modern backup solutions support AES-256 encryption at rest as a standard feature.

Encryption in transit protects backup data while it is being transmitted from the source to the backup target. This is particularly important for cloud backups, where data traverses the public internet, and for offsite backup replication between locations. TLS 1.2 or 1.3 encryption should be used for all backup data in transit, ensuring that the data cannot be intercepted and read by a third party during transmission.

Client-side encryption (encryption at the source) encrypts the data before it leaves the server or workstation being backed up. This is the most secure approach because the data is encrypted before it enters the backup infrastructure, meaning that neither the backup server, the storage system, nor the cloud provider ever has access to the unencrypted data. Only the organisation holding the encryption key can decrypt and read the backup data. This is particularly important for cloud backups, where you may not fully trust the cloud provider's security or may have contractual or regulatory obligations to maintain exclusive control over data access.

Encryption Key Management

The encryption is only as secure as the key management. If your encryption keys are stored alongside the encrypted backups, compromising the backup storage also compromises the keys — rendering the encryption meaningless. Conversely, if encryption keys are lost or corrupted, the backup data becomes permanently irrecoverable, which defeats the purpose of having backups in the first place. Key management is therefore the most critical aspect of backup encryption and deserves careful planning.

Key storage: Encryption keys should be stored separately from the encrypted backup data. Options include a dedicated hardware security module (HSM), a cloud-based key management service (such as Azure Key Vault or AWS KMS), or a secure, encrypted key store on a separate system. Never store encryption keys on the same server, storage device, or cloud account as the encrypted backups.

Key rotation: Encryption keys should be rotated periodically — typically annually — to limit the impact of a potential key compromise. When a key is rotated, new backups are encrypted with the new key, but old backups encrypted with the previous key remain readable as long as the old key is retained. Most enterprise backup solutions support automated key rotation and manage the association between backups and their corresponding keys.

Key recovery: Establish a documented key recovery process and test it regularly. If the primary key store is lost or corrupted, you need a reliable way to recover the encryption keys — otherwise your backup data is lost. Options include key escrow (depositing a copy of the key with a trusted third party), split-key custody (dividing the key into multiple parts held by different individuals), and secure offline storage of key backups in a physical safe or bank vault.

Cloud Backup Encryption Considerations

Cloud backup services such as Microsoft Azure Backup, Veeam Cloud Connect, Datto, and Acronis all provide encryption capabilities, but the implementation details vary significantly between providers. Understanding these differences is essential for making an informed choice and ensuring that your cloud backup encryption meets your security and compliance requirements.

The most important question to ask any cloud backup provider is: who holds the encryption keys? Some providers manage the encryption keys on your behalf (provider-managed keys), whilst others allow you to bring your own key (customer-managed keys or BYOK). Provider-managed keys are simpler to operate but mean the provider has the theoretical ability to decrypt your data. Customer-managed keys give you exclusive control but add the responsibility of key management and the risk of key loss.

For UK businesses subject to GDPR, the distinction matters. If your cloud backup provider holds the encryption keys, they are technically capable of accessing your personal data, which has implications for your data processing agreements and risk assessments. Customer-managed keys provide a cleaner compliance position because you can demonstrate that only your organisation can access the backup data, regardless of the cloud provider's access to the storage infrastructure.

Microsoft Azure Backup supports both platform-managed keys and customer-managed keys stored in Azure Key Vault. Veeam supports encryption with customer-held passwords. Datto encrypts data with AES-256 and stores keys separately from backup data. When evaluating providers, request their encryption architecture documentation and verify that it aligns with your security requirements.

Ransomware and Backup Security

Modern ransomware attacks specifically target backup systems. Attackers understand that if they can encrypt or delete your backups alongside your production data, you have no recovery option other than paying the ransom. This makes backup security — including encryption — a critical component of your ransomware defence strategy.

Encryption alone does not protect backups from ransomware — an attacker who gains administrative access to your backup system can simply delete or overwrite the encrypted backup files. Comprehensive backup security against ransomware requires multiple layers of protection working together.

Immutable backups cannot be modified or deleted for a defined retention period, even by administrators. This ensures that even if an attacker gains full control of your backup infrastructure, they cannot destroy the backup data. Azure Blob Storage Immutability Policies and Veeam Hardened Repository both provide this capability.

Air-gapped backups are physically or logically disconnected from your production network, making them inaccessible to ransomware that spreads through network connections. This can be achieved through offline tape storage, removable disk storage, or cloud backup with separate, non-networked credentials.

The 3-2-1 rule remains the gold standard for backup resilience: maintain at least 3 copies of your data, on at least 2 different storage types, with at least 1 copy offsite. For ransomware protection, this is sometimes extended to 3-2-1-1-0: 3 copies, 2 media types, 1 offsite, 1 immutable or air-gapped, and 0 errors (verified through regular restore testing).

UK Compliance Requirements for Backup Encryption

Several UK regulatory frameworks either require or strongly recommend backup encryption. Understanding these requirements helps ensure compliance and provides justification for the investment in encryption infrastructure.

UK GDPR (Article 32) requires organisations to implement appropriate technical and organisational measures to ensure the security of personal data, including "as appropriate, the encryption of personal data." While the regulation does not mandate encryption in all cases, the ICO has made clear that encryption should be considered a baseline security measure for personal data, particularly data that is stored or transmitted outside your primary systems — which includes backups.

Cyber Essentials does not explicitly require backup encryption, but it does require that data at rest on mobile devices and removable media is encrypted. If your backup media includes portable devices, removable disks, or tapes that leave your premises, encryption is required for Cyber Essentials compliance.

ISO 27001 (Annex A.10) includes specific controls for cryptographic measures, requiring organisations to develop a cryptographic policy and implement encryption where appropriate to protect the confidentiality, integrity, and authenticity of information. Backup data containing sensitive information falls clearly within scope.

PCI DSS (for businesses handling payment card data) requires encryption of cardholder data wherever it is stored, including in backups. AES-256 or equivalent is required, and encryption keys must be managed securely with documented procedures for key generation, distribution, storage, rotation, and destruction.

Testing Your Encrypted Backups

An encrypted backup that cannot be successfully decrypted and restored is worse than no backup at all — it provides false confidence. Regular restore testing is essential for any backup strategy, but it is doubly important when encryption is involved because there is an additional point of failure: the encryption key and decryption process.

Schedule quarterly restore tests that exercise the full recovery workflow: retrieving the backup data from storage, locating and applying the correct decryption key, decrypting the data, and restoring it to a test environment. Verify that the restored data is complete, consistent, and usable. Document the test results, including any issues encountered and the time taken for each step. This documentation serves both as an operational record and as compliance evidence for auditors and regulators.

Pay particular attention to key management during restore tests. Can you locate the correct key for a backup that is six months old? What about twelve months old? If your key rotation process has created multiple keys over time, is the association between backups and keys clearly documented and reliably managed? A restore test that fails because the encryption key cannot be found exposes a critical gap in your key management process that must be addressed immediately.