59950: Acronis Cyber Backup 12.5 and 12: security guidelines

Last update: 03-09-2020

This article covers the guidelines you should consider to keep your data and the communication between components secure.

In general, Acronis does not have any specific requirements and recommends you follow the software and hardware hardening guidelines of your organization’s security policies.

However, two recommended configurations will ensure improved security when it comes to your backup infrastructure.

1. Securing Data

To secure your data, we recommend encrypting all backups using AES, especially if they are stored offsite, for example, in the cloud.

The AES cryptographic algorithm operates in the Cipher-block chaining (CBC) mode and uses a randomly generated key with a user-defined size of 128, 192 or 256 bits. The larger the key size, the longer it takes for the program to encrypt the backups and the more secure your data is.

The encryption key is then encrypted with AES-256 using an SHA-256 hash of the password as a key. The password itself is not stored anywhere on the disk or in the backups; the password hash is used for verification purposes. With this two-level security, the backup data is protected from any unauthorized access, but recovering a lost password is not possible.

Important: There is no way to recover encrypted backups if you lose or forget the password.
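
The two-level key scheme described above, sketched as an added example (this is not Acronis code): a random data key is wrapped with AES-256 under the SHA-256 hash of the password. The CBC wrapping mode, the IV || ciphertext layout, the function names and the sample password are assumptions; the sketch omits padding, so it handles only 128- and 256-bit data keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// cbc runs AES-CBC over block-aligned input; the key length selects the AES variant.
func cbc(key, iv, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	mode := cipher.NewCBCDecrypter(block, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(block, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// NewBackupKey draws a random data key (keyLen 16 or 32 in this sketch) and wraps it
// with AES-256 keyed by SHA-256(password). Wrapped layout (assumed): IV || ciphertext.
func NewBackupKey(password string, keyLen int) ([]byte, []byte) {
	buf := make([]byte, aes.BlockSize+keyLen)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	// Cap the IV slice so append below cannot overwrite the data key in buf.
	iv, dataKey := buf[:aes.BlockSize:aes.BlockSize], buf[aes.BlockSize:]
	kek := sha256.Sum256([]byte(password))
	return dataKey, append(iv, cbc(kek[:], iv, dataKey, true)...)
}

// UnwrapKey recovers the data key; a wrong password silently yields a different key.
func UnwrapKey(password string, wrapped []byte) []byte {
	kek := sha256.Sum256([]byte(password))
	return cbc(kek[:], wrapped[:aes.BlockSize], wrapped[aes.BlockSize:], false)
}

func main() {
	dataKey, wrapped := NewBackupKey("constructed-sample-password", 32)
	fmt.Println("right password:", bytes.Equal(UnwrapKey("constructed-sample-password", wrapped), dataKey))
	fmt.Println("wrong password:", bytes.Equal(UnwrapKey("guess", wrapped), dataKey))
}
```

In this sketch a wrong password yields a different key rather than an error, which shows the role of the separate password check the article mentions. The wrapping key comes from the password alone, so the backup is only as strong as that password.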

Per-backup encryption

To enable per-backup encryption, specify the encryption settings when creating a backup plan. After a backup plan is applied, the encryption settings cannot be modified. To use different encryption settings, create a new backup plan.

To specify the encryption settings, check this topic.

We recommend using AES-256 for securing your data.

Per-machine encryption

If you need to enforce encryption of backups regardless of the backup plan encryption settings, save the encryption settings on each machine individually. The backups will be encrypted using the AES algorithm with a 256-bit key.

For more information on how to enable encryption per machine, check this topic.

2. Securing Connections

Most of the communication between Acronis components is already encrypted and secure.

However, the default link between your Web browser and the Acronis Management Server uses a standard HTTP connection and is vulnerable to an attack.

To secure this communication channel, we recommend enabling SSL encryption and forcing HTTPS in the Web interface.

See this article for detailed instructions.