# Backup Encryption

When you choose an encryption key for your file and database backups, the resulting backup will be encrypted via **AES-256** and can only be decrypted using the same key you used.

Behind the scenes, OpenSSL is used and takes care of the encryption for you.

This works best when backups are also streamed ("Backup Streaming" is enabled) since it will happen on the fly and the backup output will not even exist unencrypted at any point in time during the backup state's transition.

## Encrypting your backup

Here's a step-by-step guide on how to generate a private key and obtain a PEM public key to use with SimpleBackups:

**1\. Create the private key**

To encrypt your backups, you need to generate a private key first. To do this, open the terminal on your computer and enter the following command:

```shell
openssl genrsa -aes256 -out private-key.pem 4096
```

This command generates an RSA private key that is 4096 bits long. The output file, `private-key.pem`, is encrypted with AES256. You'll be prompted to enter a password that will be used to protect your private key file. We recommend using a strong passphrase to ensure the security of your private key.

```plain
Generating RSA private key, 4096 bit long modulus... Enter pass phrase for private-key.pem:
```

**2\. Get the PEM public key to use**

Once you have generated the private key, you will need to obtain the corresponding PEM public key. To do this, run the following command:

```shell
openssl rsa -in private-key.pem -pubout > public-key.pem
```

This command generates a PEM public key file that you will use to encrypt your backups. The public key can be safely distributed, while the private key must be kept secret.

After running the command, you will need to copy and paste the contents of the `public-key.pem` file into SimpleBackups' encryption key field. To copy the public key straight to your clipboard, run the command for your operating system:

```shell
# macOS
cat public-key.pem | pbcopy

# Linux (X11, requires xclip)
cat public-key.pem | xclip -selection clipboard

# Windows (PowerShell)
Get-Content public-key.pem | Set-Clipboard
```

**3\. Save your private key**

It is important to keep your private key file safe and secure. We recommend storing it in a password-protected location, such as an encrypted USB device or a secure cloud storage service.

**4\. Encrypt your backups**

You can now use the PEM public key to encrypt your backups. Simply enter the contents of the `public-key.pem` file into SimpleBackups' encryption key field. When you run the backup, SimpleBackups will use the public key to encrypt your data.

ℹ️ To restore your backups, you will need to use the private key to decrypt the data. Make sure to keep your **private key** file safe and secure, and do not share it with anyone.

## Decrypting AES-encrypted backup

- Download your encrypted backup
- Download the AES encryption passphrase
- Decrypt the encryption passphrase using your RSA private key
- Decrypt your backup using the decrypted passphrase

![Backup Encryption screenshot 1](https://simplebackups.com/docs/docs-assets/media-helpkit-co/a09f1764bfbed79dac92.png)

Download the AES encryption passphrase

### Step 1. Decrypt Your Encryption Passphrase First Using The Following Command

```plain
cat encryption-passphrase.pass | base64 -d | openssl rsautl -decrypt -inkey private-key.pem -out decryption-passphrase.txt
```

Where **`private-key.pem`** is your private key (you never share it with anyone), **`encryption-passphrase.pass`** is the encrypted passphrase used to encrypt your backup via AES-256.

### Step 2. Finally, To Decrypt Your Backup, You Could Use The Following Command

```plain
openssl enc -d -aes-256-cbc -md sha512 -in encrypted-file-from-simplebackups.sql.gz -out decrypted-file.sql.gz -pass file:/home/path/decryption-passphrase.txt
```

Where **`encrypted-file-from-simplebackups.sql.gz`** is your encrypted SimpleBackups backup archive, **`decryption-passphrase.txt`** is the decrypted passphrase which will decrypt your backup.

👉 The **`encryption-passphrase.pass`** can only be decrypted using your RSA private key

👉 Your backup can only be decrypted using the decrypted **`encryption-passphrase.pass`**

👉 We store your **`encryption-passphrase.pass`** on our side, it is unique per backup run

👉 You are responsible for securing, and keep your **`private-key.pem`**, private

👉 No one can read or decrypt your encrypted backups, except you

👉 Once your backup has run, and you have a few logs, you cannot edit, remove or add an encryption key

## How backup encryption works?

We use AES-256 to encrypt your backups using your key via OpenSSL. Using this method is highly recommended, since you are the only one who can actually read your own backups, no one else can.

### High-level Overview

- Provide an RSA asymmetric public key
- SimpleBackups uses this RSA key to encrypt a random passphrase at runtime
- SimpleBackups, then, encrypts your backup on the fly on its way to your storage
- Files resting on your storage are encrypted by AES-256 and are unreadable
- Download your backup and decrypt it using your private key and the encryption passphrase

## What happens if I lose my private encryption key?

You will **LOSE** access to your encrypted backup, and will not be able to decrypt it. No one can help in this situation. It is extremely important that you keep your private key safe, and never lose it.

## Can I use an RSA SSH public key, not in PEM format?

No. You can use this command to convert a private SSH key into the public RSA PEM key:

```shell
ssh-keygen -f ~/.ssh/id_rsa -e -m pkcs8 > id_rsa.pem
```

**Info:**
You need the private SSH key. You cannot convert a public SSH key such as `id_rsa.pub` to PEM.

## Links

- How to generate an RSA PEM (asymmetric) key pair?
- [More about security and how your data is treated](https://simplebackups.com/security-first)
