How can I encrypt backups before I upload them?

As of version 3.6, BackWPup Pro offers the option to encrypt backups for upload to the backup target – a great feature for the security of your data and that of your customers and users.

And – because of the GDPR regulations – an absolute must for all those that store personal information in their backups and are based in the EU or have personal data of users residing in the EU in their WordPress installation.

What exactly is an encrypted backup and why should you make use of the feature?

Whenever you create a backup with BackWPup or any other backup plugin, the result is usually uploaded to a backup target. That could be your FTP server, Google Drive, or any other cloud service.

In the event that someone gains access to the backup target, they are able to read the data in your backup without any problem. Unencrypted backups are a security gap and run the risk of your data and that of your customers and users falling into the wrong hands.

Encrypting a backup means that the data is made unreadable by way of an encryption process. You will have to generate a key (or a key pair) before encrypting. This key must then be kept in a safe place. The key is needed in the encryption algorithm to render the data unreadable and to decrypt the data as well. Only those in possession of the key are able to make the backup readable again.

Caution: You will no longer be able to access the data if you lose the key.

Encryption procedure

BackWPup offers two procedures for encryption: one symmetrical and one asymmetrical procedure.

The symmetrical procedure works with a single key and is based on the popular AES 256 procedure (AES = Advanced Encryption Standard). The same key is used for encrypting and decrypting.

The asymmetrical procedure uses the RSA algorithm and the AES procedure. Here we generate a random AES-256 key, which is then used for the encryption. Additionally, the AES key itself is then encoded using the RSA procedure (hybrid procedure).

The RSA procedure requires a key pair consisting of a public key and a private key. These can be generated via BackWPup Pro. The private key must be kept in a safe place and must only be known to you.

If you aren’t sure which of the two procedures to use – here are their advantages and disadvantages:

  • The symmetric procedure is easier to use because we simply store the key in the BackWPup Pro database once it has been generated. You don’t have to worry about keeping the key safe: you can copy-paste the key value that is available in the BackWPup Pro → Settings in the Encryption tab. But anyway we always strongly suggest creating and keeping a copy of your key. Your backup is safe as long as the database of your WordPress installation doesn’t become compromised: if your database is damaged, you could lose the key, and so you could not be able anymore to decrypt your backup unless you have a copy of the key. So, after the key is generated in your system, it has to be downloaded using the related button, otherwise the encryption cannot be properly activated.
  • The asymmetrical procedure is the safer option because it uses two keys. You are the only one in possession of one of those two keys. Disadvantage: You have to ensure the safekeeping of the private RSA key. You will no longer be able to access your data if you lose the key. Also in this case the download of the private key is required after the generation.

Generating encryption keys

You will first have to generate the key before you can create an encrypted backup with BackWPup Pro:

  1. Go to BackWPup Pro → Settings and then select the Encryption tab.
  2. Select the encryption procedure you want to use: symmetrical or asymmetrical.
  3. Click Generate Key.
    • If you have selected the symmetric method, a single key will be generated and stored in BackWPup Pro. You should also save it to another location to be on the safe side.
    • If you have selected the asymmetric method, BackWPup generates an RSA key pair. Both keys will be offered to you for download. You should download the private key at least. Next, click Use these keys.
  4. Click Save Changes.
Generate encryption key - symmetric (AES) or asymmetric (RSA)
Generate encryption key – symmetric (AES) or asymmetric (RSA)

Encrypting the backup during creation

For each backup job you can decide individually whether to create the backups with or without encryption. Simply check the Encrypt Archive box when creating or editing a backup job.

Activate encryption for backups

Restoring an encrypted backup

A backup is there to be able to restore your site in case of an emergency. Our BackWPup Pro Restore feature can restore both encrypted and unencrypted backups. Simply follow our BackWPup Restore instructions.

Decrypting a backup

In the event that you want to decrypt an encrypted backup, please download it from the backend of your WordPress installation as follows:

  1. Go to BackWPup Pro → Backups.
  2. Hover the mouse over the desired backup.
  3. Click Download.
  4. The backup is decrypted. If you have chosen the asymmetric method for encryption, you must enter your private RSA key in the window that opens, otherwise, you have to enter the symmetric key.

Note: You will need BackWPup Pro to decrypt the backup. You will not be able to decrypt the backup with any other tool.