Encryption

<< Click to Display Table of Contents >>

Navigation:  Quick Start >

Encryption

 

SyncBackPro provides several ways to protect your data using encryption. You can encrypt backup files so they cannot be read without a password, encrypt data as it is transferred over a network, and encrypt the passwords and settings stored by SyncBackPro itself.

 

 

Encrypting Your Backup Files

 

When a profile uses compression, files are stored in Zip archives. These Zip archives can be encrypted with a password so that the files inside cannot be read or extracted without knowing the password. This is the primary way to protect the content of your backups.

 

Two encryption methods are available:

 

Old style: The traditional Zip encryption method. It is compatible with practically all third-party Zip programs. This is the only method available in SyncBackFree. While convenient, it provides weaker security than AES.

 

AES: A strong encryption standard used by governments and financial institutions. It is compatible with WinZip 9 and later, 7-Zip, and PKWare SecureZip. AES encryption is recommended when security is important.

 

When using AES encryption, you can also choose to encrypt and compress the filenames and file details within the Zip archive. This prevents anyone from seeing what files are stored in the archive, even without the password. Filename encryption is compatible with PKWare SecureZip (when using Deflate or BZip2 compression) or 7-Zip (when using LZMA2 compression). It is not compatible with WinZip filename encryption.

 

To configure backup file encryption, open the profile settings and go to the Compression page in Expert mode. You will need to enable compression before encryption options become available.

 

 

Why Encryption Requires Compression

 

A common question is why encryption is only available when compression is enabled. In SyncBackPro, file encryption is performed within the Zip archive format. The Zip container provides the framework for encrypting file data and, optionally, filenames. Without this container there is no mechanism to apply encryption to individual files during a backup. Using the Zip format also means your encrypted backups can be opened with widely available tools such as WinZip, 7-Zip, and PKWare SecureZip, rather than relying on a proprietary encryption format that would require specific software to decrypt.

 

If you want encryption but do not want your files to be compressed (for example, because they are already in a compressed format such as JPEG or MP4), you can set the compression level to zero on the Compression settings page. Files will be stored inside the Zip archive without compression but will still be encrypted. Note that if you enable filename encryption, the compression level must be greater than zero.

 

Compressing files before encrypting them is actually beneficial for security. Compressed data has higher entropy (it appears more random) than uncompressed data, which makes certain cryptographic attacks more difficult. In addition, compression removes patterns and redundancy from the data that an attacker could otherwise exploit. For this reason, compressing and then encrypting your backups provides both smaller file sizes and stronger protection.

 

 

Passwords

 

The encryption password can be up to 79 characters long. It is set on the Compression settings page. You can also choose to be prompted for the password each time the profile runs, although this means the profile cannot run unattended.

 

If you change the password, only newly compressed files will use the new password. Files that were encrypted with the old password will retain that encryption. To re-encrypt all files with the new password, you would need to delete the existing Zip archives and run a full backup.

 

warning

You are entirely responsible for remembering the password used. It is not possible under any circumstances for 2BrightSparks to recover lost passwords.

 

Instead of storing the password in the profile settings, SyncBackPro can retrieve it from an external Secrets Manager such as AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager, HashiCorp Vault, Infisical, or Windows Credential Manager. This avoids storing the password locally.

 

 

Encrypting Data in Transit

 

When transferring files over a network, the data can be encrypted during transmission to prevent eavesdropping:

 

FTP: FTP connections can use FTPS (FTP over TLS/SSL) to encrypt the control channel, and optionally the data channel. SFTP connections are always encrypted. See the FTP, Advanced settings page for details.

 

Cloud: All cloud storage connections use encrypted HTTPS connections. See the Cloud settings page for details.

 

SyncBack Touch: Communication with SyncBack Touch devices is encrypted by default. In V12, encryption is also supported when using Rapid Transfer.

 

Note that encrypting data in transit protects it while it travels over the network. It does not encrypt the files at their destination. To protect the content of the files themselves, use Zip encryption as described above.

 

 

Cloud Server-Side Encryption

 

sbpro-feature-16x16 Cloud server-side encryption is only available in SyncBackPro.

 

Some cloud storage providers, such as Amazon S3 and Backblaze B2, offer server-side encryption. This means the files are encrypted on the cloud server itself, providing an additional layer of protection. Amazon S3 can use its own managed encryption keys, or you can provide your own customer encryption keys (SSE-C). See the Cloud, Advanced settings page for details.

 

 

NTFS (EFS) File Encryption

 

Windows NTFS volumes support the Encrypting File System (EFS), which encrypts individual files at the operating system level. This is separate from Zip encryption and from the transmission encryption described above.

 

SyncBackPro can automatically decrypt NTFS-encrypted files when they are copied to the source or destination. This is useful when backing up EFS-encrypted files to a location that does not support EFS, such as a FAT32 drive or a network share. See the Decryption settings page for details.

 

 

Protecting Stored Passwords and Settings

 

SyncBackPro stores passwords and other sensitive settings (such as FTP, cloud, and email credentials) in its configuration files. By default, these are encrypted using a basic method. For stronger protection, you can enable 256-bit AES encryption for stored settings in the Global Settings. You can also use an external encryption key file or the Windows Data Protection API (DPAPI) to further secure your stored settings.

 

warning

If you use an external key file, keep it safe. If the key file is lost, all encrypted settings (including passwords and your serial number) will need to be re-entered. If you use the Windows Data Protection API, be aware that the encrypted settings are tied to your Windows user account and computer, and cannot be transferred.

 

 

Related Topics

 

Compression - configure Zip encryption method, password, and filename encryption

 

Decryption - NTFS (EFS) decryption settings

 

FTP, Advanced - FTP/FTPS transmission encryption

 

Cloud - cloud storage connections

 

Cloud, Advanced - server-side encryption settings

 

Global Settings - AES encryption for stored passwords and settings

 

Secrets Manager - retrieve passwords from external secrets managers

 

Ransomware Detection - detect ransomware-encrypted files before they overwrite your backups

 

 

 

All Content: 2BrightSparks Pte Ltd © 2003-2026