Most people would probably agree that two areas of concern when implementing an encryption solution are performance and key management. Software-based encryption is notoriously slow, and if you lose track of your encryption keys, your encrypted data could be lost to you forever.

Thus, when Unitrends' customers started asking the maker of data backup and recovery solutions to add encryption to their disk backup units, the company looked for a way to add the protection without slowing backups and for a method to encourage customers to change keys regularly but not require them to remember old keys to unlock old data.

According to Mark Phillippi, VP of product management, Unitrends' small-to-midsized business (SMB) customers, many of which are banks, were already having trouble finishing backups at night on and on weekends--they couldn't afford to have encryption adding more time to their backup routines. Unitrends also felt strongly that its encryption solution should be tightly integrated into its backup solution and that the key management interface should be simple and elegant to meet the needs of SMBs that might not have security administrators with the expertise to manage a complex product.

Unitrends' InCrypt (Integrated Encryption) solution uses a coprocessor installed in Unitrends' Data Protection Units and Data Protection Vaults to encrypt all the data from a company's designated sources by using the Advanced Encryption Standard (AES) algorithm with a 256-bit key. After the data is encrypted, it remains so, whether it's backed up on a Data Protection Unit or sent across a WAN to a Data Protection Vault for offsite storage.

InCrypt's key management system is based on a table that contains the current passphrase key and all the previous keys, and the date each key was created. When the administrator creates a new key, InCrypt date-stamps it and adds it to the table. The table is encrypted with the new key. If the admin needs to recover data from two years earlier, encrypted with a different key, he or she needs to know only the current key to unlock the table, and InCrypt can then find the key used two years before and use it to unlock the data.

For more information, go to