
KB #240139: Third Party Backup Software


Type:

Information

Summary:

You are using third-party backup software to back up your databases and want to know the impact on Encryptionizer. Or you are using a third-party backup solution and are finding that your backups are not encrypted with Encryptionizer.

Additional Information:

Encryptionizer can provide automatic encryption of database backups when using the database system's native backup process, such as native MSSQL backup. However, some of our clients choose to use third-party backup solutions. Depending on how the third-party solution performs the backup, those backups may or may not be encrypted with the Encryptionizer keys. However, we have not seen any situations where the backup solution is completely incompatible with Encryptionizer.

First a little bit more about how Encryptionizer works:

  • When you secure a service or process (such as MSSQL Server or MySQL) using the Administration Wizard or BLDCMD (CLI), you are indicating to Encryptionizer drivers that this process should be monitored to determine if encryption activity is authorized. A setting you use when securing a service or process is to indicate that backups should be encrypted. This is not on by default.
  • Encryptionizer drivers sit between the secured process and the file system layer. In the case of backups, if Encryptionizer is configured to encrypt new backups, as write commands are made from the secured process, those write commands are intercepted by Encryptionizer and data is automatically encrypted when written to disk.
  • Similarly, when the secured process requests data, the read is intercepted by the Encryptionizer drivers: the data is read from the disk and decrypted in memory as it is passed back up to the secured process. In the case of SQL Server, by the time the data reaches the SQL Server process it is already decrypted.
  • I/O to and from the disk made by processes that are not secured is not intercepted on its way to the file system.

We have found 3rd party backup products in three categories.

  1. Product authenticates to the Database Management System (DBMS), such as MSSQL, and grabs changes as they are made to tables and structures – the process then writes to its own file system using its own process executable.
  2. Product inserts itself into the I/O stream – as SQL writes blocks of data to the hard drive, the process grabs the stream and copies it off to its own file system using its own process.
  3. Product is a file backup utility which inspects file contents already stored to the hard drive and takes full copies or delta snapshots of the files on the hard drive.

Encryptionizer itself is not too dissimilar from the second category.

How do Encryptionizer processes impact the backup product categories above? (Categories A, B and C below correspond to items 1, 2 and 3 in the list above.)

Category A. Compatible – but backup created by 3rd party process is not encrypted.
If the third-party backup product logs into the DBMS and then grabs updates from the DBMS itself, that data is in an unencrypted state in memory by the time it reaches the DBMS. The backup process takes that data and copies it off to its own file system unencrypted. It is compatible, with no issues – but the resulting backup data is not encrypted by Encryptionizer, regardless of Encryptionizer settings.

Category B. Uncertain
If the product inserts itself into the I/O stream, the encrypted state of the backup is less certain. It depends on where in the I/O stream the product inserts itself.
If the data moves DBMS -> 3rdPartyBackup -> Encryptionizer -> Hard drive, then the data is taken off before it is encrypted.
If the product inserts itself later in the stream, DBMS -> Encryptionizer -> 3rdPartyBackup -> Hard drive, the data will already be encrypted since it has passed through the Encryptionizer drivers.
This could result in complete incompatibility. We recommend testing Encryptionizer with your product.

Category C. Compatible
Generally, these products scan the hard drive for changed blocks. Since data is always encrypted by Encryptionizer before being written to disk, these products tend to be compatible with Encryptionizer and produce backups that are encrypted by Encryptionizer.

In conclusion:

If you are using a third-party backup solution, your backups might not be encrypted by Encryptionizer. However, in terms of compatibility, we have not seen issues in the field where the use of one product prevents the use of the other. If the third-party backup solution results in backups that are not encrypted by Encryptionizer, investigate whether the third-party tool can encrypt the backups through its own software.
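
One way to test which category a backup product falls into, as an added example (not NetLib code or tooling): insert a unique marker string into a test table, run the third-party backup, then scan the backup file for the marker. The function name, marker value and entropy threshold are assumptions made for this sketch, and the sample files are constructed stand-ins for real backup output.

```python
import math
import os
import tempfile
from collections import Counter


def scan_backup(path, canary, chunk_size=1 << 20):
    """Classify a backup file as 'plaintext', 'opaque' or 'inconclusive'.

    Run this from a process that is NOT secured by Encryptionizer, so the
    reads are not intercepted and the script sees the bytes as stored on disk.
    """
    if not canary:
        raise ValueError("canary must be a non-empty string")
    # A varchar column holds the marker as ASCII bytes, nvarchar as UTF-16LE.
    needles = [canary.encode("ascii"), canary.encode("utf-16-le")]
    overlap = max(len(n) for n in needles) - 1
    counts, tail = Counter(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk          # catch a marker split across chunks
            if any(n in window for n in needles):
                return "plaintext"         # marker readable: not encrypted
            counts.update(chunk)
            tail = window[-overlap:]
    total = sum(counts.values())
    if total == 0:
        return "inconclusive"
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    # Near 8 bits/byte means encrypted OR compressed; entropy cannot tell which.
    return "opaque" if entropy >= 7.5 else "inconclusive"


def demo():
    """Constructed sample files standing in for real backup output."""
    canary = "CANARY-7f3a-TEST"            # constructed marker value
    samples = {
        "category-A-like": b"\x00" * 60 + canary.encode("utf-16-le") + b"\x00" * 100,
        "category-C-like": os.urandom(1 << 16),   # stands in for ciphertext
    }
    results = {}
    for name, data in samples.items():
        with tempfile.NamedTemporaryFile(delete=False) as fh:
            fh.write(data)
        results[name] = scan_backup(fh.name, canary, chunk_size=64)
        os.unlink(fh.name)
    return results


if __name__ == "__main__":
    print(demo())
```

A "plaintext" result is conclusive. An "opaque" result only shows the marker is not readable, so turn off compression in the backup product for the test run before treating it as evidence of encryption.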

Related Topics:

240046: Backup not encrypted even though “encrypt new” flag was set

240101: Test the encryption state of a SQL database or backup
