Data Encryption

On This Page

• Overview
• Using Encryption
• Passwords
• Encryption Algorithm and Implementation

Overview

Firestreamer-RM can encrypt your sensitive data with the strong FIPS-197 Advanced Encryption Standard (AES) algorithm, which is recommended for use by U.S. Government organizations and sufficient to protect classified information up to the TOP SECRET level. For more information, see Encryption Algorithm and Implementation and Frequently Asked Questions.

Firestreamer-RM encrypts every piece of media with a unique encryption key derived from a user password. The same password and encryption key are used for all backups on the same piece of media.

The encryption password is applied to a medium when the medium is created or overwritten. You can view the encryption status of the current medium on the Media tab of the Firestreamer-RM Control Panel.

NOTE: Encrypted backups may take longer to complete.

Using Encryption

To enable Firestreamer-RM data encryption, follow the steps below.

1. Open the Firestreamer-RM Control Panel.
2. Click the Settings tab.
3. Select the encryption Algorithm. Currently, the only supported algorithm is FIPS-197 (AES) CTR 256bit.
4. Click Set to set the password.
5. Enter the password twice and click OK. To prevent the password from being displayed as you type, select the Hide password option. To delete the current password from computer memory, leave the textboxes empty. You can generate a random password with the Random password button.
   
6. If you want Firestreamer-RM to remember the password between system restarts (this may be useful for scheduled backups), select Remember password.
7. Click Apply at the bottom of the Firestreamer-RM Control Panel.

If at the time you changed the password Firestreamer-RM was connected to a media drive, then you need to do one of the following to apply the password to the current medium:

• Reinsert the medium, or
• On the Backup tab of the Firestreamer-RM Control Panel, click Disable, and then click Enable.

If the current password does not match the medium password, you will not be able to overwrite the medium by performing a new backup, because the Backup Utility will fail trying to verify the current medium content. To overcome this, you need to move the medium to the Free media pool before performing a backup.

Passwords

You can enter the password in a binary form or as a text passphrase. The whitespace characters in the entered password are ignored.

The password is considered a binary one if it contains only hexadecimal digits 0-9, A-F. Every hexadecimal digit adds 4 bits to the password length. You can enter up to 2048 hexadecimal digits. The recommended binary password length is 64 hexadecimal digits (256 bit).

If the password contains at least one character that is not a hexadecimal digit, it is considered a text passphrase. The text passphrase is a set of Unicode characters, the leading bytes of which are ignored. Every character in a passphrase adds approximately 5 bits to the effective password length. You can enter up to 2048 characters. The recommended minimum text passphrase length is 52 characters (~256 bit).

The Random password button on the New Password dialog box generates a binary 256 bit password using a cryptographically secure random number generator.

IMPORTANT:

• You should memorize your password or write it down and keep it in a safe place. It is virtually impossible to recover your encrypted data if the password is lost.
• The Remember password option on the Settings tab of the Firestreamer-RM Control Panel saves the password in the system registry. Even though the password is saved in an encrypted form, it can be relatively easily recovered. Do not use this option if you encrypt critical data, and there is a chance that your computer may be compromised.

Encryption Algorithm and Implementation

The Firestreamer-RM data encryption is implemented according to the following.

• All data blocks received from the Backup Utility are encrypted, except of the first block, which usually contains the tape label.
• Encryption algorithm: FIPS-197 (AES) in the counter mode (CTR).
• Encryption key length: 256 bit.
• Every piece of media is encrypted with a unique encryption key.
• Every encryption block across all pieces of media is encrypted with a unique 128 bit counter.
• Encryption keys are derived from a user password with an algorithm based on the PBKDF1 key derivation function according to RFC-2898. The hash function: SHA-256; salt: 64 bit; iteration count: 2000. The maximum user password length: 16384 bit.
• Cryptographically secure random number generator: Windows Kernel Mode Cryptographic Module.

You can find more information on the encryption algorithms utilized in Firestreamer-RM by visiting the following links:

• The Computer Security Division of the Information Technology Laboratory at the US National Institute of Standards and Technology.
• Federal Information Processing Standards Publication 197. Specification for the ADVANCED ENCRYPTION STANDARD (AES).
• Announcing Approval of Federal Information Processing Standard (FIPS) 197.
• CNSS Policy No. 15, Fact Sheet No. 1.
• NIST Special Publication 800-38A. Recommendation for Block Cipher Modes of Operation.
• Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption.
• Federal Information Processing Standards Publication 180-2. Specifications for the SECURE HASH STANDARD.
• RFC-2898 PKCS #5: Password-Based Cryptography Specification Version 2.0.

The source code of the utility that reads Firestreamer-RM media with the standard Windows Crypto API is available for download and can be verified by independent experts.