> For the complete documentation index, see [llms.txt](https://helpcenter.gitprotect.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://helpcenter.gitprotect.io/backup-plans-and-features/encryption-and-data-security.md).

# Encryption & data security

**GitProtect implements advanced encryption and data security measures to ensure that sensitive information is protected both in transit and at rest. Data is encrypted using industry-standard algorithms before leaving endpoints, during transfer over networks, and while stored in datastores, providing organizations with robust protection against unauthorized access and data breaches.**

***

## General information

Encryption is the process of converting plain text or files into an unreadable format — it's recommended to use it when handling sensitive data, such as backups. **GitProtect** secures backups using two AES (Advanced Encryption Standard) modes:

1. **AES-CBC (Cipher Block Chaining)** is a symmetric encryption algorithm that protects data by transforming plaintext into ciphertext. It encrypts data in fixed-size blocks, where each block is combined with the previous block’s ciphertext before encryption. This “chaining” ensures that identical plaintext blocks produce different ciphertext, enhancing security.
2. **AES-GCM (Galois/Counter Mode)** is an advanced symmetric encryption mode that combines data encryption with authentication, providing confidentiality, integrity, and authenticity of data in a single process. This mechanism combines AES block encryption with an authentication function based on multiplication in the Galois field.

{% hint style="danger" %}
**The AES-GCM encryption algorithm is not supported on macOS.** Backup and restore tasks configured to use this encryption on **macOS** will fail.
{% endhint %}

***

## FIPS 140-3 compliant encryption

FIPS stands for Federal Information Processing Standards. These standards and guidelines are developed by the National Institute of Standards and Technology (NIST) for use by U.S. federal government agencies and organizations that work with government systems.

FIPS 140-3 is a specific standard titled Security Requirements for Cryptographic Modules. It defines requirements for the hardware, software, and firmware components that perform cryptographic functions, such as encryption, decryption, authentication, digital signatures, and key generation and management.

{% hint style="info" %}
Learn more about FIPS 140-3 in the [official OpenSSL documentation](https://openssl-library.org/post/2025-03-11-fips-140-3/).
{% endhint %}

**GitProtect** supports FIPS 140-3–compliant encryption for backup plans using AES-CBC encryption. When FIPS mode is enabled, the system ensures that encryption is performed by supported **Windows** backup agents using FIPS-validated cryptographic modules, providing enhanced security and compliance for regulated environments.

{% hint style="info" %}
The FIPS mode switch enables or disables FIPS compliance warnings. When enabled, users are notified about agents running unsupported operating systems, outdated versions, or encryption that is not FIPS compliant. When disabled, no notifications are displayed (however, newly installed **Windows** backup agents will still use FIPS-compliant encryption through a FIPS-validated cryptographic provider).
{% endhint %}

To use FIPS 140-3–compliant encryption, the following conditions must be met:

1. The backup agent must be running on a **Windows** operating system.

{% hint style="danger" %}
If a backup agent running on a **Linux** or **macOS** device is assigned as the default worker for a backup plan with FIPS mode enabled, the backup job summary will display a warning that FIPS-compliant encryption is not yet supported on that platform.
{% endhint %}

2. The backup plan must use AES-CBC encryption.
3. The backup agent version must be 2.3.0 or later.

{% hint style="danger" %}
If a **Windows** backup agent older than the minimum required version is assigned as the default worker for a backup plan with FIPS mode enabled, the backup job summary will display a warning that the agent version does not support FIPS-compliant encryption.
{% endhint %}

{% hint style="warning" %}
If a backup job is performed by a supported **Windows** backup agent and FIPS-compliant encryption fails, a warning is displayed in the backup job summary. The backup will still be encrypted using the default cryptographic provider.
{% endhint %}

***

## Enabling encryption for a backup plan

Encryption is available for all organizations integrated with **GitProtect**. It can be enabled in the backup plan settings during setup.

{% hint style="danger" %}
If a backup plan is created without encryption, it cannot be enabled later — **encryption settings cannot be changed in an existing plan**. Alternatively, you can clone an existing backup plan and modify it to include encryption.
{% endhint %}

{% hint style="success" %}
The **Use FIPS mode** setting can be changed on an existing plan. When the plan is cloned, the FIPS mode setting is retained.
{% endhint %}

When configuring a new backup plan, scroll down to **Advanced settings**, click **Edit**, and turn on the **Encryption** switch. You can then select the preferred encryption method (AES-CBC or AES-GCM) and choose one of the three available encryption levels from the drop-down list:

1. **Low:** the algorithm uses a 128-bit encryption key.
2. **Normal:** the algorithm uses a 192-bit encryption key.
3. **High:** the algorithm uses a 256-bit encryption key.

A password (encryption key) is required to perform the encryption operation to ensure that information is secured and stored in an inaccessible form. You can either select an existing encryption key from the **Password Manager** or create a new one.

<figure><img src="/files/dJVQD7N5PPonObfILxNy" alt=""><figcaption></figcaption></figure>

***

## Useful links and items

{% content-ref url="/pages/lxIW61pvPR0YmPI1xIqr" %}
[Replication](/backup-plans-and-features/replication.md)
{% endcontent-ref %}

{% embed url="<https://openssl-library.org/post/2025-03-11-fips-140-3/>" %}
