# Encryption & data security

**GitProtect implements advanced encryption and data security measures to ensure that sensitive information is protected both in transit and at rest. Data is encrypted using industry-standard algorithms before leaving endpoints, during transfer over networks, and while stored in datastores, providing organizations with robust protection against unauthorized access and data breaches.**

***

## General information

Encryption is the process of converting plain text or files into an unreadable format — it's recommended to use it when handling sensitive data, such as backups. **GitProtect** secures backups using two AES (Advanced Encryption Standard) modes:

1. **AES-CBC (Cipher Block Chaining)** is a mode of operation for the symmetric AES block cipher that protects data by transforming plaintext into ciphertext. It encrypts data in fixed-size blocks, where each plaintext block is combined with the previous block’s ciphertext before encryption. This “chaining” ensures that identical plaintext blocks produce different ciphertext, enhancing security.
2. **AES-GCM (Galois/Counter Mode)** is an advanced symmetric encryption mode that combines data encryption with authentication, providing confidentiality, integrity, and authenticity of data in a single process. This mechanism combines AES block encryption with an authentication function based on multiplication in the Galois field.

{% hint style="danger" %}
**The AES-GCM encryption algorithm is not supported on macOS.** Backup and restore tasks configured to use this encryption on **macOS** will fail.
{% endhint %}

***

## Enabling encryption for a backup plan

Encryption is available for all organizations integrated with **GitProtect**. It can be enabled in the backup plan settings during setup.

{% hint style="danger" %}
If a backup plan is created without encryption, encryption cannot be enabled for it later: **encryption settings cannot be changed in an existing plan**. Instead, you can clone the existing backup plan and modify the clone to include encryption.
{% endhint %}

When configuring a new backup plan, scroll down to **Advanced settings**, click **Edit**, and turn on the **Encryption** switch. You can then select the preferred encryption method (AES-CBC or AES-GCM) and choose one of the three available encryption levels from the drop-down list:

1. **Low:** the algorithm uses a 128-bit encryption key.
2. **Normal:** the algorithm uses a 192-bit encryption key.
3. **High:** the algorithm uses a 256-bit encryption key.

{% hint style="warning" %}
If an image-level backup is encrypted with a high encryption level (256-bit key length), it cannot be recovered using the iSCSI protocol via the iSCSI target recovery option, as granular data access is not available.
{% endhint %}
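
The difference between the two modes, at each of the three key lengths, can be checked with a short Go program. This is an added example, not GitProtect code: it uses random keys and a constructed two-block plaintext, because the page does not describe how the plan's password is turned into an AES key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyBytes maps the page's encryption levels to AES key lengths in bytes.
var KeyBytes = map[string]int{"Low": 16, "Normal": 24, "High": 32}
var sample = bytes.Repeat([]byte("backup-block-001"), 2) // constructed: two identical 16-byte blocks

// randomBytes returns n CSPRNG bytes (assumption: random keys, not password-derived ones).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CBCDemo: did identical blocks encrypt differently, and did a flipped bit decrypt without error?
func CBCDemo(level string) (chained, silentChange bool) {
	block, _ := aes.NewCipher(randomBytes(KeyBytes[level])) // levels above are valid key sizes
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(sample))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, sample)
	chained = !bytes.Equal(ct[:16], ct[16:])
	ct[0] ^= 0x01 // simulate corruption or modification in the datastore
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // in place; CBC has no integrity check
	return chained, !bytes.Equal(ct, sample)
}

// GCMRejects reports whether AES-GCM refused to decrypt the same modification.
func GCMRejects(level string) bool {
	block, _ := aes.NewCipher(randomBytes(KeyBytes[level]))
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, sample, nil)
	ct[0] ^= 0x01
	_, err := gcm.Open(nil, nonce, ct, nil) // authentication tag check fails
	return err != nil
}

func main() {
	c, s := CBCDemo("High")
	fmt.Println("CBC chained:", c, "| CBC silent change:", s, "| GCM rejects:", GCMRejects("High"))
}
```

With AES-CBC the modified ciphertext decrypts to different data without any error, so integrity has to be verified separately; AES-GCM fails the decryption instead.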

A password (encryption key) is required to encrypt the backup, so that the data is stored in a form that cannot be read without it. You can either select an existing encryption key from the **Password Manager** or create a new one.

<figure><img src="/files/rrIN8cjmmq9qmuGZDsn4" alt=""><figcaption></figcaption></figure>

***

## Useful links and items

{% content-ref url="/pages/lxIW61pvPR0YmPI1xIqr" %}
[Replication](/backup-plans-and-features/replication.md)
{% endcontent-ref %}


