# Encryption & data security

**GitProtect implements advanced encryption and data security measures to ensure that sensitive information is protected both in transit and at rest. Data is encrypted using industry-standard algorithms before leaving endpoints, during transfer over networks, and while stored in datastores, providing organizations with robust protection against unauthorized access and data breaches.**

***

## General information

Encryption is the process of converting plain text or files into an unreadable format — it's recommended to use it when handling sensitive data, such as backups. **GitProtect** secures backups using two AES (Advanced Encryption Standard) modes:

1. **AES-CBC (Cipher Block Chaining)** is a symmetric encryption mode that protects data by transforming plaintext into ciphertext. It encrypts data in fixed-size blocks, where each block is combined with the previous block’s ciphertext before encryption. This “chaining” ensures that identical plaintext blocks produce different ciphertext, enhancing security.
2. **AES-GCM (Galois/Counter Mode)** is an advanced symmetric encryption mode that combines data encryption with authentication, providing confidentiality, integrity, and authenticity of data in a single process. This mechanism combines AES block encryption with an authentication function based on multiplication in the Galois field.

{% hint style="danger" %}
**The AES-GCM encryption algorithm is not supported on macOS.** Backup and restore tasks configured to use this encryption on **macOS** will fail.
{% endhint %}
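
The following added example (Go, standard library only; not GitProtect's own code) shows the two properties described above: CBC chaining hides repeated plaintext blocks, and only GCM reports a modified ciphertext, whereas CBC decrypts it to different bytes without any error. The key, IV, nonce, sample data, and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values. Real use needs a secret random key and a fresh IV/nonce per object.
var (
	key   = bytes.Repeat([]byte{0x42}, 32) // 32 bytes = 256-bit key; 16 or 24 give 128/192-bit
	iv    = bytes.Repeat([]byte{0x01}, aes.BlockSize)
	nonce = bytes.Repeat([]byte{0x02}, 12)
	plain = bytes.Repeat([]byte("backup-block-16b"), 3) // three identical 16-byte blocks
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// cbcRoundTrip encrypts plain with AES-CBC, XORs mask into one stored byte (0 = untouched),
// then decrypts. CBC has no integrity check, so decryption cannot report the change.
func cbcRoundTrip(key []byte, mask byte) (ct, restored []byte) {
	ct = make([]byte, len(plain)) // plain is block-aligned, so no padding is needed here
	cipher.NewCBCEncrypter(must(aes.NewCipher(key)), iv).CryptBlocks(ct, plain)
	stored := append([]byte(nil), ct...)
	stored[20] ^= mask
	restored = make([]byte, len(stored))
	cipher.NewCBCDecrypter(must(aes.NewCipher(key)), iv).CryptBlocks(restored, stored)
	return ct, restored
}

// gcmRoundTrip does the same with AES-GCM; Open verifies the tag and fails on any change.
func gcmRoundTrip(key []byte, mask byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	stored := aead.Seal(nil, nonce, plain, nil) // ciphertext followed by the 16-byte tag
	stored[20] ^= mask
	return aead.Open(nil, nonce, stored, nil)
}

func main() {
	ct, restored := cbcRoundTrip(key, 0x01)
	fmt.Println("CBC: repeated plaintext blocks differ in ciphertext:", !bytes.Equal(ct[:16], ct[16:32]))
	fmt.Println("CBC: modified backup restored intact:", bytes.Equal(restored, plain))
	_, err := gcmRoundTrip(key, 0x01)
	fmt.Println("GCM: modified backup restore error:", err)
}
```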

***

## Limitations

Selecting the highest encryption level provides the strongest level of cryptographic security but imposes certain limitations on specific **GitProtect** functions. The encryption and decryption processes depend on the available resources of the service performing the backup and restore operations, so a high level of encryption may affect backup and recovery times.

{% hint style="success" %}
Using 256-bit encryption **does not impact the accuracy or reliability of backup and recovery operations**.
{% endhint %}

***

## Enabling encryption for a backup plan

Encryption is available for all organizations integrated with **GitProtect**. It can be enabled in the backup plan settings during setup.

{% hint style="danger" %}
If a backup plan is created without encryption, encryption cannot be enabled for it later, because **encryption settings cannot be changed in an existing plan**. Instead, you can clone the existing backup plan and modify the clone to include encryption.
{% endhint %}

When configuring a new backup plan, scroll down to **Advanced settings**, click **Edit**, and turn on the **Encryption** switch. You can then select the preferred encryption method (AES-CBC or AES-GCM) and choose one of the three available encryption levels from the drop-down list:

1. **Low:** the algorithm uses a 128-bit encryption key.
2. **Normal:** the algorithm uses a 192-bit encryption key.
3. **High:** the algorithm uses a 256-bit encryption key.

{% hint style="warning" %}
If an image-level backup is encrypted with a high encryption level (256-bit key length), it cannot be recovered using the iSCSI protocol via the iSCSI target recovery option, as granular data access is not available.
{% endhint %}

Encryption requires a password (encryption key), which ensures that the information is secured and stored in an inaccessible form. You can either select an existing encryption key from the **Password Manager** or create a new one.

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2FipcHMFtQjtDWQSZNs2qX%2Fencryption_and_data_security_1.png?alt=media&#x26;token=686c15f2-ffec-4d75-993a-c01534c63370" alt=""><figcaption></figcaption></figure>

***

## Useful links and items

{% content-ref url="replication" %}
[replication](https://helpcenter.gitprotect.io/backup-plans-and-features/replication)
{% endcontent-ref %}
