Key Management
Understand passphrase-derived keys, the gear table seed, managed recovery keys, and key rotation.
Key Hierarchy
BackupEngine uses a hierarchical key structure to separate concerns and enable features like key rotation without re-encrypting all stored data.
- •Master Key: Derived from your passphrase via Argon2id. This is the root of the key hierarchy and never leaves your device.
- •Data Encryption Key (DEK): A randomly generated AES-256 key used to encrypt backup chunks. The DEK is itself encrypted (wrapped) by the Master Key and stored server-side.
- •Gear Table Seed: A per-user random seed used to initialize the FastCDC gear hash table. This ensures that your chunking boundaries are unique, preventing cross-user deduplication analysis.
- •Chunk IVs: Each chunk is encrypted with a unique IV derived from a CSPRNG. IVs are stored alongside the encrypted chunk.
Key hierarchy structure
Passphrase (user-provided, never stored anywhere)
|
+-- Argon2id(passphrase, salt) --> Master Key (256-bit)
|
+-- Unwraps --> Data Encryption Key (256-bit, random)
| |
| +-- AES-256-GCM(DEK, IV, chunk) --> Encrypted chunk
|
+-- Unwraps --> Gear Table Seed (per-user CDC seed)
The DEK is wrapped (encrypted) by the Master Key and stored on the server.
The Master Key is never stored — it is re-derived from the passphrase each time.Managed Recovery Key
By default, BackupEngine operates in full zero-knowledge mode — if you lose your passphrase, your data is unrecoverable. For users who want a safety net, BackupEngine offers an optional managed recovery key.
- •When enabled, a second copy of the DEK is encrypted with a recovery key managed by BackupEngine.
- •The recovery key is stored in a hardware security module (HSM) with strict access controls.
- •Recovery requires identity verification: email confirmation, MFA, and a mandatory 48-hour waiting period.
- •The waiting period is a security measure to prevent unauthorized recovery if an attacker gains access to your account.
- •You can disable the managed recovery key at any time to return to full zero-knowledge mode.
⚠ Warning
Enabling the managed recovery key means that BackupEngine technically has the ability to decrypt your data (through the recovery process). If you require absolute zero-knowledge guarantees — for example, for legal or regulatory reasons — do not enable this feature.
Key Rotation
You can rotate your encryption keys without re-encrypting all stored backup data. BackupEngine's key hierarchy makes this efficient.
- •Passphrase change: Changing your passphrase re-derives the Master Key and re-wraps the DEK with the new Master Key. The DEK itself does not change, so no backup data needs to be re-encrypted.
- •DEK rotation: For maximum security, you can rotate the DEK. New backups use the new DEK. Existing backup data is gradually re-encrypted during subsequent backup runs.
- •Gear Table Seed rotation: Rotating the CDC seed changes chunking boundaries. This triggers a full re-chunk and re-upload of all data, so use this only if you suspect the seed has been compromised.
- •Rotation history: All key rotation events are logged in the security audit log.
Rotate passphrase via CLI
# Change your passphrase (re-wraps the DEK) backupengine security change-passphrase # Rotate the Data Encryption Key backupengine security rotate-dek # View key rotation history backupengine security key-history
💡 Tip
Rotate your passphrase periodically (every 6-12 months) as a best practice. Passphrase rotation is fast because it only re-wraps the DEK — no backup data is re-encrypted.
Gear Table Seed
The gear table seed is a unique-per-user random value that initializes the FastCDC rolling hash function. This ensures that your file chunking boundaries are unpredictable and unique to your account.
- •Without a per-user seed, identical files would produce identical chunk hashes across all users, enabling cross-user deduplication analysis.
- •The per-user seed makes your chunk boundaries unique, so even identical files produce different chunks and different hashes.
- •The seed is encrypted with your Master Key and stored server-side. It is decrypted on your device during backup.
- •In normal operation, you never need to interact with the gear table seed directly.