GOST 28147-89 encryption in Acronis Backup 11.5

    Hi Habr, today we will talk about the encryption algorithm for data in backups and the features of its application in the Acronis product line. As follows from the title, we will talk about the standard GOST 28147-89 (hereinafter simply “standard”).



    At the moment, Acronis Backup 11.5 is one of the few, if not the only, backup solutions (for physical and virtual machines) on the Russian market that supports encryption according to GOST 28147-89 without the need to install additional encryption modules (such modules are often sold separately and cost very significant money).



    A bit of history


    The GOST 28147-89 algorithm was developed in the USSR and is the encryption standard of the Russian Federation. It describes the principles of cryptographic data transformation for data transmitted in computer networks, individual computer complexes or computers, covering their encryption and the creation of digital signatures.

    This algorithm is designed for both hardware and software encryption implementations. It satisfies the necessary global standards of cryptographic strength and does not impose restrictions on the level of secrecy of the protected information.

    This standard is mandatory for organizations and companies of the Russian Federation that use cryptographic protection for data downloaded and/or transmitted through computer networks, individual computer systems or personal computers. Therefore, the lack of support for this standard can be a serious obstacle to using a piece of software in the enterprise. This is especially true for government organizations, where compliance with standards is a key software requirement.

    The standard was translated into English and published in 1994, and is now widely used in software. Unlike its sibling, the DES algorithm, adopted as the US federal standard, GOST 28147-89 (like AES) can be applied more widely due to the absence of restrictions on the level of secrecy of the protected information.

    This algorithm, like DES, works with 64-bit blocks, but this is where their similarities end and the differences follow:

    • GOST 28147-89 uses 32 rounds (transformation cycles), in contrast to the 16 rounds of DES.
    • Each cycle in GOST 28147-89 consists of simpler operations than in DES.
    • Unlike the DES standard with a 56-bit key, GOST 28147-89 uses a 256-bit key.
    • GOST 28147-89 works much faster than DES
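The round structure compared above (64-bit block, 256-bit key, 32 simple rounds), as an added example that is not Acronis code. Assumptions: GOST 28147-89 leaves the S-boxes open and the page does not say which set the product uses, so the S-boxes, big-endian byte order and test vector here are those of RFC 8891 (GOST R 34.12-2015 "Magma"); all function names are illustrative.

```python
import struct

# S-boxes pi0..pi7 as published in RFC 8891. Assumption: the standard itself
# does not fix the S-boxes and the page names no parameter set.
SBOX = (
    (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1),
    (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15),
    (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0),
    (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11),
    (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12),
    (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0),
    (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7),
    (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2),
)
MASK = 0xFFFFFFFF

def round_function(subkey, half):
    """One round's work: add subkey mod 2^32, substitute 8 nibbles, rotate left 11."""
    x = (half + subkey) & MASK
    y = 0
    for i, box in enumerate(SBOX):  # box i handles bits 4i..4i+3
        y |= box[(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK

def key_schedule(key):
    """256-bit key -> 32 subkeys: K1..K8 three times, then K8..K1."""
    k = struct.unpack(">8I", key)  # struct.error unless exactly 32 bytes
    return k * 3 + k[::-1]

def _crypt(subkeys, block):
    hi, lo = struct.unpack(">2I", block)  # struct.error unless exactly 8 bytes
    for sk in subkeys[:31]:               # 31 Feistel rounds with a swap
        hi, lo = lo, round_function(sk, lo) ^ hi
    hi ^= round_function(subkeys[31], lo)  # round 32: halves are not swapped
    return struct.pack(">2I", hi, lo)

def encrypt_block(key, block):
    return _crypt(key_schedule(key), block)

def decrypt_block(key, block):
    # Same network, subkeys applied in reverse order.
    return _crypt(key_schedule(key)[::-1], block)

# Test vector from RFC 8891.
KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100"
                    "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
PT = bytes.fromhex("fedcba9876543210")
print(encrypt_block(KEY, PT).hex())  # 4ee901e5c2d8ca3d
```

This encrypts a single 64-bit block only; a backup product applies the cipher in a mode of operation, which the page does not describe.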




    Encryption in Acronis Backup 11.5


    Acronis Backup 11.5 supports encryption of data in the backup, which helps protect user data from unauthorized access.

    AES encryption with a key length of 128, 192 or 256 bits and encryption according to GOST 28147-89 with a key length of 256 bits are supported. GOST 28147-89 encryption is available only in the Russian version of Acronis Backup 11.5, intended for users in the Russian Federation and the CIS countries.

    All encryption algorithms use a randomly generated key of the size specified by the user (128, 192 or 256 bits if AES is selected and 256 bits if GOST 28147-89 is selected). The larger the key size, the longer the encryption of the archive will take and the higher the degree of data security. The encryption key is then itself encrypted using the AES-256 algorithm, with the SHA-256 hash of the user-entered password as the key. The password itself is not saved anywhere on the disk or in the backup file. The password hash is used for verification. This two-level protection scheme protects the backup data from unauthorized access, but recovering a lost password is impossible.

    The Acronis Backup 11.5 installer automatically installs all the components required for encryption. The data is encrypted directly on the computer on which the backup operation takes place, and only then transferred to the backup storage: magnetic tape, network folder, etc.
    Along with encryption, data compression can also be used. In this case, the data is first compressed and then encrypted. The time the backup procedure takes may increase slightly as a result.

    To enable the archive encryption option according to GOST 28147-89, when creating a backup plan, the user must go to the "archive protection" section in the "backup options" window, enable the "set password for archive" checkbox and select the appropriate algorithm.



    Support for the GOST standard is part of the Acronis AnyData ideology, which means that encryption is available for any type of data in the backup, whether file archives, backups of physical or virtual machines, or application data.

    We are ready to answer your questions regarding the implementation of the GOST standard or other encryption algorithms in Acronis products. Write in the comments what aspects should be covered in more detail (including in future articles) if this topic is of interest to you.
