Encryption at rest for backups
Demonstrate that all backup data is encrypted at rest using approved cryptographic algorithms with properly managed encryption keys that are stored separately from the backup media.
Description
What this control does
Encryption at rest for backups ensures that all backup data stored on disk, tape, cloud storage, or other media is protected using strong cryptographic algorithms (e.g., AES-256, preferably in an authenticated mode such as AES-GCM so that tampering is also detected) before being written to the storage medium. This control applies to full, incremental, and differential backups across all systems, databases, and applications, and requires secure key management practices: keys are generated, stored, and access-controlled separately from the encrypted backup data (for example in a KMS or HSM rather than on the backup media or in the same storage account). It prevents unauthorized access to sensitive information if backup media is lost, stolen, improperly disposed of, or accessed by unauthorized parties.
Control objective
What auditing this proves
Demonstrate that all backup data is encrypted at rest using approved cryptographic algorithms with properly managed encryption keys that are stored separately from the backup media.
Associated risks
Risks this control addresses
- Theft or loss of unencrypted backup tapes, drives, or media during transport or offsite storage exposes sensitive data to unauthorized parties
- Unauthorized physical access to backup storage locations by insiders or external attackers allows exfiltration of unprotected backup data
- Improper disposal or decommissioning of backup media without encryption results in data leakage through discarded or resold storage devices
- Compromise of backup storage infrastructure (cloud accounts, NAS, SAN) grants attackers immediate access to plaintext backup contents
- Legal and regulatory non-compliance due to failure to protect personal, financial, or health information stored in backups
- Data breaches resulting from ransomware actors exfiltrating unencrypted backups before deploying their own encryption, enabling double-extortion attacks
- Insider threats where privileged users with storage access exfiltrate backup data without detection or cryptographic barriers
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all backup solutions, systems, and storage locations including on-premises storage, cloud repositories, tape libraries, and offsite facilities.
- Review backup system configuration files, policies, and administrative console settings to identify encryption-at-rest settings and cryptographic algorithms in use.
- Select a representative sample of recent backups across different backup types (full, incremental, differential) and system categories (databases, file servers, applications, virtual machines).
- Verify that each sampled backup job configuration explicitly enables encryption at rest and specifies approved encryption algorithms and modes (AES-256 in an authenticated mode, or equivalent).
- Examine encryption key management procedures including key generation, storage location, access controls, rotation schedules, and separation from backup data. Confirm that keys are never stored on the same media, in the same storage account, or under the same administrative credentials as the ciphertext they protect.
- Perform technical verification by accessing backup storage directly or through storage APIs to confirm that backup files are stored in encrypted format (no plaintext headers, archive or database magic bytes, or readable content) and cannot be read without decryption keys. Note that high byte entropy alone does not distinguish ciphertext from compressed-but-unencrypted data; check for known compression and archive signatures as well.
- Test a restore operation from encrypted backups to validate that decryption keys are properly managed, accessible to authorized restoration processes, and functionally decrypt the backup data.
- Review backup system logs and encryption reports for the past 90 days to confirm continuous encryption across all backup operations without failures or exceptions.
Where this control is tested