Encrypted Backup Options
Who this is for
Users who want to ensure their backup data is protected at rest, especially when storing backups in cloud storage or on shared servers.
Why Encrypt Backups?
Backup files may contain:
- Database contents (user data, passwords, personal information)
- Application source code
- Configuration files with API keys or credentials
If a backup file is accidentally exposed (wrong bucket permissions, compromised server), encryption ensures the data remains unreadable.
How Backup Encryption Works
When Encrypted is enabled:
- CloudAIPilot generates a unique Data Encryption Key (DEK) for each backup.
- The DEK is used to encrypt the backup file using AES-256-GCM.
- The DEK itself is encrypted with CloudAIPilot's master Encryption Key and stored securely.
- The encrypted backup file is stored on the server (and optionally uploaded to cloud storage).
When you download an encrypted backup:
- CloudAIPilot decrypts the DEK automatically.
- CloudAIPilot streams the decrypted backup file to your browser.
- You receive a standard, readable .tar.gz file.
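The DEK and master key flow described above can be sketched in Node.js as follows. This is an added example, not CloudAIPilot's own code. The function names, the nonce || ciphertext || tag layout, and the use of AES-256-GCM to wrap the DEK are assumptions.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const NONCE_LEN = 12; // 96-bit GCM nonce
const TAG_LEN = 16; // 128-bit GCM authentication tag

// AES-256-GCM encrypt. The key must be 32 bytes; the output layout
// nonce || ciphertext || tag is an assumption made for this example.
function seal(key, plaintext) {
  const nonce = randomBytes(NONCE_LEN); // fresh random nonce for every call
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Reverse seal(). Throws if the key is wrong or any byte was modified.
function unseal(key, sealed) {
  if (sealed.length < NONCE_LEN + TAG_LEN) throw new Error('sealed data too short');
  const nonce = sealed.subarray(0, NONCE_LEN);
  const body = sealed.subarray(NONCE_LEN, sealed.length - TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(sealed.subarray(sealed.length - TAG_LEN));
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// A fresh DEK encrypts the archive; the master key only ever encrypts DEKs.
function encryptBackup(masterKey, archive) {
  const dek = randomBytes(32);
  const record = { wrappedDek: seal(masterKey, dek), encryptedBackup: seal(dek, archive) };
  dek.fill(0); // wipe the plaintext DEK once both outputs exist
  return record;
}

// Unwrap the DEK with the master key, then decrypt the archive with it.
function decryptBackup(masterKey, record) {
  const dek = unseal(masterKey, record.wrappedDek);
  try {
    return unseal(dek, record.encryptedBackup);
  } finally {
    dek.fill(0);
  }
}

// Constructed demo values: random stand-in master key, fake archive bytes.
const demoMaster = randomBytes(32);
const demoRecord = encryptBackup(demoMaster, Buffer.from('constructed backup bytes'));
console.log(decryptBackup(demoMaster, demoRecord).toString());
```

The stored ciphertext is useless without the wrapped DEK and the master key, and a modified ciphertext fails authentication instead of decrypting to corrupted data.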
How to Enable Encryption
When creating an on-demand backup or a backup schedule:
- Toggle Encrypted to ON.
That is the only required step. Encryption and decryption are handled automatically by CloudAIPilot.
Encrypted Backup + Cloud Storage
Encrypted backups can be uploaded to cloud storage as usual. The file stored in S3/GCS/Azure Blob is the encrypted version. Only CloudAIPilot (via the platform's encryption key) can decrypt and download it.
Considerations
- You cannot decrypt an encrypted backup outside of CloudAIPilot without the DEK and the master encryption key. If you need the backup to be portable (usable by other tools), leave encryption disabled.
- Encryption adds a small overhead to backup creation time (typically <5% for most backup sizes).
- All of CloudAIPilot's credential storage uses the same AES-256-GCM encryption scheme. The same security applies to backup encryption.
What Success Looks Like
The backup appears in the Backups list with an Encrypted indicator. When you click Download, the file downloads as a normal (decrypted) .tar.gz file. No decryption key entry is required — CloudAIPilot handles this.
Related Articles
- KB-05-02: Create an On-Demand Backup
- KB-05-03: Configure Backup Schedules
- KB-05-08: Upload and Download Backups