Encryption Key Management
Backup encryption protects your data at rest. Breeze manages encryption keys that are used when writing snapshots to storage. Each snapshot references the key it was encrypted with, so keys must be available for restore operations.
Managing Keys
Section titled “Managing Keys”Go to Operations > Backup > Encryption to see your encryption keys.
The key list shows:
- Key name
- Key type (AES-256 or RSA-2048)
- Status: Active (green), Rotated (gray), or Deactivated (red)
- Created date
- Expiry date (if set)
Creating a Key
Section titled “Creating a Key”- Click Create New Key.
- Enter a descriptive name (e.g., “Production AES Key 2026”).
- Select the key type:
- AES-256 — symmetric encryption, recommended for most use cases
- RSA-2048 — asymmetric encryption, useful for scenarios where separate encrypt/decrypt permissions are needed
- Click Create.
- The key’s fingerprint (SHA-256 hash) is displayed. Record this for your records.
Rotating a Key
Section titled “Rotating a Key”Key rotation creates a new key version while keeping the old version available for decrypting existing snapshots. New backups use the rotated key.
- Click the Rotate action on an active key.
- Confirm the rotation.
- The old key moves to Rotated status. A new active key is created.
You can configure automatic rotation (every 30, 60, or 90 days) in the storage configuration wizard.
Deactivating a Key
Section titled “Deactivating a Key”Click Deactivate on a key to prevent it from being used for new backups. Deactivated keys remain available for decrypting existing snapshots.
How Encryption Works
Section titled “How Encryption Works”- In transit — all backup data is transferred over HTTPS (TLS 1.2+)
- At rest — snapshots are encrypted using the assigned key before being written to storage
- Each snapshot stores a reference to its encryption key ID, so the correct key is used automatically during restore
- Keys themselves are stored encrypted in the Breeze database with access scoped to the organization