ReStore supports enterprise-grade AES-256-GCM encryption to secure your backups with password protection. This feature is available for both file backups and system backups.
- Algorithm: AES-256-GCM (Galois/Counter Mode) - provides both confidentiality and authentication
- Key Derivation: PBKDF2-SHA256 with 1,000,000 iterations for secure password-based key generation
- Hybrid Architecture: Each backup uses a unique Data Encryption Key (DEK) that is encrypted with a Key Encryption Key (KEK) derived from your password
- Authenticated Encryption: Built-in authentication prevents tampering with encrypted backups
- Artifact Format:
- User-file backups: encrypted deterministic chunk objects referenced by snapshot manifests
- System backups: encrypted
.encarchives with.enc.metametadata files
Via GUI (Recommended):
- Open the Settings page
- Expand the Encryption section
- Click Enable Encryption
- Enter a strong password (minimum 8 characters)
- Confirm the password
- View the password strength indicator (Weak/Medium/Strong with color coding)
- Click Enable Encryption to save
Important: Store your encryption password securely - it CANNOT be recovered if lost!
Via Configuration File:
Edit %USERPROFILE%\ReStore\config.json:
{
"encryption": {
"enabled": true,
"salt": "base64_encoded_salt_will_be_generated",
"keyDerivationIterations": 1000000,
"verificationToken": "base64_encoded_verification_token_will_be_generated"
}
}When you first enable encryption, the application will generate a random salt and a verification token automatically. Note: Do NOT change the salt after enabling encryption, as it is required for key derivation.
- First Time Setup: When you enable encryption, you set a master password and a random salt is generated
- During Backup:
- A KEK is derived from your password + salt
- User-file backups are chunked and chunks are encrypted deterministically using AES-256-GCM-derived per-chunk material
- Snapshot manifests reference encrypted chunk objects
- System backups continue to use encrypted archives (
.enc) with metadata (.enc.meta)
- During Restore:
- You're prompted for your password
- The KEK is derived from your password + stored salt
- User-file restore decrypts and validates chunks before reconstructing files
- System backup restore decrypts archive payloads and then restores content
- Minimum 8 characters
- Recommended: Mix of uppercase, lowercase, numbers, and special characters
- The GUI provides real-time strength feedback with color indicators:
- Red (Weak): Basic password, easy to crack
- Orange (Medium): Decent password, consider adding more complexity
- Green (Strong): Excellent password with good complexity
What Gets Encrypted:
- All user-file snapshots: Full, Incremental, and ChunkSnapshot backup modes
- System component backups:
- Installed programs list and Winget restore scripts
- Environment variables (user and system)
- Windows registry settings (personalization, taskbar, File Explorer, etc.)
- Everything: Once encryption is enabled, all new backups (file and system) are automatically encrypted
Restoration:
- Encrypted backups (
.encfiles) automatically trigger password prompts - Both GUI and CLI support decryption during restore
- Password is only required when restoring encrypted backups
To disable encryption:
- Open Settings > Encryption
- Click Disable Encryption
- Confirm the action
Note: Disabling encryption only affects new backups. Existing encrypted backups will still require the password to restore.
- Use a strong, unique password - Don't reuse passwords from other services
- Store your password securely - Use a password manager like Bitwarden or KeePass
- Backup your password - Write it down and store it in a secure physical location
- Test restoration - Verify you can decrypt and restore backups before you need them
- Multiple storage locations - Keep encrypted backups in multiple places (local + cloud)
- Regular password updates - Consider changing your encryption password periodically
- Secure your config - The salt is stored in
config.json- keep this file secure
- Overhead: Minimal impact on backup speed due to efficient AES-256-GCM implementation
- Compression First: Files are compressed before encryption for optimal storage efficiency
- Large Files: Encryption uses streaming with small chunks, ensuring low memory usage even for very large files
Scenario 1: Config file lost, but snapshot manifests and system .enc.meta files intact
- Existing encrypted snapshots and system backups remain recoverable (salt/metadata is present in artifacts)
- New encrypted backups require re-establishing encryption settings in config
Scenario 2: Required metadata or chunk artifact is missing
- Missing system
.enc.metafiles make corresponding encrypted system archives unrecoverable - Missing snapshot chunk objects make corresponding files unrecoverable
Scenario 3: Config salt modified accidentally
- Existing encrypted backups remain restorable if artifact metadata is intact
- New backups may be created with incompatible key material
- This is a data corruption scenario