All customer backup data managed by Altaro Office 365 Backup is protected by AES 256-bit encryption at rest, with each customer having a dedicated encryption key for their backup data. Each block is encrypted using the randomly defined encryption key and a standard initialization vector (IV) defined within the product.
In addition, data stored on Azure storage accounts is encrypted at rest with AES 256-bit. Each customer's dedicated backup encryption key is stored in a dedicated Azure Key Vault, and only the Altaro Office 365 Backup application and restricted, high-privilege Altaro personnel have access to Azure Key Vault. Each individual set of Office 365 Backup data is logically segregated, uniquely identified and mapped back to the original account.
How is the encryption key used upon restoring?
When restoring, Office 365 Backup restore workers retrieve the customer backup data from storage, decrypt the data using the customer backup encryption key retrieved from Azure Key Vault, and restore the content to the customer's selected destination. If the customer selected PST or ZIP restores, the restore is additionally password protected and passed to the Altaro CMC UI for the user to keep safely. ZIP/PST restores are uploaded to a public blob storage and retained for 5 days.