Secret Key Passphrase Protection

Web interface: TKLBAM (TurnKey GNU/Linux Backup and Migration) can be fully managed from the comfort of your web browser using the Webmin module.

Backups are always encrypted with a unique secret key, whether or not you set a passphrase.

For extra security, you can protect this secret key with a passphrase. When you restore, you'll be asked for the passphrase, which is used to cryptographically unlock the secret key used to encrypt your backup.

To set or remove passphrase protection, log into your appliance and execute the following on the command line:

# tklbam-passphrase
(For no passphrase, just press Enter)
Passphrase:
Confirm passphrase: 
Updated passphrase - uploaded key to Hub.

You can do this before your first backup (i.e., highest security) or at any other time.

Note that the secret key is generated locally on your server. If you passphrase protect it and forget the passphrase, nobody will be able to help you unless you have an escrow key!

Saving an Escrow Key

To prevent data loss we recommend saving an escrow key in a safe place:

# tklbam-escrow --help
Syntax: /usr/bin/tklbam-escrow [-options] KEYFILE
Create a backup escrow key (Save this somewhere safe)

Arguments:

    KEYFILE                File path to save the escrow key (- for stdout)

Options:

    -P  --no-passphrase    Don't encrypt escrow key with a passphrase
    --random-passphrase    Choose a secure random passphrase (and print it)
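
To show why a forgotten passphrase cannot be recovered and why a separately stored escrow key still works, here is an added example (not TKLBAM's code and not its real key format) that models passphrase protection as wrapping a random secret key with a passphrase-derived key. The PBKDF2 parameters, blob layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor, for illustration only

def _derive(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the secret key, the last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)

def wrap(secret_key: bytes, passphrase: str) -> bytes:
    """Return salt || masked key || tag. A fresh salt yields a fresh one-time mask."""
    if len(secret_key) != 32:
        raise ValueError("secret key must be 32 bytes")
    salt = os.urandom(16)
    k = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(secret_key, k[:32]))
    tag = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    return salt + masked + tag

def unwrap(blob: bytes, passphrase: str) -> bytes:
    """Recover the secret key, or raise ValueError if the passphrase is wrong."""
    salt, masked, tag = blob[:16], blob[16:48], blob[48:]
    k = _derive(passphrase, salt)
    expected = hmac.new(k[32:], salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key")
    return bytes(a ^ b for a, b in zip(masked, k[:32]))

def change_passphrase(blob: bytes, old: str, new: str) -> bytes:
    # Only the wrapping changes; the secret key (and every existing backup) is untouched.
    return wrap(unwrap(blob, old), new)

if __name__ == "__main__":
    secret_key = os.urandom(32)                     # generated locally on the server
    stored = wrap(secret_key, "first passphrase")   # passphrase-protected copy
    escrow = wrap(secret_key, "escrow passphrase")  # separate copy kept somewhere safe
    stored = change_passphrase(stored, "first passphrase", "second passphrase")
    try:
        unwrap(stored, "first passphrase")          # old or forgotten passphrase
    except ValueError as err:
        print("stored key:", err)
    print("escrow key recovers secret:", unwrap(escrow, "escrow passphrase") == secret_key)
```

Because the backups are encrypted with the secret key rather than the passphrase, changing the passphrase only re-wraps the key, which is why it can be done at any time.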