Overview

RAID encryption allows you to protect data stored on the CFA from being accessed offline. For example, if you replace a failed disk in the RAID, you don’t need to worry about someone recovering your sensitive data from it.

Note

RAID encryption isn’t enabled by default, and it should be enabled only on an empty CFA, that is, a CFA being set up for the first time whose RAID contains no backups yet. Otherwise, enabling it will erase everything stored on the RAID.

Encryption doesn’t apply to the CFA boot disk and SSD.

The boot disk contains only the operating system, while the SSD holds the block map (index) for DDFS on the RAID and the CFA catalog database:

  • DDFS block map contains the hash of each stored block, and metadata about the block (reference count, address, etc.).

  • Catalog database stores metadata about each backup job (name, date started and ended, size, etc.). For File and Folder backup jobs, it also includes metadata about each file in a job (file name and size, permissions, timestamps, etc.). It doesn’t contain actual job data.

How it works

CFA RAID is encrypted with LUKS, an industry-standard hard disk encryption system built into Linux. It uses the AES algorithm with a 256-bit key in CBC-ESSIV mode. The key is generated randomly, encrypted with another key (master key), and stored in one of the key slots provided by LUKS.

When writing to or reading from the RAID, the system encrypts/decrypts data on the fly using the master key, which is derived by PBKDF2 from a user-defined passphrase stored on the CFA boot disk.
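The key hierarchy described above, as an added sketch that is not CFA or LUKS code: a random 256-bit key is wrapped under a master key derived by PBKDF2 from the passphrase and kept in a key slot. XOR stands in for the AES encryption of the slot, and the hash function, iteration counts, salt sizes and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32            # 256-bit key, as stated on the page
SLOT_ITER = 100_000     # assumed PBKDF2 iteration count (not given on the page)
DIGEST_ITER = 1_000     # assumed iteration count for the key check digest

def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2 turns the passphrase into the master key that protects the slot."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, SLOT_ITER, KEY_LEN)

def _xor(a: bytes, b: bytes) -> bytes:
    # Stand-in for AES: wraps/unwraps the random key under the master key.
    return bytes(x ^ y for x, y in zip(a, b))

def create_slot(passphrase: str, data_key: bytes) -> dict:
    salt = secrets.token_bytes(32)  # fresh salt for every (re)wrap
    return {"salt": salt, "wrapped": _xor(data_key, derive_master_key(passphrase, salt))}

def format_volume(passphrase: str):
    """Generate the random key once and store only its wrapped form."""
    data_key = secrets.token_bytes(KEY_LEN)
    digest_salt = secrets.token_bytes(32)
    header = {
        "digest_salt": digest_salt,
        # LUKS1 keeps a PBKDF2 digest of the key in its header so that a
        # wrong passphrase is detected instead of yielding garbage data.
        "digest": hashlib.pbkdf2_hmac("sha256", data_key, digest_salt, DIGEST_ITER, 20),
        "slot": create_slot(passphrase, data_key),
    }
    return header, data_key

def unlock(header: dict, passphrase: str):
    """Return the random key, or None if the passphrase is wrong."""
    slot = header["slot"]
    candidate = _xor(slot["wrapped"], derive_master_key(passphrase, slot["salt"]))
    check = hashlib.pbkdf2_hmac("sha256", candidate, header["digest_salt"], DIGEST_ITER, 20)
    return candidate if hmac.compare_digest(check, header["digest"]) else None

def change_passphrase(header: dict, old: str, new: str) -> None:
    """Only the slot is rewritten; data encrypted under the random key is untouched."""
    data_key = unlock(header, old)
    if data_key is None:
        raise ValueError("wrong passphrase")
    header["slot"] = create_slot(new, data_key)
```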