Vectel

How do we rotate backup encryption keys without making old backups unreadable?

Key rotation is best practice, but done badly it destroys backups. The trick: encrypt new backups under the new key, keep old backups readable under the old key, and retain both keys until the retention period expires.


Try this first

  1. Inventory where keys live: the backup tool itself, a KMS (AWS, Azure, GCP), HashiCorp Vault, or a password manager. Document, per repository, which key it uses.
  2. Pick a rotation frequency that matches the risk. Yearly is common, half-yearly for regulated environments, and faster only after a suspected compromise.
  3. Generate a new key, configure the backup tool to encrypt new backups with it. Most tools (Veeam, Acronis, Restic, Duplicacy) support parallel keys.
  4. Keep the old key until the last backup made with it has aged past retention. Only then destroy it safely, not sooner.
  5. Store old and new keys in separate storage with version tag and use-date. Lose a key, lose the backup.
  6. After rotation, restore-test from one old-key backup and one new-key backup. Both must work before rotation is complete.
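As an added illustration of steps 4 to 6 (not Vectel's tooling, and not tied to any specific backup product), the following Python ledger tracks which key each backup was encrypted with, refuses to mark a retired key destroyable until its last backup has aged past retention, and only declares the rotation complete when a restore test under each key has passed. All key names, dates and the retention period are constructed.

```python
# Added example (not Vectel's own tooling): a minimal key-retention ledger that
# models steps 4-6 above. Key ids, backup names, dates and retention are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Backup:
    name: str
    key_id: str        # which key this backup is encrypted with (step 5: version tag)
    created: date      # use-date recorded alongside the key reference

# Constructed inventory: "k-2023" was rotated out, "k-2024" now encrypts new backups.
KEYS = {"k-2023": "retired", "k-2024": "active"}
BACKUPS = [
    Backup("weekly-2023-11-05", "k-2023", date(2023, 11, 5)),
    Backup("weekly-2024-01-07", "k-2023", date(2024, 1, 7)),   # last backup under old key
    Backup("weekly-2024-01-14", "k-2024", date(2024, 1, 14)),  # first backup under new key
]
RETENTION = timedelta(days=365)

def last_use(key_id, backups):
    """Date of the newest backup still encrypted under key_id, or None if no backup uses it."""
    dates = [b.created for b in backups if b.key_id == key_id]
    return max(dates) if dates else None

def keys_safe_to_destroy(keys, backups, retention, today):
    """Step 4: a retired key may be destroyed only once every backup made with it
    has aged past retention. Active keys are never returned, whatever their age."""
    safe = []
    for key_id, state in keys.items():
        if state != "retired":
            continue
        newest = last_use(key_id, backups)
        if newest is None or today - newest > retention:
            safe.append(key_id)
    return safe

def rotation_complete(old_key, new_key, restore_results):
    """Step 6: rotation is finished only when a restore test from one backup under
    the old key and one under the new key both succeeded.
    restore_results maps backup name -> (key_id, restore_succeeded)."""
    passed = {key_id for (key_id, ok) in restore_results.values() if ok}
    return old_key in passed and new_key in passed
```

Feed it the real key inventory from step 1 and the backup catalogue to get a list of keys whose destruction is actually safe today; anything not in that list stays in separate storage.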

When to bring us in

Regulated environments (PCI-DSS, HIPAA-equivalent) have strict logging requirements and may require HSM use. Get a security engineer involved; this is not a DIY job.
