Skip to content

Guide

How to Create an Encrypted Backup

A backup you cannot trust with your secrets is a backup you will hesitate to make. How to build encrypted backups that survive both disk failure and prying eyes.

By SecretPNG TeamReviewed by SecretPNG Security TeamPublished 2026-07-14Updated 2026-07-14

Backups protect you from loss; encryption protects you from exposure. A good backup strategy needs both, because backup copies tend to live in the least protected places you own: a USB drive in a drawer, an external disk in a closet, a folder synced to a cloud account with a years-old password.

Encrypting a backup means that losing physical control of the copy no longer means losing control of the data. The drive can be stolen, the cloud account breached, and the backup remains an opaque block without the password.

Start with the 3-2-1 shape

The widely recommended baseline is three copies of your important data, on two different types of media, with one copy kept offsite or offline. Guidance from CISA's ransomware resources emphasizes the offline copy in particular: a backup that is always connected can be encrypted by the same ransomware that hits the original. Encryption fits into this picture as the property that makes the offsite and offline copies safe to place anywhere.

Building the encrypted set with SecretPNG

SecretPNG's encrypted vault tool packages files and folders into a single encrypted container in your browser. Data is encrypted with AES-256-GCM in 1 MiB chunks; the key is derived from your password with PBKDF2-HMAC-SHA-256 at 600,000 iterations and a unique random salt. Filenames and folder structure are encrypted too, so the vault reveals nothing about its contents. Everything happens locally, and nothing is uploaded.

The output is a .svault file in a documented, versioned format, which matters for backups specifically: years from now, the format specification will still describe exactly how to decrypt your data, independent of any one website or vendor.

Handle the keys like part of the backup

An encrypted backup shifts the survival question from the data to the credentials. Treat the password and recovery key as components of the backup itself.

  • Use a strong generated passphrase, stored in your password manager.
  • Record the recovery key when it is displayed at creation; it is shown once and cannot be regenerated later.
  • Keep the recovery key physically separate from the backup media, for example a printed recovery sheet with your important documents.
  • Never store the only copy of the password inside the vault it unlocks.

Verify, then verify on a schedule

An unverified backup is a hope, not a plan. After creating a vault, open it and restore a few files to confirm the round trip works. Then repeat a small restore test periodically, and whenever you change password managers, computers, or browsers. Verification catches every failure mode that matters at once: media corruption, forgotten passwords, and misplaced recovery keys.

Refresh the backups themselves on a schedule too. A perfect backup of your files from three years ago will not save this year's records; encrypt and store new vaults as your data changes, and periodically recopy media that sits in storage.

Limitations to keep in mind

  • An encrypted backup is unrecoverable if both the password and recovery key are lost; credential loss is the main new risk encryption introduces.
  • Encryption does not protect against media failure; you still need multiple copies on independent media.
  • Browser-based vault creation is practical for personal document sets; very large system-level backups are better served by dedicated backup software.

Sources