Creating encryption keys

Last published : Apr 02, 2026
When you create an encryption key, you select the type of encryption to use.
To create an encryption key
  1. Click the Backup Exec button, select Configuration and Settings, and then clickBackup Exec Settings.
  2. In the left pane, select Network and Security.
  3. Click Manage Keys.
  4. Click New.
  5. In the Key name field, type a unique name for this key. The name can include up to 256 characters.
  6. In the Encryption type field, select the encryption type to use for this key. Your choices are 128-bit AES,256-bit AES (SHA-2), or256-bit AES (PBKDF2). 256-bit AES (SHA-2) was earlier known as 256-bit AES.
The default type is 256-bit AES PBKDF2. The 256-bit AES encryption provides a stronger level of security than 128-bit AES encryption. However, backup jobs may process more slowly with 256-bit AES encryption than with 128-bit AES encryption. Hardware encryption that uses the T10 standard requires 256-bit AES.
  1. In the Pass phrase field, type a pass phrase for this key. You can use only printable ASCII characters.
For 128-bit AES encryption, the pass phrase must be at least eight characters. For 256-bit AES encryption, the pass phrase must be at least 16 characters.
It is recommended that you use more than the minimum number of characters. For 256-bit AES PBKDF2, the pass phrase must have at least one upper case, one lower case, one number, and one special character.
Warning: If an encryption key that is used in a backup is no longer available, you must provide the pass phrase during restore. Without the pass phrase, the data cannot be accessed.
  1. In the Confirm pass phrase field, type the pass phrase again to confirm it.
  2. (Optional) Select the check box and then enter the Salt to recreate the same or missing encryption key again.
If Backup Exec cannot find the encryption key in the database during restore or cataloging, then you need to create the same key again. If the key is created using 256-bit AES PBKDF2, you must enter the Salt. Ensure that you only enter the Salt given by Backup Exec. Salt information would be displayed in a Backup Exec alert during catalog operation.
  1. In the Encryption key type group box, select whether you want to create a common or restricted encryption key.
If a key is common, any user of this installation of Backup Exec can use the key to back up and restore data. If a key is restricted, anyone can use the key to back up data. But only the key owner or a user who knows the pass phrase can use the restricted key to restore the encrypted data.
  1. Click OK.
More Information
Encryption key management
Using encryption with Backup Exec
Related information