# Encryption & data security **Xopero ONE implements advanced encryption and data security measures to ensure that sensitive information is protected both in transit and at rest. Data is encrypted using industry-standard algorithms before leaving endpoints, during transfer over networks, and while stored in datastores, providing organizations with robust protection against unauthorized access and data breaches.** *** ## General information Encryption is the process of converting plain text or files into an unreadable format — it's recommended to use it when handling sensitive data, such as backups. **Xopero ONE** secures backups using two AES (Advanced Encryption Standard) modes: 1. **AES-CBC (Cipher Block Chaining)** is a symmetric encryption algorithm that protects data by transforming plaintext into ciphertext. It encrypts data in fixed-size blocks, where each block is combined with the previous block’s ciphertext before encryption. This “chaining” ensures that identical plaintext blocks produce different ciphertext, enhancing security. 2. **AES-GCM (Galois/Counter Mode)** is an advanced symmetric encryption mode that combines data encryption with authentication, providing confidentiality, integrity, and authenticity of data in a single process. This mechanism combines AES block encryption with an authentication function based on multiplication in the Galois field. {% hint style="danger" %} **The AES-GCM encryption algorithm is not supported on macOS.** Backup and restore tasks configured to use this encryption on **macOS** will fail. {% endhint %} *** ## Limitations Selecting the highest encryption mode provides the strongest level of cryptographic security but imposes certain limitations on specific **Xopero ONE** functions. These limitations stem from the hardware performance of the machines used to perform real-time decryption of backup copies and to map those copies as iSCSI disks, or **VMware** virtual disks. The functionality limitations associated with using a high encryption level can impact: * Running a disk image copy as an iSCSI disk. * Running a virtual machine copy as an iSCSI disk. * Running a virtual machine copy in disaster recovery mode (**VMware**). {% hint style="success" %} Using 256-bit encryption **does not impact the accuracy or reliability of backup and recovery operations**. {% endhint %} *** ## Enabling encryption for a backup plan Encryption is available for all devices, virtual machines, and organizations integrated with **Xopero ONE**. It can be enabled in the backup plan settings during setup. {% hint style="danger" %} If a backup plan is created without encryption, it cannot be enabled later — **encryption settings cannot be changed in an existing plan**. Alternatively, you can clone an existing backup plan and modify it to include encryption. {% endhint %} When configuring a new backup plan, scroll down to **Advanced settings**, click **Edit**, and turn on the **Encryption** switch. You can then select the preferred encryption method (AES-CBC or AES-GCM) and choose one of the three available encryption levels from the drop-down list: 1. **Low:** the algorithm uses a 128-bit encryption key. 2. **Normal:** the algorithm uses a 192-bit encryption key. 3. **High:** the algorithm uses a 256-bit encryption key. {% hint style="warning" %} If an image-level backup is encrypted with a high encryption level (256-bit key length), it cannot be recovered using the iSCSI protocol via the iSCSI target recovery option, as granular data access is not available. {% endhint %} A password (encryption key) is required to perform the encryption operation to ensure that information is secured and stored in an inaccessible form. You can either select an existing encryption key from the **Password Manager** or create a new one.
*** ## Useful links and items {% content-ref url="replication" %} [replication](https://helpcenter.xopero.com/xopero-one-en/backup-plans-and-features/replication) {% endcontent-ref %}