Versioning and Encryption for file backups
How to make the best choice for you when backing up SharePoint Document Libraries and OneDrive for Business.
BackupAssist 365 can back up SharePoint and OneDrive for Business files in a variety of ways, depending on your use-cases and security requirements.
Two settings you can choose are encryption and versioning. Depending on the combination of these settings, your backup files will look different on the file system.
| Encryption off | Encryption on | |
| Versioning off | “Mirror” mode | “Encrypted mirror” mode |
| Versioning on | “Versioning” mode | “Encrypted versioning” mode |
Which mode should I use?
This matrix will help you decide the best mode for you.
Answer two questions for our recommendation:
|
Q1: Do you have sensitive data that needs securing under HIPAA, GDPR, and other similar data handling laws? |
|||
| No | Yes | ||
|
Q2: Do you run an additional backup system that provides versioning? |
No |
Use Versioning mode (Versioning, no encryption) |
Use Encrypted Versioning mode (Versioning, with encryption) |
| Yes |
Use Mirror mode (No versioning, no encryption) |
Use Encrypted Mirror mode (No versioning, with encryption) |
|
Now let’s look at each mode, what your backups will look like, and why you would use each mode.
Mirror mode
Your backup files are stored as a simple mirror (replica) of the source files.
Use this mode when:
- integrating this local mirror into another backup system that provides versioning. For instance, if you use BA 365 to pull your cloud files to a local server, and then use BackupAssist Classic or ER to back up that server.
As you can see from the screenshots below, the backup looks exactly like the source data:
Encrypted mirror mode
Your backup files will be stored in a cryptographic file system that encrypts both file contents and file names. Encryption is based on the AES-256 cipher, and is secured by a password that you enter into in BackupAssist 365.
Use this mode when:
- You do not need versioning, because another backup system handles versioning (see above)
- The data contains sensitive information, such as Personally Identifiable Information (PII), Health information, Credit card numbers, and commercial secrets.
Encryption provides protection for privacy and tampering. As long as the password is kept secret, all attackers, such as hackers and malicious employees, are locked out of reading and modifying the data even if they have access to the backup storage.
Your backup files are completely obfuscated by the encryption, which hides directory names, file names and file contents.
This is what your backup files will look like:
The characters in the file names are Unicode characters, representing encrypted file names and directory names. They might look like they are Chinese characters, but the characters are random and also includes Korean, Japanese, Latin, Greek, Mathematical Symbols, amongst many others.
Versioning mode
Versioning is useful when you want to keep
- past versions of files,
- deleted files and directories, and
- a record of the entire file system at a particular point in time.
This is most commonly used when using BackupAssist 365 as a standalone backup solution.
Your backup files will look slightly different when compared with mirror mode:
You will note that the files now contain a number of Unicode characters at the end. This extra information is called the “version suffix”, and it enables BackupAssist to keep track of past versions and perform point-in-time restores without needing any additional metadata or databases.
The version suffix encodes important information:
- modification time
- backup time – when the download took place
- file state – deleted or not
- writable or read-only
- length of file
Generally, we recommend performing restores through the BackupAssist 365 user interface. This enables you to pick a point-in-time and do a partial or full restore.
If you wish, it is also possible to copy the backup files and manually remove the Unicode characters to get back to the original file. We provide this ability as part of our philosophy on Data Accessibility – that you should be able to access your data even without BackupAssist 365 installed.
Over time, as multiple versions of a file are created, BackupAssist 365 keeps each version with a different version suffix.
In this example, these two screenshots show what the backup directory looks like when the file called “Trademark submission.docx” is updated and a second backup is run.
You will note that for each version, an additional copy of that file is placed in the same directory. For resilience, each version is standalone, rather than being stored as “diffs”. This means, if your hard disk has a bad sector that means a file cannot be read, it only affects one file, not multiple.
Encrypted versioning mode
This is similar to versioning mode, except all data is put inside a cryptographic file system. This results in the data being protected from privacy breach and tampering.
Your backup data now looks like this:
Did you find this helpful?
Sorry about that
Why wasn't this helpful? (check all that apply)
Thanks for your feedback.
Want to tell us more?
Support requests are not logged from this dialog. If you require technical assistance, please contact support.
Great!
Thanks for taking the time to give us some feedback.
Great!
Thanks for taking the time to give us some feedback.
Still need help?
Contact us via phone or email to get the support you need.
Our business hours are Monday - Friday 9am-5pm US Eastern Time.
© 2025. BackupAssist™ and the intellectual property contained
within this document is the property of Cortex IT Labs Pty Ltd.