Skip to main content Skip to navigation Skip to footer
Limited time: Design Partner Program — BUSINESS plan free for life
ENCRYPTION CONTROL

Your keys. Your encryption. No exceptions.

Every backup is encrypted with keys you own. Not your vendor's keys. Not shared keys. Yours alone.

Every vendor encrypts your data. None let you hold the only key. Rediacc does.

Claim Design Partner See encryption details →
rdc repo mount production
Encrypting all repositories with AES-256-GCM...
Key loaded: production.key (4096-bit RSA).......... valid ..
Encrypting: gitlab (42 GB)...................... sealed ..
Encrypting: nextcloud (128 GB).................. sealed ..
Encrypting: mailcow (84 GB)..................... sealed ..
Encrypting: mariadb (96 GB)..................... sealed ..
Verifying integrity checksums................... all match ..
✓ ✓ All repositories encrypted: 4/4 sealed, zero-knowledge verified

Illustrative output; actual runs may include extra logs.

AES-256
Encryption Standard
You
Key Owner
Always
Encrypted at Rest & Transit
THE PROBLEM

Vendor-managed keys aren't truly yours

Here's the part nobody tells you. Most backup tools encrypt your data with their keys, not yours. So they can open it. Their staff can open it. If they get hacked, your data is wide open. Don't control the keys? Then you don't control your data.

Only 8% of companies encrypt 80%+ of their cloud data Thales 2025 Cloud Security Study [1]
$4.88M average cost of a data breach globally IBM Cost of Data Breach 2024 [2]
57% of companies juggle 5+ key systems, leaving blind spots Thales 2025 Cloud Security Study [1]
THE OLD WAY
Setup Upload to vendor
Trust Vendor holds keys
Day N Vendor breached
Day N+1 Keys compromised
Result Your data exposed
WITH REDIACC
Your key
AES-256
Zero-knowledge
THE REAL COST

What does weak encryption governance cost you?

Drag the sliders to match your environment. See the real cost of vendor-managed encryption.

Encryption governance calculator

VENDOR-MANAGED KEYS
Audit prep hours / year80 hours
Compliance gaps (key access)4
Exposure windows per year365 days
Breach risk premium$4,880
Annual compliance cost
$20,880
WITH REDIACC
Audit prep hours / year4 hours
Compliance gaps (key access)0
Exposure windows per year0 days
Breach risk premium$0
Annual compliance cost
$800
Audit prep: audits × hours per audit. Compliance gaps: 1 per 5 TB of vendor-managed data. Breach risk premium: $4,880/TB × risk factor (industry average from IBM). With customer-held keys and zero-knowledge architecture, key access audit is a single CLI command.
HOW IT WORKS

One command. Total control.

1

Generate

Run rdc keygen production. This makes your own 4096-bit key pair. Only you hold it. No one else gets a copy.

2

Encrypt

Every backup gets locked with AES-256-GCM using your key. Your data stays encrypted on disk and on the move. It happens automatically.

3

Control

We never see your key. We never see your raw data. Only you can unlock it. That's what zero-knowledge means: we hold nothing.

Backup Data Plaintext
gitlab 42 GB
nextcloud 128 GB
mailcow 84 GB
mariadb 96 GB
350 GB total Readable
Encrypt
AES-256-GCM
Encrypted Backup Sealed
gitlab AES-256
nextcloud AES-256
mailcow AES-256
mariadb AES-256
Your key only Zero-knowledge
UNDER THE HOOD

Why vendor-managed encryption fails you

When your vendor holds the keys, they can open your data. Their staff can too. One breach on their side and everything spills out. We do it the opposite way. You hold the keys. We never see your raw data or your key. Honestly, that's how it should have always worked.

Vendor holds the keys, so they can open your data
You hold the keys, so only you can open it
Keys shared across many customers
A separate key for each app, on your servers
One vendor breach exposes all the data
Zero-knowledge, so a breach finds nothing usable
Changing keys needs the vendor's help
Change your keys yourself with one command
WHY IT MATTERS

What you get

Your keys only

You make them. You keep them on your own servers. No shared key vaults. No vendor access. Nothing you have to take on trust.

AES-256-GCM encryption

AES-256-GCM does two jobs at once. It locks your data and checks that nothing has been touched. Every read is verified. If someone tampers with it, you know.

Zero-knowledge architecture

We never see your raw data. We never touch your key. So even if someone hacked our own code, there's nothing here to steal.

THE GAP

Encryption control compared

Most backup tools encrypt your data with their keys. That's not your encryption. That's theirs.

Capability VeeamRubrikCommvaultDruva Rediacc
You hold the encryption keys Via KMS[3] Via KMS[4] Via KMS[5] Via KMS[6]
Zero-knowledge architecture
Change your keys yourself Via KMS[7] Via KMS[8] Via KMS[9] Via KMS[10]
AES-256 encryption on disk [11] [12] [13] [14]
A separate key per app
Encryption while data moves [15] [16] [17] [18]
Self-hosted on your own servers [19] [20] [21]
Our healthcare clients require HIPAA-compliant data sovereignty — the encryption keys must never leave our infrastructure. We evaluated every major backup vendor and Rediacc was the only one where we genuinely hold the only key. During our SOC 2 audit, the auditor asked to verify key custody. I ran one command and showed the key was on our HSM, not on any vendor system. Audit finding: zero gaps in key management.
BEFORE
3 gaps
AFTER
0 gaps
Zero audit findings · Key custody proven in 1 CLI command

Own your encryption keys

Start with the free Community edition. Generate your first key in under a minute.

Claim Design Partner
$ rdc repo mount production -m primary

Short on time?

Skip the deep-dive. Grab the five-minute version your team can read at a stand-up.

Download short brief (PDF)
Encrypt any app you run in a container
Databases, mail servers, CI/CD, CMS, monitoring, login systems. If it runs in a container, Rediacc encrypts it with your keys.

Explore Other Solutions

Encryption Control

Encryption You Control

Your keys. Your encryption. No exceptions.

Current page Encryption Control

Audit Trail

Every action logged. Nothing hidden.

 Encryption Control

Migration Safety

Migrate without risking your data

 Ransomware Survival

Immutable Backups

Backups that ransomware can't touch

 Multi Cloud

Cloud Outage Protection

When AWS goes down, you don't

 Verified Backups

Backup Verification

Every backup verified automatically

 Development Environments

Environment Cloning

Clone production in 60 seconds

 Preemptive Defense

AI Pentesting

Clone production. Let AI attack it.
Sources & References
  1. Thales, "2025 Cloud Security Study," conducted by S&P Global 451 Research, 2025. "Only 8% of organizations encrypt 80% or more of their cloud data." "57% use five or more encryption key managers." cpl.thalesgroup.com
  2. IBM Security, "Cost of a Data Breach Report 2024," July 2024. "The global average cost of a data breach reached $4.88 million in 2024." newsroom.ibm.com
  3. Veeam supports external KMS integration for encryption key management including AWS KMS and Azure Key Vault. helpcenter.veeam.com
  4. Rubrik supports customer-managed encryption keys via external KMS integration including KMIP-compatible servers. docs.rubrik.com
  5. Commvault integrates with AWS KMS, Azure Key Vault, HashiCorp Vault, and KMIP-compatible key management servers. documentation.commvault.com
  6. Druva Enterprise Key Management (BYOK) lets customers use their own AWS KMS keys to encrypt backup data. docs.druva.com
  7. Veeam supports encryption key rotation through KMS integration for compliance with security policies. helpcenter.veeam.com
  8. Rubrik supports encryption key rotation through its KMS integration for enterprise key management. docs.rubrik.com
  9. Commvault supports automated encryption key rotation via the Rotate Encryption Master Keys workflow with configurable intervals. documentation.commvault.com
  10. Druva supports both cloud encryption key and customer-managed AWS KMS key rotation for security compliance. help.druva.com
  11. Veeam encrypts backup data at rest using AES-256 encryption with hardware acceleration support. helpcenter.veeam.com
  12. Rubrik encrypts all data at rest using AES-256 encryption with software or hardware-based key management. docs.rubrik.com
  13. Commvault supports AES-256 encryption at rest with hardware-accelerated AES-NI support for backup data. documentation.commvault.com
  14. Druva encrypts all data at rest with AES-256 using unique per-customer Data Encryption Keys. help.druva.com
  15. Veeam encrypts all data in transit using TLS for network traffic between backup components. helpcenter.veeam.com
  16. Rubrik encrypts all data in transit using TLS 1.2+ between cluster nodes and remote targets. docs.rubrik.com
  17. Commvault encrypts network traffic in transit using mutual TLS 1.3 with AES_256_GCM_SHA384 cipher suite. documentation.commvault.com
  18. Druva encrypts all data in transit with TLS 1.2 (256-bit) between customer environment and Druva Cloud. help.druva.com
  19. Veeam Backup & Replication is deployed on-premises on Windows Server with full customer control over infrastructure. helpcenter.veeam.com
  20. Rubrik is deployed as on-premises appliances (r6000 series) with integrated compute, storage, and software. docs.rubrik.com
  21. Commvault supports fully self-hosted on-premises deployments with CommServe, MediaAgent, and Access Node components. documentation.commvault.com
Product performance claims are based on Rediacc's btrfs copy-on-write architecture. Calculator estimates use industry-standard cost models; actual costs vary by organization.