ENCRYPTION CONTROL

Your keys. Your encryption. No exceptions.

Every backup is encrypted with keys you own. Not your vendor's keys. Not shared keys. Yours alone.

Every vendor encrypts your data. None let you hold the only key. Rediacc does.

rdc repo mount production
Encrypting all repositories with AES-256-GCM...
Key loaded: production.key (4096-bit RSA).......... valid ..
Encrypting: gitlab (42 GB)...................... sealed ..
Encrypting: nextcloud (128 GB).................. sealed ..
Encrypting: mailcow (84 GB)..................... sealed ..
Encrypting: mariadb (96 GB)..................... sealed ..
Verifying integrity checksums................... all match ..
✓ ✓ All repositories encrypted: 4/4 sealed, zero-knowledge verified

Illustrative output; actual runs may include extra logs. CLI reference: rdc repo mount

Encryption Standard: AES-256
Key Owner: You
Encrypted at Rest & Transit: Always

THE PROBLEM

Vendor-managed keys aren't truly yours

Most backup tools encrypt your data — with their keys. That means they can access it. Their employees can access it. A breach on their end exposes your data. If you don't control the keys, you don't control your data.

Only 8% of organizations encrypt 80%+ of their cloud data (Thales 2025 Cloud Security Study [1])
$4.88M average cost of a data breach globally (IBM Cost of Data Breach 2024 [2])
57% of organizations use 5+ key management systems, creating encryption blind spots (Thales 2025 Cloud Security Study [1])

THE OLD WAY
Setup: Upload to vendor
Trust: Vendor holds keys
Day N: Vendor breached
Day N+1: Keys compromised
Result: Your data exposed

WITH REDIACC
Your key
AES-256
Zero-knowledge

THE REAL COST

What does weak encryption governance cost you?

See the real cost of vendor-managed encryption.

Encryption governance calculator

VENDOR-MANAGED KEYS
Audit prep hours / year: 80 hours
Compliance gaps (key access): 4
Exposure windows per year: 365 days
Breach risk premium: $4,880
Annual compliance cost: $20,880

WITH REDIACC
Audit prep hours / year: 4 hours
Compliance gaps (key access): 0
Exposure windows per year: 0 days
Breach risk premium: $0
Annual compliance cost: $800

Audit prep: audits × hours per audit. Compliance gaps: 1 per 5 TB of vendor-managed data. Breach risk premium: $4,880/TB × risk factor (industry average from IBM). With customer-held keys and zero-knowledge architecture, key access audit is a single CLI command.
HOW IT WORKS

One command. Total control.

1. Generate

Run rdc keygen production. Create a 4096-bit RSA key pair that only you hold.

2. Encrypt

Every backup is sealed with AES-256-GCM using your key. Data is encrypted at rest and in transit — automatically.

3. Control

Zero-knowledge architecture. Rediacc never sees your key, never touches your plaintext. Only you can decrypt.

Backup Data (Plaintext): gitlab 42 GB, nextcloud 128 GB, mailcow 84 GB, mariadb 96 GB
Encrypt: AES-256-GCM
Encrypted Backup (Sealed): gitlab, nextcloud, mailcow, mariadb (each AES-256)

UNDER THE HOOD

Why vendor-managed encryption fails you

Vendor-managed encryption means your vendor holds the keys. They can decrypt your data. Their employees can access it. A breach on their end exposes everything. Rediacc uses customer-held keys with a zero-knowledge architecture — we never see your plaintext or your key.

Vendor-managed: Vendor holds encryption keys — can access your data
Rediacc: Customer-held keys — only you can decrypt

Vendor-managed: Shared key infrastructure across tenants
Rediacc: Per-repository key isolation on your infrastructure

Vendor-managed: Vendor breach exposes all encrypted data
Rediacc: Zero-knowledge — breach has no usable data to expose

Vendor-managed: Key rotation requires vendor involvement
Rediacc: Self-service key rotation via CLI — no dependencies

WHY IT MATTERS

What you get

Your keys only

You generate them. You store them on your infrastructure. No shared key stores, no vendor access, no trust assumptions.

AES-256-GCM encryption

Authenticated encryption with associated data. Not just encrypted — integrity-verified at every read. Tamper-evident by design.

Zero-knowledge architecture

Rediacc never sees your plaintext. Never touches your key. Even if our codebase were compromised, there's nothing to steal.

THE GAP

Encryption control compared

Most backup tools encrypt your data with their keys. That's not your encryption — it's theirs.

Capability | Veeam | Rubrik | Commvault | Druva | Rediacc
Customer-held encryption keys | Via KMS [3] | Via KMS [4] | Via KMS [5] | Via KMS [6] |
Zero-knowledge architecture | | | | |
Self-service key rotation | Via KMS [7] | Via KMS [8] | Via KMS [9] | Via KMS [10] |
AES-256 encryption at rest | [11] | [12] | [13] | [14] |
Per-repository key isolation | | | | |
Encryption in transit | [15] | [16] | [17] | [18] |
Self-hosted / your infrastructure | [19] | [20] | [21] | |

Our healthcare clients require HIPAA-compliant data sovereignty — the encryption keys must never leave our infrastructure. We evaluated every major backup vendor and Rediacc was the only one where we genuinely hold the only key. During our SOC 2 audit, the auditor asked to verify key custody. I ran one command and showed the key was on our HSM, not on any vendor system. Audit finding: zero gaps in key management.
Zero audit findings · Key custody proven in 1 CLI command

Own your encryption keys

Start with the free Community edition. Generate your first key in under a minute.

$ rdc repo mount production -m primary
Encrypt any containerized workload
Databases, mail servers, CI/CD, CMS, monitoring, auth — if it runs in a container, Rediacc encrypts it with your keys.
Sources & References
  1. Thales, "2025 Cloud Security Study," conducted by S&P Global 451 Research, 2025. "Only 8% of organizations encrypt 80% or more of their cloud data." "57% use five or more encryption key managers." cpl.thalesgroup.com
  2. IBM Security, "Cost of a Data Breach Report 2024," July 2024. "The global average cost of a data breach reached $4.88 million in 2024." newsroom.ibm.com
  3. Veeam supports external KMS integration for encryption key management including AWS KMS and Azure Key Vault. helpcenter.veeam.com
  4. Rubrik supports customer-managed encryption keys via external KMS integration including KMIP-compatible servers. docs.rubrik.com
  5. Commvault integrates with AWS KMS, Azure Key Vault, HashiCorp Vault, and KMIP-compatible key management servers. documentation.commvault.com
  6. Druva Enterprise Key Management (BYOK) lets customers use their own AWS KMS keys to encrypt backup data. docs.druva.com
  7. Veeam supports encryption key rotation through KMS integration for compliance with security policies. helpcenter.veeam.com
  8. Rubrik supports encryption key rotation through its KMS integration for enterprise key management. docs.rubrik.com
  9. Commvault supports automated encryption key rotation via the Rotate Encryption Master Keys workflow with configurable intervals. documentation.commvault.com
  10. Druva supports both cloud encryption key and customer-managed AWS KMS key rotation for security compliance. help.druva.com
  11. Veeam encrypts backup data at rest using AES-256 encryption with hardware acceleration support. helpcenter.veeam.com
  12. Rubrik encrypts all data at rest using AES-256 encryption with software or hardware-based key management. docs.rubrik.com
  13. Commvault supports AES-256 encryption at rest with hardware-accelerated AES-NI support for backup data. documentation.commvault.com
  14. Druva encrypts all data at rest with AES-256 using unique per-customer Data Encryption Keys. help.druva.com
  15. Veeam encrypts all data in transit using TLS for network traffic between backup components. helpcenter.veeam.com
  16. Rubrik encrypts all data in transit using TLS 1.2+ between cluster nodes and remote targets. docs.rubrik.com
  17. Commvault encrypts network traffic in transit using mutual TLS 1.3 with AES_256_GCM_SHA384 cipher suite. documentation.commvault.com
  18. Druva encrypts all data in transit with TLS 1.2 (256-bit) between customer environment and Druva Cloud. help.druva.com
  19. Veeam Backup & Replication is deployed on-premises on Windows Server with full customer control over infrastructure. helpcenter.veeam.com
  20. Rubrik is deployed as on-premises appliances (r6000 series) with integrated compute, storage, and software. docs.rubrik.com
  21. Commvault supports fully self-hosted on-premises deployments with CommServe, MediaAgent, and Access Node components. documentation.commvault.com
Product performance claims are based on Rediacc's btrfs copy-on-write architecture. Calculator estimates use industry-standard cost models; actual costs vary by organization.