Encryption Guide

AES Encryption Explained

The Advanced Encryption Standard protects classified government data, bank transactions, and your backup images. Learn how AES works, why AES-256 is the gold standard for backup encryption, and how Macrium Reflect uses it to keep your data safe.

What Is AES (Advanced Encryption Standard)?

The Advanced Encryption Standard (AES) is a symmetric-key block cipher adopted by the U.S. National Institute of Standards and Technology (NIST) as Federal Information Processing Standard (FIPS) 197 in November 2001. AES encrypts data in fixed-size 128-bit blocks using a secret key of 128, 192, or 256 bits. It is the most widely deployed encryption algorithm in the world, securing everything from classified government communications to the HTTPS connection you use to browse the web.

AES is a symmetric cipher, meaning the same key is used for both encryption and decryption. This distinguishes it from asymmetric algorithms like RSA, which use a public key for encryption and a private key for decryption. Symmetric encryption is orders of magnitude faster than asymmetric encryption, making AES the practical choice for encrypting large volumes of data such as disk images, backup files, and full-disk encryption.

The strength of AES lies in its mathematical foundation, its resistance to all known cryptanalytic attacks, and its efficiency in both software and hardware implementations. No practical attack against AES has been demonstrated since its adoption over two decades ago. The best known theoretical attack against AES-256 reduces the effective key strength from 2^256 to 2^254.4 operations — still a number so astronomically large that it would take longer than the age of the universe to brute-force using all the computing power on Earth.

History: From Rijndael to the Global Standard

By the late 1990s, the Data Encryption Standard (DES) — the previous federal encryption standard adopted in 1977 — had become vulnerable due to its short 56-bit key length. In 1997, NIST issued a public call for proposals to replace DES with a new encryption standard that would be secure, efficient, and freely available worldwide. The selection process was intentionally open and transparent, inviting cryptographers from around the world to submit and publicly analyze candidate algorithms.

Fifteen algorithms were submitted from twelve countries. After two rounds of public evaluation spanning three years, the field was narrowed to five finalists: Rijndael (Belgium), Serpent (UK/Israel/Norway), Twofish (USA), RC6 (USA), and MARS (USA). Each finalist was subjected to intensive cryptanalysis by the global cryptography community, evaluated for security margins, performance on a wide range of platforms, and implementation simplicity.

In October 2000, NIST selected Rijndael, designed by Belgian cryptographers Joan Daemen and Vincent Rijmen, as the AES algorithm. Rijndael was chosen for its combination of security, performance, and elegant mathematical structure. It performed exceptionally well on both 8-bit smartcard processors and 64-bit server CPUs, and its design was considered the most resistant to side-channel attacks among the finalists. NIST published the final AES standard as FIPS 197 on November 26, 2001, and AES became mandatory for encrypting all non-classified sensitive U.S. government data. In 2003, the NSA approved AES-256 for protecting information classified at the TOP SECRET level.

How AES Works: The Four Round Operations

AES processes each 128-bit block through a series of transformation rounds. Each round applies four distinct operations that together provide the confusion and diffusion necessary for strong encryption.

Step 1

SubBytes

Each byte in the state matrix is replaced with a corresponding value from a fixed substitution table called the S-box. The S-box is derived from the multiplicative inverse in GF(2^8) followed by an affine transformation. This non-linear substitution provides confusion — it obscures the relationship between the plaintext and ciphertext, making it resistant to linear and differential cryptanalysis.

Step 2

ShiftRows

The bytes in each row of the 4x4 state matrix are cyclically shifted to the left by different offsets. Row 0 is not shifted, row 1 shifts by 1 byte, row 2 by 2 bytes, and row 3 by 3 bytes. This transposition step ensures that the columns of the state are composed of bytes from different positions in the original block, providing diffusion across the block.

Step 3

MixColumns

Each column of the state matrix is treated as a polynomial over GF(2^8) and multiplied by a fixed polynomial c(x) = 3x^3 + x^2 + x + 2. This operation mixes the bytes within each column so that each output byte depends on all four input bytes of that column. MixColumns provides the primary diffusion mechanism — a single bit change in the input propagates to affect multiple bytes in the output.

Step 4

AddRoundKey

The state matrix is XORed with a 128-bit round key derived from the original cipher key via the key schedule algorithm. Each round uses a different round key, and this step is the only point where the secret key material enters the computation. The key schedule uses Rijndael's key expansion algorithm to generate a unique round key for each round from the original key.

The number of rounds depends on the key size: AES-128 performs 10 rounds, AES-192 performs 12 rounds, and AES-256 performs 14 rounds. The final round omits the MixColumns step. Each additional round increases the security margin by further diffusing the relationship between the key, plaintext, and ciphertext. The round structure is what makes AES a product cipher — security comes from the repeated application of relatively simple transformations, each building upon the previous round's output.

AES-128 vs AES-192 vs AES-256

AES supports three key lengths, each offering different levels of security and performance trade-offs.

128

AES-128

Key Length

128 bits

Rounds

10

Possible Keys

3.4 x 10^38

Security Level

Strong — approved for most government classifications

Performance

Fastest of the three variants; approximately 40% faster than AES-256 in software implementations

Common Use Cases

Consumer applications, web traffic (TLS), wireless networks (WPA2/WPA3)

192

AES-192

Key Length

192 bits

Rounds

12

Possible Keys

6.2 x 10^57

Security Level

Very strong — exceeds most current threat models

Performance

Moderate; roughly 20% slower than AES-128 due to additional rounds

Common Use Cases

Financial institutions, mid-tier government systems, enterprise VPN tunnels

256

AES-256

Key Length

256 bits

Rounds

14

Possible Keys

1.1 x 10^77

Security Level

Maximum — approved for TOP SECRET classification by NSA

Performance

Slowest of the three but still extremely fast on modern hardware with AES-NI instruction support

Common Use Cases

Military and intelligence systems, disk encryption, backup encryption, healthcare (HIPAA), financial compliance

Block Cipher Modes of Operation

AES encrypts data in 128-bit blocks. The mode of operation determines how these blocks are chained together to encrypt data larger than 128 bits, and each mode has different security and performance characteristics.

ECB (Electronic Codebook)

The simplest mode: each 128-bit block is encrypted independently with the same key. Identical plaintext blocks produce identical ciphertext blocks, creating recognizable patterns that leak information about the underlying data. ECB mode is considered insecure for encrypting data larger than a single block and should never be used for disk or backup encryption.

Insecure

CBC (Cipher Block Chaining)

Each plaintext block is XORed with the previous ciphertext block before encryption, creating a chain where each block depends on all preceding blocks. An Initialization Vector (IV) ensures that identical plaintexts produce different ciphertexts. CBC is widely used and well-understood, but it is inherently sequential — blocks cannot be encrypted or decrypted in parallel — which limits throughput on modern multi-core processors.

Secure
Used in Backup Encryption

CTR (Counter Mode)

Converts AES from a block cipher into a stream cipher by encrypting a sequence of incrementing counter values and XORing the result with the plaintext. CTR mode is fully parallelizable, enabling high throughput on multi-core CPUs and hardware AES accelerators. It does not provide authentication, so it is typically combined with a separate MAC (message authentication code) for integrity verification.

Secure

GCM (Galois/Counter Mode)

Combines CTR mode encryption with Galois field multiplication for built-in authentication. GCM provides both confidentiality and integrity in a single operation — authenticated encryption — making it impossible for an attacker to modify the ciphertext without detection. GCM is the gold standard for modern encryption and is used in TLS 1.3, IPsec, and SSH. It is fully parallelizable and benefits from hardware AES-NI and CLMUL instructions.

Secure
Used in Backup Encryption

Why AES-256 Is the Standard for Backup Encryption

Backup images present a unique security challenge: they contain complete snapshots of entire systems, including operating system files, application data, user documents, credentials stored in browser profiles, email archives, and database files. A single unencrypted backup image is a comprehensive data breach in a single file. If that backup is stored on a portable drive, a NAS accessible over the network, or in cloud storage, the attack surface is significant.

AES-256 is the preferred choice for backup encryption for several reasons. First, backup images have long lifespans — retention policies may keep backup images for months or years, during which time advances in computing power and cryptanalysis could weaken shorter key lengths. AES-256 provides the largest security margin against future attacks, including the theoretical threat of quantum computing. Grover's algorithm, which runs on quantum computers, could effectively halve the key strength of a symmetric cipher, reducing AES-256 to an effective strength of 128 bits — still considered secure — while reducing AES-128 to an effective 64 bits, which is not.

Second, regulatory frameworks including HIPAA, GDPR, and PCI-DSS either explicitly recommend or effectively require AES-256 for data-at-rest encryption. Using AES-256 from the outset ensures compliance without the need to re-encrypt existing backup archives when regulations tighten.

Third, the performance cost of AES-256 over AES-128 is negligible on modern hardware. Intel's AES-NI instruction set, available on all Intel processors since 2010 (Westmere) and all AMD processors since 2011 (Bulldozer), provides hardware-accelerated AES operations that process data at speeds exceeding 4 GB/s per core. At these speeds, AES-256 encryption adds less than 5% overhead to most backup operations, making the security-performance trade-off essentially free.

Implementation Details

How Macrium Reflect Implements AES Encryption

Macrium Reflect integrates AES encryption directly into the backup pipeline, encrypting data as it is read from the source disk before it is written to the backup image file. This inline encryption approach ensures that plaintext data never touches the backup destination — there is no temporary unencrypted file that could be intercepted or recovered from the destination media.

When you enable encryption on a backup definition, Macrium Reflect prompts for a password. This password is not used directly as the encryption key. Instead, Macrium uses PBKDF2 (Password-Based Key Derivation Function 2) to derive a 256-bit encryption key from your password. PBKDF2 applies a pseudorandom function (HMAC-SHA-256) to the password combined with a random salt, repeating the process for a configurable number of iterations. This key stretching serves two critical purposes: it converts a human-memorable password of arbitrary length into a fixed-length cryptographic key, and it dramatically slows down brute-force password guessing attacks by making each guess computationally expensive.

The salt — a random value generated uniquely for each backup image — ensures that identical passwords produce different encryption keys for different backups. This prevents an attacker who obtains multiple encrypted backup images from determining whether they share the same password by comparing the encrypted data. The salt is stored in the backup image header alongside the encryption metadata; it does not need to be kept secret because its purpose is to ensure uniqueness, not confidentiality.

Each backup image in a chain (full, incremental, or differential) is encrypted independently with its own salt and derived key. All images in the chain use the same password, but the actual encryption key differs for each image due to the unique salt. This means that compromising the encryption of one image in the chain does not automatically compromise the others.

Key Derivation: From Passwords to Encryption Keys

The weakest link in any password-based encryption system is the password itself. AES-256 requires a 256-bit key — a sequence of 32 random bytes with 256 bits of entropy. Human-chosen passwords, even strong ones, typically contain between 40 and 80 bits of entropy. The key derivation function bridges this gap by transforming a low-entropy password into a high-quality cryptographic key while simultaneously making brute-force attacks computationally expensive.

PBKDF2 (defined in RFC 8018) works by repeatedly applying HMAC-SHA-256 to the concatenation of the password and a random salt. Each iteration takes the output of the previous iteration as input, creating a chain of hash computations. With 100,000 iterations, an attacker attempting to guess the password must perform 100,000 HMAC operations per guess. On modern hardware, this means an attacker can test approximately 10,000 passwords per second per CPU core — compared to billions of operations per second for a direct brute-force attack on the raw AES key.

This computational cost is intentionally asymmetric. The legitimate user derives the key once when starting a backup or restore operation, experiencing a sub-second delay. An attacker who must test millions or billions of candidate passwords faces days, years, or centuries of computation depending on the password's entropy and the iteration count. Increasing the PBKDF2 iteration count directly increases the cost for attackers while adding only milliseconds for legitimate users.

Alternative key derivation functions such as Argon2 (winner of the Password Hashing Competition in 2015) and scrypt add memory-hardness — they require significant RAM in addition to CPU time, making them resistant to GPU-accelerated and ASIC-accelerated attacks. While PBKDF2 remains widely used and NIST-approved, Argon2 is increasingly recommended for new applications where hardware attack resistance is a priority.

Performance Impact of Encryption on Backup Speed

One of the most common concerns about enabling backup encryption is the potential impact on backup speed. In the era before hardware-accelerated AES, this concern was legitimate — software AES implementation could reduce backup throughput by 30-50%. Modern hardware has fundamentally changed this equation.

AES-NI (AES New Instructions) is a set of CPU instructions specifically designed to accelerate AES encryption and decryption. Introduced by Intel in 2010 with the Westmere microarchitecture and adopted by AMD in 2011 with the Bulldozer architecture, AES-NI is now present in virtually every x86 processor sold in the last decade. With AES-NI, a single CPU core can encrypt data at speeds exceeding 4 GB/s — significantly faster than most storage devices can read or write data.

In practice, this means that AES-256 encryption is rarely the bottleneck in a backup operation. The limiting factors are typically disk I/O (reading from the source and writing to the destination), network bandwidth (for network or cloud backup targets), and data compression (which is CPU-intensive but runs in parallel with encryption on multi-core processors). Macrium Reflect exploits hardware AES-NI when available, processing encryption in a dedicated pipeline stage that overlaps with disk I/O and compression.

Real-world benchmarks show that enabling AES-256 encryption in Macrium Reflect typically adds 3-10% to backup completion time when writing to a local SSD or NAS, and has no measurable impact when the destination is cloud storage (where upload bandwidth is the dominant constraint). For most users, the security benefit of encryption far outweighs this marginal time increase.

Compliance: Regulatory Requirements for Encrypted Backups

Multiple regulatory frameworks require or strongly recommend encryption for data at rest, including backup images.

HIPAA

Health Insurance Portability and Accountability Act

HIPAA's Security Rule (45 CFR 164.312) requires covered entities to implement a mechanism to encrypt electronic protected health information (ePHI) whenever it is stored or transmitted. While HIPAA does not mandate a specific algorithm, NIST SP 800-111 recommends AES-128 or AES-256 for data-at-rest encryption. Backup images containing patient records, diagnostic data, or billing information must be encrypted to satisfy the addressable specification for encryption under the Technical Safeguards.

How Macrium Reflect Helps

Macrium Reflect's AES-256 encryption applied to backup images ensures that ePHI stored in backup files is rendered unreadable to unauthorized parties, satisfying HIPAA's encryption requirements for data at rest.

GDPR

General Data Protection Regulation

GDPR Article 32 requires controllers and processors to implement appropriate technical measures to ensure a level of security appropriate to the risk, explicitly listing encryption as a recommended measure. Article 34 provides that encrypted data, if the key has not been compromised, does not require breach notification — a powerful incentive to encrypt all personal data at rest. Backup images containing EU resident personal data fall squarely within GDPR's scope.

How Macrium Reflect Helps

Encrypting backup images with Macrium Reflect provides the technical safeguard that GDPR Article 32 requires and can exempt an organization from breach notification obligations under Article 34 if backup media is lost or stolen.

PCI-DSS

Payment Card Industry Data Security Standard

PCI-DSS Requirement 3.4 mandates that stored cardholder data be rendered unreadable using strong cryptography with associated key management processes. AES-128 or AES-256 are explicitly listed as acceptable algorithms. Any backup image containing cardholder data — including system backups of payment processing servers — must be encrypted. Requirement 3.5 further mandates that encryption keys be protected against disclosure and misuse.

How Macrium Reflect Helps

Macrium Reflect's password-based AES-256 encryption with PBKDF2 key derivation satisfies PCI-DSS Requirements 3.4 and 3.5 for backup images containing cardholder data environments.

Best Practices for Backup Encryption Passwords

AES-256 is only as strong as the password used to derive the encryption key. Follow these practices to ensure your encrypted backups remain secure.

Use a passphrase of 16 or more characters

A passphrase like 'correct-horse-battery-staple-backup-2024' is both easier to remember and more secure than a short random string. Length is the single most important factor in password entropy. Each additional character exponentially increases the time required for a brute-force attack.

Never reuse your backup encryption password

If you use the same password for your backup encryption and your email account, a breach of your email provider exposes your backup encryption password. Use a unique password exclusively for backup encryption. Store it in a dedicated password manager or a physical safe.

Store the password separately from the backups

Writing the password on a sticky note attached to the backup drive defeats the purpose of encryption. Store the password in a password manager, a sealed envelope in a physical safe, or a separate secure location from the backup media. For business environments, use a split-knowledge scheme where two or more people each hold part of the password.

Document your password recovery procedure

Before you need it, document exactly how to retrieve the backup encryption password. If the password is in a password manager, ensure that the password manager itself is backed up and that someone else in the organization knows how to access it. Test the recovery procedure annually.

Do not change the password on existing backup chains

Each backup image is encrypted with the password that was set when it was created. Changing the password on a backup definition only affects future backups. Existing images in the chain still require the original password for restoration. Maintain a record of which password applies to which backup set.

Common Misconceptions About Encryption

Encryption is widely misunderstood. These are the most common myths we encounter, along with the technical reality.

Myth: AES-256 is twice as secure as AES-128

Reality: Security does not scale linearly with key length. AES-128 has a key space of 2^128, which is already computationally infeasible to brute-force with any conceivable technology. AES-256 provides a key space of 2^256, which is 2^128 times larger — an astronomically larger number, but both are effectively unbreakable. AES-256 provides a larger security margin against hypothetical future attacks, particularly quantum computing, but AES-128 is not 'half as secure' in any practical sense.

Myth: Encryption makes backups significantly slower

Reality: Modern Intel and AMD processors include AES-NI (AES New Instructions), dedicated hardware instructions that accelerate AES encryption and decryption. With AES-NI enabled, the performance overhead of AES-256 encryption is typically 5-15% on backup throughput — far less than the time required for disk I/O and compression. In many scenarios, AES encryption adds negligible time to the backup window.

Myth: A strong password is all you need for secure encryption

Reality: A strong password is necessary but not sufficient. The security of encrypted backups also depends on key derivation (PBKDF2 iteration count), the encryption mode (CBC vs GCM), proper initialization vector generation, and physical security of the machine where the password is entered. A 20-character password encrypted with a weak key derivation function may be less secure than a 12-character password with proper PBKDF2 key stretching.

Myth: Encrypted backups cannot be corrupted

Reality: Encryption protects confidentiality, not integrity. A corrupted encrypted backup cannot be decrypted correctly, and in many cases a single corrupted block renders the entire backup unrecoverable. This makes backup verification even more important when encryption is enabled. Macrium Reflect verifies every encrypted backup image after creation to ensure integrity.

Myth: If I forget my password, the backup vendor can recover my data

Reality: With properly implemented AES encryption, nobody — including Macrium — can recover data from an encrypted backup without the original password. There is no backdoor, master key, or recovery mechanism. The password is the sole input to the key derivation function, and without it, the encryption key cannot be reconstructed. This is why password management for backup encryption is critically important.

AES in the Age of Quantum Computing

The advent of quantum computing poses a potential future threat to some cryptographic algorithms, but its impact on AES is more nuanced than headlines suggest. Shor's algorithm, which runs on quantum computers, can efficiently factor large numbers and compute discrete logarithms, breaking RSA, Diffie-Hellman, and elliptic curve cryptography. However, Shor's algorithm does not directly apply to symmetric ciphers like AES.

The primary quantum threat to AES is Grover's algorithm, which provides a quadratic speedup for brute-force search. Grover's algorithm effectively halves the key length: AES-256 is reduced to an effective strength of 128 bits, and AES-128 to an effective 64 bits. A 64-bit effective key strength is considered insufficient for long-term security, which is why NIST and the NSA recommend AES-256 for data that must remain secure for decades — including backup archives with long retention periods.

Importantly, building a quantum computer capable of running Grover's algorithm against AES-256 at scale is an engineering challenge of staggering magnitude. Current quantum computers have fewer than 1,500 noisy qubits; running Grover's algorithm against AES-256 would require millions of stable, error-corrected logical qubits. Most cryptographers estimate that quantum computers capable of threatening AES-128 are at least 15-30 years away, and AES-256 may remain secure against quantum attacks for the foreseeable future.

By using AES-256 for backup encryption today, you are already implementing the NIST-recommended quantum-resistant symmetric key length. Your encrypted backup archives are protected against both current classical computers and the anticipated capabilities of future quantum computers.

Written by

Macrium Software Technical Team

The Macrium technical team has been developing industry-leading disk imaging and backup solutions since 2006. With deep expertise in Windows storage systems, NTFS, GPT/MBR disk structures, and enterprise backup architecture, our engineers write authoritative guides based on hands-on experience protecting data for over 10 million users worldwide.

Microsoft Certified PartnerPC Magazine Editor's Choice18+ Years of Expertise

Protect Your Backups with AES-256 Encryption

Download Macrium Reflect and enable AES-256 encryption on every backup image. Military-grade encryption, hardware-accelerated performance, and zero-compromise data protection — all in one tool.

Free edition includes full disk imaging, AES encryption, scheduling, and bootable rescue media.