AES-256 encryption, before it leaves your PC

When you back up to a cloud, an FTP server, or a NAS, you're trusting whoever runs that storage with the readable contents of your files. BackupKit closes that gap: every backup is encrypted on your machine, with your password, before a single byte goes over the network. The destination only ever holds an unreadable archive.

Encryption happens on your machine — nowhere else

Files are compressed and encrypted locally, before anything goes over the network. Whatever destination you chose — Google Drive, a NAS, an SFTP server — only ever sees ciphertext.

1. Files gathered — BackupKit reads your selected files locally.
2. Compressed & encrypted — zipped and encrypted with your password, on your machine.
3. Uploaded — the encrypted archive travels over a secure transport (TLS/SSH).
4. Stored, opaque — the destination only ever holds unreadable ciphertext.

Three encryption modes

Different threat models deserve different defaults — choose per backup. AES-256 is the default, and what we recommend for anything sensitive.

• Plain password — basic ZipCrypto. Fine for casual privacy; trivially crackable for a determined attacker.
• AES-128 — strong symmetric encryption, faster than AES-256 and still well beyond casual attack.
• AES-256 — the recommended default. The cipher banks and governments rely on; practically unbreakable with a strong password.

Only you hold the key

Your encryption password never leaves your PC. BackupKit has no master key, no account-recovery loophole, no way to decrypt your backups — even if we wanted to.

• No server-side storage of encryption passwords — nothing to leak if someone breaks into us.
• Provider credentials encrypted locally with Windows DPAPI, never stored in plaintext.
• Lose the password, lose the data — by design. That's what zero-knowledge costs.

Secure transport, open format