Arius encrypts all data before it leaves your machine. Azure Blob Storage never receives plaintext content. Encryption is always on — there is no opt-out.

Transformation pipeline

Each file (or TAR bundle of small files) passes through the following stages in order:
Original file → GZip (compression) → AES-256-CBC (encryption) → Azure Blob Storage
Compression happens first so that AES operates on already-compressed bytes, which is both more efficient and more secure than compressing ciphertext.

Cipher details

Arius uses AES-256-CBC with PKCS7 padding, with the key and IV derived from the passphrase via PBKDF2-SHA256 — identical to the default behaviour of openssl enc -aes-256-cbc -pbkdf2. This means any blob stored by Arius can be decrypted with the standard openssl CLI, with no dependency on Arius itself.
Parameter        Value
Algorithm        AES-256-CBC
Key size         256 bits
Block size       128 bits
Key derivation   PBKDF2-SHA256, 10,000 iterations
Salt             8 bytes, randomly generated per encryption
Padding          PKCS7
Format           OpenSSL-compatible (Salted__ prefix + salt + ciphertext)
A fresh random salt is generated for every encryption operation, so two encryptions of identical content produce different ciphertext.

Setting the passphrase

Pass the passphrase with the --passphrase flag on every archive and restore invocation:
arius archive /data \
  --accountname myaccount \
  --accountkey  "<key>" \
  --passphrase  "my secret passphrase" \
  --container   arius
The passphrase is used as input to PBKDF2 to derive the AES key and IV. It is never stored anywhere — not locally, not in Azure.
If you lose your passphrase, your data cannot be recovered. There is no key escrow, no recovery mechanism, and no way to brute-force a strong passphrase from the stored ciphertext. Store your passphrase securely before archiving any data.
Store the passphrase in a password manager (such as Bitwarden or 1Password) and, separately, in printed form kept in a physically secure location. Treat it with the same care as a private key or seed phrase.

Manual decryption with OpenSSL

Because the format is OpenSSL-compatible, you can decrypt any Arius blob without installing Arius. This is useful for disaster recovery when only the raw blobs are available.
1. Download the blob from Azure

Use Azure Storage Explorer or the Azure CLI to download the encrypted blob from the chunks/ folder in your container.
az storage blob download \
  --account-name myaccount \
  --container-name arius \
  --name chunks/<BinaryHash> \
  --file encrypted.blob
2. Decrypt with OpenSSL

openssl enc -d -aes-256-cbc \
  -in  encrypted.blob \
  -out original.file.gz \
  -pass pass:"my secret passphrase" \
  -pbkdf2
3. Decompress with gzip

gzip -d original.file.gz -f
The file original.file is now the restored binary, identical to what was archived.
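The same three steps in code, as an added example that is not part of Arius or its documentation: it parses the Salted__ layout from the cipher details table, re-derives the key and IV exactly as openssl enc -pbkdf2 does (one 48-byte PBKDF2-SHA256 output, 10,000 iterations), checks the PKCS7 padding, and gunzips the result. It assumes the third-party cryptography package for AES; PBKDF2 comes from the standard library.

```python
import gzip
import hashlib
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

MAGIC = b"Salted__"      # OpenSSL header, immediately followed by the 8-byte salt
ITERATIONS = 10_000      # openssl enc -pbkdf2 default, which Arius matches
BLOCK = 16               # AES block size in bytes; PKCS7 pads to a multiple of this

def derive_key_iv(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """openssl enc -pbkdf2 derives key||iv in ONE 48-byte PBKDF2-HMAC-SHA256 call."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 48)
    return km[:32], km[32:]

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Produce 'Salted__' + salt + AES-256-CBC(PKCS7(plaintext)) with a fresh random salt."""
    salt = os.urandom(8)
    key, iv = derive_key_iv(passphrase, salt)
    pad = BLOCK - len(plaintext) % BLOCK           # always 1..16 bytes, never zero
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return MAGIC + salt + enc.update(plaintext + bytes([pad]) * pad) + enc.finalize()

def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Validate the layout, re-derive key/IV from the stored salt, strip and check padding."""
    if len(blob) < 32 or blob[:8] != MAGIC or len(blob) % BLOCK:
        raise ValueError("not an OpenSSL Salted__ blob")
    key, iv = derive_key_iv(passphrase, blob[8:16])
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    pt = dec.update(blob[16:]) + dec.finalize()
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        # a wrong passphrase or a corrupted blob almost always fails this check
        raise ValueError("bad padding: wrong passphrase or corrupted blob")
    return pt[:-pad]

def archive(passphrase: str, data: bytes) -> bytes:
    """Arius order of operations: GZip first, then AES-256-CBC."""
    return encrypt(passphrase, gzip.compress(data))

def restore(passphrase: str, blob: bytes) -> bytes:
    """Reverse of archive(): the same work as steps 2 and 3 above."""
    return gzip.decompress(decrypt(passphrase, blob))
```

Because the layout and KDF parameters match, a blob produced by encrypt() decrypts with the openssl command in step 2, and a blob downloaded in step 1 can be fed straight to restore().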

Encryption in the archive pipeline

Encryption is applied at the end of the upload pipeline in both the large-file path and the small-file TAR path:
  • Large files: Original file → GZip → AES256 → Blob Storage
  • Small files (TAR batches): Multiple files → TAR → GZip → AES256 → Blob Storage
In both cases the encrypted stream is written directly to Azure without touching disk in plaintext form.
