diff --git a/src/apps.js b/src/apps.js
index 8730e66ce..a214a1ec6 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -1540,6 +1540,11 @@ function importApp(app, data, auditSource, callback) {
     testBackupConfig(function (error) {
         if (error) return callback(error);
 
+        if (backupConfig && 'password' in backupConfig) {
+            backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.password);
+            delete backupConfig.password;
+        }
+
         const restoreConfig = { backupId, backupFormat, backupConfig };
 
         const task = {
diff --git a/src/backups.js b/src/backups.js
index 6c526526e..0e8eaddfe 100644
--- a/src/backups.js
+++ b/src/backups.js
@@ -140,6 +140,19 @@ function testConfig(backupConfig, callback) {
     api(backupConfig.provider).testConfig(backupConfig, callback);
 }
 
+// this skips password check since that policy is only at creation time
+function testProviderConfig(backupConfig, callback) {
+    assert.strictEqual(typeof backupConfig, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var func = api(backupConfig.provider);
+    if (!func) return callback(new BoxError(BoxError.BAD_FIELD, 'unknown storage provider', { field: 'provider' }));
+
+    if (backupConfig.format !== 'tgz' && backupConfig.format !== 'rsync') return callback(new BoxError(BoxError.BAD_FIELD, 'unknown format', { field: 'format' }));
+
+    api(backupConfig.provider).testConfig(backupConfig, callback);
+}
+
 function generateEncryptionKeysSync(password) {
     assert.strictEqual(typeof password, 'string');
 
@@ -152,16 +165,6 @@ function generateEncryptionKeysSync(password) {
     };
 }
 
-function testProviderConfig(backupConfig, callback) {
-    assert.strictEqual(typeof backupConfig, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var func = api(backupConfig.provider);
-    if (!func) return callback(new BoxError(BoxError.BAD_FIELD, 'unknown storage provider', { field: 'provider' }));
-
-    api(backupConfig.provider).testConfig(backupConfig, callback);
-}
-
 function getByStatePaged(state, page, perPage, callback) {
     assert.strictEqual(typeof state, 'string');
     assert(typeof page === 'number' && page > 0);
diff --git a/src/provision.js b/src/provision.js
index 1c6e4f553..caca353f9 100644
--- a/src/provision.js
+++ b/src/provision.js
@@ -206,9 +206,14 @@ function restore(backupConfig, backupId, version, sysinfoConfig, auditSource, ca
         if (error) return done(error);
         if (activated) return done(new BoxError(BoxError.CONFLICT, 'Already activated. Restore with a fresh Cloudron installation.'));
 
-        backups.testConfig(backupConfig, function (error) {
+        backups.testProviderConfig(backupConfig, function (error) {
             if (error) return done(error);
 
+            if ('password' in backupConfig) {
+                backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.password);
+                delete backupConfig.password;
+            }
+
             sysinfo.testConfig(sysinfoConfig, function (error) {
                 if (error) return done(error);