diff --git a/backend/app/service/cronjob_helper.go b/backend/app/service/cronjob_helper.go
index b6947e604..412fce462 100644
--- a/backend/app/service/cronjob_helper.go
+++ b/backend/app/service/cronjob_helper.go
@@ -161,7 +161,7 @@ func handleTar(sourceDir, targetDir, name, exclusionRules string, secret string)
 	commands := ""
 
 	if len(secret) != 0 {
-		extraCmd := "| openssl enc -aes-256-cbc -salt -k " + secret + " -out"
+		extraCmd := "| openssl enc -aes-256-cbc -salt -k '" + secret + "' -out"
 		commands = fmt.Sprintf("tar --warning=no-file-changed --ignore-failed-read -zcf %s %s %s %s", " -"+excludeRules, path, extraCmd, targetDir+"/"+name)
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {
@@ -186,7 +186,7 @@ func handleUnTar(sourceFile, targetDir string, secret string) error {
 	}
 	commands := ""
 	if len(secret) != 0 {
-		extraCmd := "openssl enc -d -aes-256-cbc -k " + secret + " -in " + sourceFile + " | "
+		extraCmd := "openssl enc -d -aes-256-cbc -k '" + secret + "' -in " + sourceFile + " | "
 		commands = fmt.Sprintf("%s tar -zxvf - -C %s", extraCmd, targetDir+" > /dev/null 2>&1")
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {
diff --git a/backend/app/service/snapshot.go b/backend/app/service/snapshot.go
index 79168da7e..463b703ce 100644
--- a/backend/app/service/snapshot.go
+++ b/backend/app/service/snapshot.go
@@ -389,7 +389,7 @@ func (u *SnapshotService) handleUnTar(sourceDir, targetDir string, secret string
 	}
 	commands := ""
 	if len(secret) != 0 {
-		extraCmd := "openssl enc -d -aes-256-cbc -k " + secret + " -in " + sourceDir + " | "
+		extraCmd := "openssl enc -d -aes-256-cbc -k '" + secret + "' -in " + sourceDir + " | "
 		commands = fmt.Sprintf("%s tar -zxvf - -C %s", extraCmd, targetDir+" > /dev/null 2>&1")
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {
diff --git a/backend/app/service/snapshot_create.go b/backend/app/service/snapshot_create.go
index 56d8f2a16..9649326c0 100644
--- a/backend/app/service/snapshot_create.go
+++ b/backend/app/service/snapshot_create.go
@@ -256,7 +256,7 @@ func handleSnapTar(sourceDir, targetDir, name, exclusionRules string, secret str
 	}
 	commands := ""
 	if len(secret) != 0 {
-		extraCmd := "| openssl enc -aes-256-cbc -salt -k " + secret + " -out"
+		extraCmd := "| openssl enc -aes-256-cbc -salt -k '" + secret + "' -out"
 		commands = fmt.Sprintf("tar --warning=no-file-changed --ignore-failed-read -zcf %s %s %s %s", " -"+exStr, path, extraCmd, targetDir+"/"+name)
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {
diff --git a/backend/utils/files/tar_gz.go b/backend/utils/files/tar_gz.go
index bf11a3976..8a1691abf 100644
--- a/backend/utils/files/tar_gz.go
+++ b/backend/utils/files/tar_gz.go
@@ -20,7 +20,7 @@ func (t TarGzArchiver) Extract(filePath, dstDir string, secret string) error {
 	var err error
 	commands := ""
 	if len(secret) != 0 {
-		extraCmd := "openssl enc -d -aes-256-cbc -k " + secret + " -in " + filePath + " | "
+		extraCmd := "openssl enc -d -aes-256-cbc -k '" + secret + "' -in " + filePath + " | "
 		commands = fmt.Sprintf("%s tar -zxvf - -C %s", extraCmd, dstDir+" > /dev/null 2>&1")
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {
@@ -47,7 +47,7 @@ func (t TarGzArchiver) Compress(sourcePaths []string, dstFile string, secret str
 	path += fmt.Sprintf("- -C %s %s", aheadDir, itemDir)
 	commands := ""
 	if len(secret) != 0 {
-		extraCmd := "| openssl enc -aes-256-cbc -salt -k " + secret + " -out"
+		extraCmd := "| openssl enc -aes-256-cbc -salt -k '" + secret + "' -out"
 		commands = fmt.Sprintf("tar -zcf %s %s %s", path, extraCmd, dstFile)
 		global.LOG.Debug(strings.ReplaceAll(commands, fmt.Sprintf(" %s ", secret), "******"))
 	} else {