Code42 Support

Device Security Reference

Applies to:
  • CrashPlan PROe

Overview

Use the Security command on the Settings > Devices menu to set the default encryption key policy for all users (new and existing). After the encryption policy is upgraded, upgraded users can never downgrade their policy.

Considerations

  • NOTE: Changing your account password or private password does not require that you restart your backup.
  • IMPORTANT: Changing your data key requires that you restart your backup.

Auto

Device Security Settings - Require account password?

Item Description
a. Require password to access desktop
  • Checked - Requires that the user enters the correct password to open the app.
  • Unchecked - No password is required to open the app.
b. Lock
  • Locks this setting to prevent users from changing it in their personal settings.
c. Push
  • Indicates whether or not a change in this setting applies to existing users in addition to new users.

Archive encryption key

Device security settings, archive encryption key choice

Item Description
a. 448-bit encryption (default)
  • Users or administrators can restore files without providing an additional password.
b. 448-bit encryption + password
  • Users or administrators can restore files only by providing the correct password. This additional password cannot be reset if it is forgotten or lost. By default this password is the account password.
  • Users that sign in with SSO: Do not use the administration console to enable 448-bit encryption + password for users that sign in with SSO. Doing so prevents users from accessing their archives, resulting in data loss. Instead, make sure the Archive Encryption Key settings are unlocked, then instruct users to enable Archive key password from the CrashPlan app.
c. 448-bit encryption + custom key
  • Users or administrators can restore files only by providing the correct 448-bit key. The custom key cannot be reset; if it is forgotten or lost, backup data is unrecoverable.
d. Lock
  • Locks this setting to prevent users from changing it in their personal settings.
e. Push
  • Indicates whether or not a change in this setting applies to existing users in addition to new users.

Archive encryption key considerations
  • Pushing and locking this setting simply enforces the designated security level. Locking this setting does not prevent users from changing their archive password, for example.
  • After you have upgraded a user's security level, you cannot downgrade the security level without restarting that user's backup.

Archive encryption key summary

Below is a description of the three encryption options for private key management and their main benefits and considerations.

448-bit encryption

Consideration Details
Configuration
  • Account password is the default encryption key security option
Management requirements
  • Users have only one password to remember
  • Lowest risk of losing ability to restore files
Key creation
  • Encryption key is generated upon user account creation
Key security & storage
  • Secured encryption key is:
    • locked with the salted hash of your archive key password hash
    • stored on the CrashPlan server for authentication during web restores and installations on new devices
Key storage for mobile devices
CrashPlan mobile app only
  • Encryption key is not stored on the device
  • Secured key is sent from the CrashPlan server during the sign-in process
  • Secured key is stored in the device's memory only while the CrashPlan mobile app is in the foreground and user is signed in
Web restore key access
  • Encryption key is escrowed on the CrashPlan servers for decryption
Administrator access
  • Administrators can access files backed up to cloud destinations without knowing user account password

448-bit encryption + password

Consideration Details
Configuration
  • Upgraded security
Management requirements
  • Users have two passwords to remember
  • Archive key password must be 8-56 characters in length
  • Increased risk of not being able to restore files if archive key password is forgotten
  • You can change your archive key password at any time without affecting backup data
  • Optional: You can provide an archive question that, if answered correctly, can be used to reset your archive key password in the event that it is lost or forgotten
Key creation
  • Encryption key is generated upon user account creation
  • Your encryption key remains the same when you upgrade security to archive key password
Key security & storage
  • Unsecured encryption key exists only on source computer—not on the CrashPlan server
  • Secured encryption key is:
    • locked with the salted hash of your archive key password hash
    • stored on the CrashPlan server for authentication during web restores and installations on new devices
Key storage for mobile devices
CrashPlan mobile app only
  • Encryption key is not stored on the device
  • Secured key is sent from the CrashPlan server during the sign-in process and stored in the device's memory while the CrashPlan mobile app is in the foreground and you remain signed in
  • You must enter your archive key password to restore
  • If you enable Remember my private password, then the archive key password is stored in the device's memory as long as you remain signed in; the key and password are both removed when you sign out
Web restore key access
  • Secured encryption key is:
    • locked with the salted hash of your archive key password hash
    • stored on the CrashPlan server for authentication during web restores
  • You must supply your archive key password in order to restore files
Administrator access
  • Administrators cannot access files backed up to your destinations without knowing your archive key password
  • Administrators cannot access your archive key password
  • If the archive key password is lost, it can only be reset if an archive question was previously configured; otherwise, backup data is unrecoverable
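
The behaviour listed above (a secured key stored on the server, and a data key that stays the same when the archive key password changes) is a key-wrapping pattern, sketched here as an added example that is not Code42 code. PBKDF2 and the XOR-plus-HMAC wrap are stand-ins assumed for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 56          # 448 bits, the key size named on this page
ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # Assumption: PBKDF2-HMAC-SHA512 stands in for the salted password hash.
    out = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                              ITERATIONS, KEY_LEN + 32)
    return out[:KEY_LEN], out[KEY_LEN:]   # (wrapping pad, MAC key)


def wrap_key(data_key: bytes, password: str) -> dict:
    """Build the 'secured key' record a server can store without seeing the raw key."""
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 448 bits")
    salt = secrets.token_bytes(16)        # fresh salt per wrap: the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(record: dict, password: str) -> bytes:
    """Recover the data key; a wrong password fails the tag check."""
    pad, mac_key = _derive(password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong archive key password")
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


def change_password(record: dict, old: str, new: str) -> dict:
    """Re-wrap the same data key; archives encrypted with it stay readable."""
    return wrap_key(unwrap_key(record, old), new)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)    # constructed sample data key
    rec = change_password(wrap_key(key, "first archive pw"),
                          "first archive pw", "second archive pw")
    print("data key unchanged:", unwrap_key(rec, "second archive pw") == key)
```

In this sketch a password change only replaces the stored record, while replacing the data key itself would leave earlier archives encrypted under a key that no record can produce.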

448-bit encryption with custom 448-bit key

Consideration Details
Configuration
  • Highest level of upgraded security
Management requirements
  • 448-bit keys are nearly impossible to remember, with increased risk of not being able to restore files if custom key is lost
  • Users must start a completely new backup after upgrading to this security option; files backed up prior to upgrading are deleted from backup archives
  • Web restore, new installations, and push restores require that you provide the custom key
Key creation
  • The original encryption key generated upon account creation is replaced with a custom encryption key
  • You can choose to assign and manage a different custom key for each device
Key security & storage
  • Encryption key exists only on source computer
  • Your custom key is never cached at any remote location
Key storage for mobile devices
CrashPlan mobile app only
  • Custom key is only stored on your device if you enable Remember my custom key
  • Custom key is removed when you sign out of the app
Web restore key access
  • You must supply your custom key in order to restore files
  • The custom key is held in memory for the purpose of restoring files; it is never written to disk
  • The custom key is flushed from memory once files are restored
Administrator access
  • Administrators cannot access files backed up to your destinations without knowing your custom key
  • Administrators cannot access your custom key