How can we help?

We think these articles could help:

    See More
    Home > CrashPlan > Latest > Configuring > Security: Encryption & Password Options

    Copyright (c) 2006-2014 MindTouch Inc.

    This file and accompanying files are licensed under the MindTouch Master Subscription Agreement (MSA).

    At any time, you shall not, directly or indirectly: (i) sublicense, resell, rent, lease, distribute, market, commercialize or otherwise transfer rights or usage to: (a) the Software, (b) any modified version or derivative work of the Software created by you or for you, or (c) MindTouch Open Source (which includes all non-supported versions of MindTouch-developed software), for any purpose including timesharing or service bureau purposes; (ii) remove or alter any copyright, trademark or proprietary notice in the Software; (iii) transfer, use or export the Software in violation of any applicable laws or regulations of any government or governmental agency; (iv) use or run on any of your hardware, or have deployed for use, any production version of MindTouch Open Source; (v) use any of the Support Services, Error corrections, Updates or Upgrades, for the MindTouch Open Source software or for any Server for which Support Services are not then purchased as provided hereunder; or (vi) reverse engineer, decompile or modify any encrypted or encoded portion of the Software.

    A complete copy of the MSA is available at

    Security: Encryption & Password Options

    Table of Contents
    Applies to:
    • CrashPlan for Home
    • CrashPlan PRO
    • CrashPlan PROe


    CrashPlan provides you with three secure options for archive encryption, which are described in detail in the Archive Encryption Key Security article. Common questions about CrashPlan security are answered below.

    Security FAQs

    What type of encryption does CrashPlan for Home use?

    CrashPlan for Home without a subscription uses 128-bit Blowfish to encrypt your files. CrashPlan for Home with a subscription uses 448-bit Blowfish encryption, which is much stronger than the 128-bit encryption that online banking and most businesses use.

    Blowfish is an encryption algorithm. It's a freely available, documented, and open method of encrypting data. Being open is very important. This means that the processes it uses are public and can be tested by everyone and are proven to be secure. Blowfish was invented by a security expert named Bruce Schneier and more information is available on his website

    448-bit refers to the length of the key. The longer the key, the harder it is to decrypt data.

    Put simply, if someone ever accessed your backup archive, both your password and encryption key are needed to decrypt your files.

    Read more about archive encryption.

    What happens with encryption when I upgrade from the free version of CrashPlan to CrashPlan for Home with a subscription?

    Each data block in your archive is identified by the type and level of encryption. So you can have 448-bit encrypted blocks mixed with 128-bit encrypted blocks in the same backup. Backup continues where it left off and uses the stronger encryption for files going forward.

    What's the difference between an account password and an archive key password?

    Your account password is the password you entered when you installed the CrashPlan app. Combined with your email address, it links all the computers on your account together.

    You can update your Security settings to require your account password in order to run the CrashPlan app. You'll also use the account password to access your CrashPlan account online.

    An archive key password is an additional layer of security used to prevent someone else from restoring your files. If you have upgraded your security to 448-bit encryption + password, you must supply your archive key password before you can restore files. The archive key password is never sent to CrashPlan. However, you may be asked to provide this password if you choose to use the web restore feature.

    CrashPlan Support cannot retrieve or restore the archive key password for you if you lose it.

    If I change my archive key password, what happens to the data already backed up?

    The data backed up before you changed your archive key password remains backed up.

    Imagine you have your keys to your car locked in a safe. The archive key password is the key to the safe, not the keys to the car. You can still restore versions of files encrypted with the original archive key password and you don't need to start your backup over.

    Your files are not actually encrypted with the archive key password or account password. Those passwords act as a way to lock or protect the actual key used to encrypt data. So if you change your archive key password, we do not have to re-encrypt your data or start the back up over. We just re-lock the encryption key with the new archive key password. Your data encryption key never changes.

    What can I do if I forget my archive key password?

    For versions 3.6.1 and later, you have the option to enable an archive question. An archive question can be used to reset the archive key password in the event that the existing password is lost or forgotten.

    Note: You must know your existing archive key password in order to set the archive question. The question cannot be set if the archive key password has already been lost of forgotten. Code42 Customer Champions​​ cannot set an archive question for you, or recover the answer to an archive question in the event that it is lost or forgotten.

    If you do not enable the archive question, or you are unable to answer the question correctly, then there is absolutely no way to help you recover the archive key password needed to restore your files. Our Customer Champions cannot help you recover an archive key password.

    The only way to fix this is to start your backup again under a new account, since you won't be able to decrypt the files that have already been backed up. Please contact our Customer Champion team for assistance.

    Do CrashPlan's servers create, maintain, or save my encryption key for me?

    CrashPlan for Home with subscription, CrashPlan PRO, and CrashPlan PROe:

    • CrashPlan's servers escrow the encryption key when using 448-bit encryption or 448-bit encryption + password option.
    • CrashPlan's servers do not escrow the encryption key when using a custom 448-bit key. This means that if you lose or forget your encryption key, your backup data cannot be restored and our Customer Champions cannot assist with recovery.

    CrashPlan for Home without a subscription:

    • CrashPlan's servers escrow the encryption key when using 128-bit encryption or 128-bit encryption + password option.
    • CrashPlan's servers do not escrow the encryption key when using a custom 128-bit key.  This means that if you lose or forget your encryption key, your backup data cannot be restore and our Customer Championscannot assist with recovery.
    Where is the encryption key stored?

    Refer to our detailed description for each security option in the Archive Encryption Key Security article for information on where your encryption key is stored. 

    Where does CrashPlan retrieve the data encryption key for decrypting the backup if I have reinstalled my OS or formatted my hard drive?
    • Encryption + account password: Upon reinstalling CrashPlan, your configuration settings are pulled from our server, including your secured key. Your account password is used to unlock the encryption key that allows you to restore.
    • Encryption + archive key password: Upon reinstalling CrashPlan, your configuration settings are pulled from our server, including your secured key. You are then prompted for your private data password before restoring. The private data password is used to unlock the encryption key that allows you to restore.
    • Encryption custom key: Upon reinstalling CrashPlan, you must provide your custom key. You must also provide your custom key in order to restore.
    Does this encryption key maintain its value even if I change my account password?

    Yes, we relock the data encryption key with the new password when it is changed.

    If Code42's servers maintain this encryption key, is it sent over SSL?

    Yes, it is transferred securely. Not necessarily SSL but with the same encryption technology used to encrypt files during backup. The key itself is also locked or encrypted.

    Do I need to enter my archive key password on all my computers?

    Yes. Enabling the archive key password option affects ALL of the computers on your account. Setting the archive key password on one computer sets the same archive key password for all your computers. You need to enter this archive key password on all the computers in your account.

    How do I use CrashPlan and FileVault together?

    FileVault 2 (OS X version 10.7+) is full disk encryption and no special configuration or action is required to use CrashPlan with FileVault 2.

    To use CrashPlan and FileVault (Mac OS X version 10.4-10.6) together, you have two choices:

    1. Back up the giant file vaults - these are virtual disks. If you choose this option, you must restore the vaults in their entirety, never a specific file.
    2. Remove the CrashPlan app and reinstall. When installing, use the Customized mode to install CrashPlan as a specific user. We currently support only one filevault per computer. You can only back up when you're logged into your computer, because that is the only time CrashPlan is able to see individual files.
    What is your Privacy Policy?

    The information we collect from you is only for the purposes of providing you a backup service and communicating with you about the backup services we provide. Read our complete Privacy Policy.

    Is CrashPlan SAS 70 Compliant?

    There are two types of SAS 70 certifications: Type I and Type II.

    All CrashPlan data centers are SAS 70 Type II certified.

    Detailed SAS 70 compliance information.

    You must to post a comment.
    Last Modified
    17:33, 11 Feb 2014



    CrashPlan User Guide