
    Security: Encryption And Password Options

    Applies to:
    • CrashPlan for Home
    • CrashPlan PRO
    • CrashPlan PROe

    Overview

    CrashPlan is engineered to provide the benefits of cloud backup without compromising data security and privacy. With three secure options for managing your archive encryption key, CrashPlan offers the flexibility needed to meet your data security needs. Common questions about CrashPlan security are answered below.

    How Archive Encryption And Decryption Work

    What is archive encryption and how does it protect my backup?

    Encryption is the process of converting information into a coded form that cannot be accessed without the key used to encode it. CrashPlan encrypts the files included in your backup before the data is sent to your destinations. Data encryption, combined with a secured encryption key, prevents unauthorized access to your information.

    Put simply, if someone ever accessed your backup archive, they would need both your password and your encryption key to decrypt your files.

    What type of encryption does CrashPlan use?

    CrashPlan for Home, CrashPlan PRO, and CrashPlan PROe backups are encoded with the Blowfish encryption algorithm. Blowfish is a freely available, documented, and open method of encrypting data. Being open means that the processes it uses are public, tested by everyone, and proven to be secure.

    Starting with version 4.2, CrashPlan PROe private cloud deployments also have the option to encode backups using Advanced Encryption Standard (AES). AES is the National Institute of Standards and Technology (NIST) specification for encryption which is used by the US government and is a standard for businesses worldwide.

    How strong are the encryption keys that CrashPlan uses?

    The strength of the keys used to encrypt your files depends on which product you are using.

    Product                                       Encryption Algorithm   Key Strength
    CrashPlan for Home (without a subscription)   Blowfish               128-bit
    CrashPlan for Home                            Blowfish               448-bit
    CrashPlan PRO                                 Blowfish               448-bit
    CrashPlan PROe                                Blowfish               448-bit
                                                  AES                    256-bit*

    * Blowfish and AES key strength cannot be directly compared due to a difference in block sizes. For further comparison, more details are available at eFolder Blog.

    What happens with encryption when I upgrade from the free version of CrashPlan to CrashPlan for Home with a subscription?

    Each data block in your archive is identified by the type and level of encryption. So 448-bit encrypted blocks can be mixed with 128-bit encrypted blocks in the same backup. Backup continues where it left off and uses the stronger encryption for files going forward.

    How can I access my encrypted files?

    You can access your encrypted files by restoring them from the CrashPlan app or CrashPlan web app. CrashPlan will decrypt your files using your encryption key. The method CrashPlan uses to access your encryption key depends on how you restore your files and your security settings. Learn more about how file decryption works during restores.

    Archive Encryption Key Options And Storage

    Do Code42's servers create, maintain, or save my encryption key for me?

    CrashPlan offers three options for securing the archive encryption key for your backup. The answer depends on your Archive Encryption setting. 

    • Standard encryption (default): When you install the CrashPlan app, an encryption key is securely generated for your account. The key is escrowed on Code42's servers for authentication during web restores and installations on new devices. 
    • Archive key password: The key generated by the CrashPlan app is secured with a secondary password, known as your archive key password. Only the secured key is stored on Code42's servers for authentication during web restores and installations on new devices.
    • Custom key: The original encryption key generated by the CrashPlan app is replaced with an encryption key you choose. Code42's servers never escrow the encryption key when using a custom key. This means that if you lose or forget your encryption key, your backup data cannot be restored and our Customer Champions cannot assist with recovery.

    Should I upgrade my account security settings?

    The default settings satisfy the security needs for most users. However, you may want to consider upgrading your security settings if any of the following apply:

    • Your devices are highly mobile and/or are frequently at risk of exposure or theft
    • Your devices contain highly-sensitive business or medical information
    • Your devices must comply with medical or legal regulations that require an increased level of security

    Increasing the security setting for your account trades ease of use for enhanced archive security. Each additional level of protection also comes with risks and an increased need for password management. Please review your options carefully before upgrading your security. 

    Does my encryption key maintain its value even if I change my account password?

    Yes, the encryption key remains the same. If you use the default security option, then your encryption key is relocked with your new account password when your password is changed. If you use either the archive key password or custom key option, then changing your account password has no effect on how your encryption key is secured.

    Where is the encryption key stored?

    Refer to our detailed description for each security option in the Archive Encryption Key Security article for information on where your encryption key is stored. 

    Where does CrashPlan retrieve the data encryption key for decrypting the backup if I have reinstalled my operating system or formatted my hard drive?

    • Standard encryption: Upon reinstalling CrashPlan, your configuration settings are pulled from our server, including your secured key. Your account password is used to unlock the encryption key that allows you to restore.
    • Archive key password: Upon reinstalling CrashPlan, your configuration settings are pulled from our server, including your secured key. You are then prompted for your archive key password before restoring. The archive key password is used to unlock the encryption key that allows you to restore.
    • Custom key: Upon reinstalling CrashPlan, you must provide your custom key. You must also provide your custom key in order to restore.

    Upgraded Security Details

    Archive Key Password

    What's the difference between an account password and an archive key password?

    • Your account password is the password you entered when you installed the CrashPlan app. Combined with your email address, it links all the computers on your account together. You can update your Security settings to require your account password to access the CrashPlan app. Your account password is also required when accessing the CrashPlan web app.
    • An archive key password is an additional layer of security used to secure your archive encryption key. If you upgrade your security to archive key password, you must enter your key before you can restore files. The archive key password is never sent to Code42's servers. However, you may be asked to provide this password if you choose to use the web restore feature.

    You can reset your account password at any time. However, our Customer Champions cannot retrieve or restore the archive key password for you if you lose it.

    If I change my archive key password, what happens to the data already backed up?

    Your files are not actually encrypted with the archive key password or account password. Those passwords act as a way to lock or protect your encryption key. So if you change your archive key password, your data doesn’t need to be re-encrypted and your backup doesn’t need to start over. Rather, your encryption key is simply re-locked with the new archive key password. Your data encryption key never changes.

    Imagine you have your keys to your car locked in a safe. The archive key password is the key to the safe, not the keys to the car. You can still restore versions of files encrypted with the original archive key password and you don't need to start your backup over.
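
    The locking scheme described above, as an added example (not CrashPlan's code; the page does not document how the key is actually locked). It assumes PBKDF2-HMAC-SHA256 for turning the password into a lock and uses an HMAC-based toy stream cipher in place of Blowfish or AES, which Python's standard library lacks; all function names are hypothetical.

```python
import hashlib, hmac, secrets

def _derive(password, salt):
    # Password -> 32-byte pad that hides the key + 32-byte MAC key (PBKDF2 is an assumption).
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return out[:32], out[32:]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def lock_key(data_key, password):
    """Lock the 32-byte data key under a password; a fresh salt is used per lock."""
    if len(data_key) != 32:
        raise ValueError("this sketch wraps exactly 32 bytes")
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = _xor(data_key, pad)
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_key(blob, password):
    """Return the data key, or raise if the password is wrong or the blob was altered."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or corrupted key blob")
    return _xor(blob["wrapped"], pad)

def change_password(blob, old_password, new_password):
    """Re-lock the same data key under the new password; no file data is touched."""
    return lock_key(unlock_key(blob, old_password), new_password)

def crypt_block(data_key, nonce, data):
    """Toy stream cipher standing in for the archive cipher; encrypts and decrypts."""
    stream = b"".join(
        hmac.new(data_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return _xor(data, stream)

def demo():
    data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    plaintext = b"constructed sample file contents"
    stored = crypt_block(data_key, nonce, plaintext)   # written once, never rewritten
    blob = change_password(lock_key(data_key, "old-password"), "old-password", "new-password")
    restored = crypt_block(unlock_key(blob, "new-password"), nonce, stored)
    return restored == plaintext

if __name__ == "__main__":
    print("restore after password change:", demo())
```

    Only the small locked-key record changes when the password changes; the stored block is read back with the same data key, and the old password no longer unlocks the record.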

    What can I do if I forget my archive key password?

    For versions 3.6.1 and later, you have the option to enable an archive question. An archive question can be used to reset the archive key password in the event that the existing password is lost or forgotten. If you do not enable the archive question, or you are unable to answer the question correctly, then there is absolutely no way to help you recover the archive key password needed to restore your files. Our Customer Champions cannot help you recover an archive key password. Learn more about your password and account recovery options.

    Do I need to enter my archive key password on all my computers?

    Yes. Enabling the archive key password option affects ALL of the computers on your account. Setting the archive key password on one computer sets the same archive key password for all your computers. You need to enter this archive key password on all the computers in your account.

    Custom Key

    If I add or change my custom key, what happens to the data already backed up?

    Because you are changing the encryption key used to encode your data, your backup must start over if you upgrade to the custom key security option, or if you change your custom key.

    What can I do if I forget my custom key?

    There is absolutely no way for Code42 to recover your custom key. If you forget or lose your custom key, you must start over with a new account. Learn more about account recovery.

    Do I need to enter my custom key on all my computers?

    Enabling custom key security impacts ALL of the computers on your account. However, you can choose to use a different custom key for each computer.

    Transmission Security

    After my data is encrypted on the source computer, how is it transmitted to my destinations?

    Once your files are encrypted and secured with the security method of your choice, your backup transmission is sent to your destinations using 128-bit AES in-transit encryption. 

    If I use a setting in which Code42's servers maintain my encryption key, is it sent securely?

    Yes, it is transferred securely with the same encryption technology used to encrypt files during backup. The key itself is also locked or encrypted.

    Policies, Certifications, And Compliance Standards 

    What is your Privacy Policy?

    The information we collect from you is only for the purposes of providing you a backup service and communicating with you about the backup services we provide. Read our complete Privacy Policy.

    Are your data centers secure?

    Code42 ensures and monitors appropriate ISO27001 or SSAE16 certifications for its cloud data centers, and is an ISO27001-certified organization. Code42 continually strives to keep pace with evolving industry security standards.

    Archive Encryption And Encrypted Disks

    Can I use CrashPlan if my files are already encrypted?

    CrashPlan supports encrypted files, folders, drives, and filesystems that are run at a system level. In other words, they are not being configured and run in a user space. Learn more about backing up encrypted files and locations.

    Last modified
    07:55, 15 Jun 2015
