This article applies to CrashPlan PROe version 4.
Beginning with version 4.2 of the Code42 platform, new Code42 environments are configured to encrypt CrashPlan backup archives with 256-bit AES (Advanced Encryption Standard) by default. AES is the National Institute of Standards and Technology (NIST) specification for encryption.
If you upgrade an existing Code42 environment to version 4.2, then AES is not enabled by default. This article explains how to enable AES after upgrading to version 4.2 of the Code42 platform.
- AES encryption is enabled for backup archives by default in new installations of the Code42 environment using version 4.2 and later of the Code42 platform.
- Only users with the following roles can enable AES encryption:
  - Server Administrator
- The cpc.cipherTypeAes property, which is used to enable AES encryption, is deprecated and can only be used by CrashPlan app version 4.4 or later.
- Version 4.2 or later of the CrashPlan app is required to access archives containing AES-encrypted data.
- Once AES is enabled, new files and versions are backed up with AES encryption. Any data backed up prior to enabling AES will remain encrypted with Blowfish. Existing backups do not need to start over; a single archive can contain AES-encrypted data and Blowfish-encrypted data.
- Only one encryption key exists for backup archives containing both Blowfish-encrypted data and AES-encrypted data. The first 256 bits of the encryption key are honored when restoring data encrypted with AES, and the full 448 bits are used when restoring data encrypted with Blowfish.
Once AES encryption is enabled in your Code42 environment, you should not revert to Blowfish encryption. Reverting to Blowfish encryption after AES is enabled is unsupported.
Our Customer Champions cannot assist you with unsupported processes, so you assume all risk of unintended behavior.
Before you begin
Upgrade all CrashPlan app clients to version 4.2 or later before proceeding. Earlier versions of the CrashPlan app cannot access archives containing AES encryption. Enabling AES before all CrashPlan app clients are upgraded may produce unexpected results.
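As a pre-flight check for the requirement above, the following added example (not Code42 code) lists clients that would block enabling AES. The inventory text, its column names `deviceName` and `appVersion`, and the function names are assumptions made for illustration; adapt them to whatever device list you export from your environment.

```python
import csv
import io

MIN_AES_VERSION = (4, 2)  # from the article: CrashPlan app 4.2 or later

# Constructed sample inventory; the column names are assumptions,
# not a documented Code42 export format.
SAMPLE_INVENTORY = """deviceName,appVersion
laptop-01,4.2.0
laptop-02,4.1.6
desktop-03,4.10.1
server-04,3.7.0
kiosk-05,
laptop-06,4.2
"""


def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if unparseable."""
    parts = text.strip().split(".")
    if any(not p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def clients_blocking_aes(csv_text, minimum=MIN_AES_VERSION):
    """Return (device, reason) pairs for clients to upgrade or verify before enabling AES."""
    blocking = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["deviceName"]
        version = parse_version(row["appVersion"] or "")
        if version is None:
            # A client with no reported version cannot be assumed safe.
            blocking.append((name, "unknown version"))
        elif version < minimum:
            # Numeric tuple comparison, so 4.10 sorts above 4.2.
            blocking.append((name, "below 4.2"))
    return blocking


if __name__ == "__main__":
    for device, reason in clients_blocking_aes(SAMPLE_INVENTORY):
        print(f"{device}: {reason}")
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would wrongly rank 4.10.1 below 4.2.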
Enabling AES in your Code42 environment
Step 1: Update encryption property
- Sign in to the administration console on your master server as a user with the necessary permissions.
- Double-click the logo in the upper-left corner of the administration console to open the administration console command-line interface.
- Enter the following CLI command:
prop.set cpc.cipherTypeAes true save all
The CLI responds with a confirmation message.
CrashPlan app clients must reauthorize with the master server before they will begin using AES. It may take clients up to 24 hours to reauthorize with the master server. If you would like clients to reauthorize immediately, you can restart the master server by following the optional step below, Restart Master server.
(Optional) step 2: Restart Master server
If you would like CrashPlan app clients to reauthorize with the master server and begin backing up with AES encryption immediately, you can restart the master server by following the steps below.
- Enter the following command to restart the master server from the CLI:
- The master server process restarts, and you are temporarily disconnected from the administration console.
After the clients reconnect to the master server, the CrashPlan app will use AES encryption.
(Optional) creating AES-only backup archives
When you switch from Blowfish to AES encryption, existing backups are not re-encrypted with AES. To create archives that use only AES encryption, backups must start over. We recommend creating a new destination for AES-encrypted backups to preserve your Blowfish-encrypted backups during the initial backup phase.
Creating a backup archive in a new destination does not retain existing version history or files in the archive that were deleted from the endpoint after being backed up. The existing version and deleted files history is kept only in the original archive.
Follow the instructions below to create new AES-encrypted archives.
- Follow the steps above to enable AES encryption for your Code42 environment.
- Restart the master server and all storage servers to ensure that the AES system property is applied to all active devices in your Code42 environment.
- Add a storage server to your Code42 environment.
- Offer the new storage server as a destination.
- Allow backups to the new destination to complete.
- (Optional) Remove the original destination.