This article applies to Code42 CrashPlan version 5.
Other available versions:
Code42 CrashPlan uses different archive encryption depending on which version of CrashPlan you are using:
- Initial install of the Code42 server was version 4.1.x or earlier, and:
- Current server version is 5.0.x or 5.1.x: Your archives will use Blowfish encryption by default. Follow the steps in this tutorial to enable AES.
- Current server version is 5.2.x or later: Your archives will use AES encryption.
- Initial install of the Code42 server was version 4.2.x or later: Your archives use AES encryption by default.
- These steps apply only to Code42 servers upgrading from version 4.1 or earlier to version 5.0.x or 5.1.x.
- If you upgrade to version 5.2.x or later of the Code42 server, AES is enabled by default.
- Only users with the following roles can enable AES encryption:
- Server Administrator
cpc.cipherTypeAesproperty, which is used to enable AES encryption, is deprecated and can only be used by CrashPlan app version 4.4 or later.
- Version 4.2 or later of the CrashPlan app is required to access archives containing AES-encrypted data.
- Once AES is enabled, new files and versions are backed up with AES encryption. Any data backed up prior to enabling AES will remain encrypted with Blowfish. Existing backups do not need to start over; a single archive can contain AES-encrypted data and Blowfish-encrypted data.
- Only one encryption key exists for backup archives containing both Blowfish-encrypted data and AES-encrypted data. The first 256-bits of the encryption key are honored when restoring data encrypted with AES, and the full 448-bits are used when restoring data encrypted with Blowfish.
Once AES encryption is enabled in your Code42 environment, you cannot revert back to Blowfish encryption. Once enabled, reverting to Blowfish encryption is unsupported.
Our Customer Champions cannot assist you with unsupported processes, so you assume all risk of unintended behavior.
Before you begin
Upgrade all CrashPlan app clients to version 4.2 or later before proceeding. Earlier versions of the CrashPlan app cannot access archives containing AES encryption. Enabling AES before all CrashPlan app clients are upgraded may produce unexpected results.
Enable AES in your Code42 environment
Step 1: Update encryption property
- Sign in to the administration console on your master server as a user with the necessary permissions.
- Double-click the logo in the upper-left corner of the administration console to open the administration console command-line interface.
- Enter the following CLI command:
prop.set cpc.cipherTypeAes true save all
The CLI responds with a confirmation message.
CrashPlan app clients must reauthorize with the master server before they will begin using AES. It may take clients up to 24 hours to reauthorize with the master server. If you would like clients to reauthorize immediately, you can restart the master server by following the optional step below.
(Optional) Step 2: Restart master server
If you would like CrashPlan app clients to reauthorize with the master server and begin backing up with AES encryption immediately, you can restart the master server by following the steps below.
- Enter the following command to restart the master server from the CLI:
- The master server process restarts, and you are temporarily disconnected from the administration console.
After the clients reconnect to the master server, the CrashPlan app will use AES encryption.
(Optional) Create AES-only backup archives
When you switch from Blowfish to AES encryption, existing backups are not re-encrypted with AES. To create archives that use only AES encryption, backups must start over. We recommend creating a new destination for AES-encrypted backups to preserve your Blowfish-encrypted backups during the initial backup phase.
Creating a backup archive in a new destination does not retain existing version history or files in the archive that were deleted from the endpoint after being backed up. The existing versions and deleted files history are kept only in the original archive.
Follow the instructions below to create new AES-encrypted archives.
- Follow the steps above to enable AES encryption for your Code42 environment.
- Restart the master server and all storage servers to ensure that the AES system property is applied to all active devices in your Code42 environment.
- Add a storage server to your Code42 environment.
- Offer the new storage server as a destination.
- Allow backups to the new destination to complete.
- (Optional) Remove the original destination.