This article applies to version 6.

Available in:

  • Standard
  • Premium
  • Enterprise
  • Small Business
Manual secure keystore for server database


Overview

On an authority server with manual secure keystore, all the encryption keys in the server's database are themselves encrypted and password protected. Restarting your authority server for any reason requires that you supply that password. This article describes the relative merits of manual secure keystore and the automatic alternative, and it describes how to implement manual secure keystore.

Considerations

In an on-premises installation, a secure keystore encrypts and password protects all the encryption keys stored in your authority server's database:

  • Data keys
  • Secure data keys
  • The system encryption key
  • Transport keys

Without the password, your server and database, or any leaked copy of them, are useless. You cannot run the server. Bad actors cannot access your data.

  • Secure keystore applies to Code42 environments using the default H2 database. It does not apply to the PostgreSQL database option.

Choose manual or automatic

Code42 offers two methods of keystore security, manual and automatic. Code42 recommends the manual method because it is more secure.

Recommended option: Manual secure keystore

Manual secure keystore means you provide the password and store it however you see fit. You must supply that password every time someone restarts your authority server.

Do not lose your password!
Losing the password means complete loss of your Code42 environment.
Your users' backup archives cannot be recovered.

Simpler alternative: Automatic secure keystore

Automatic secure keystore holds the password in a file on your authority server's file system, and automatically finds it whenever the server restarts.

  • The authority server generates the password.
  • Every database dump duplicates and re-stores the password file.
  • In managed appliance environments, your password is available to Code42 administrators.
  • Implementation requires access to the authority server's file system. For managed appliance environments, contact Code42 for Enterprise support.

Which secure keystore are you using now?

To determine your authority server's current state:

  1. In the administration console's command-line interface (CLI), type:
    crypto status
  2. Read the response below the command line:
    • Secure KeyStore is disabled means there is no secure keystore.
    • Secure KeyStore is enabled and unlocked by admin indicates manual secure keystore.
    • Secure KeyStore is enabled and unlocked automatically indicates automatic secure keystore.
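The three responses above are the only states the article documents. As an added example that is not Code42's code, the Python below maps the text printed below `crypto status` to one of those states and lists any server that is not on the recommended manual keystore. The server names and the pasted responses are constructed sample data; the function names are mine.

```python
from enum import Enum


class KeystoreState(Enum):
    DISABLED = "no secure keystore"
    MANUAL = "manual secure keystore"
    AUTOMATIC = "automatic secure keystore"


# The three responses the article documents for `crypto status`, mapped to
# the state each one indicates.
_RESPONSES = {
    "Secure KeyStore is disabled": KeystoreState.DISABLED,
    "Secure KeyStore is enabled and unlocked by admin": KeystoreState.MANUAL,
    "Secure KeyStore is enabled and unlocked automatically": KeystoreState.AUTOMATIC,
}


def parse_crypto_status(output: str) -> KeystoreState:
    """Classify the text the CLI prints below the `crypto status` command.

    Matching is case-insensitive and tolerant of surrounding whitespace and a
    trailing period. Anything that is not one of the documented responses
    raises instead of being guessed at.
    """
    text = " ".join(output.split()).rstrip(".").lower()
    for phrase, state in _RESPONSES.items():
        if phrase.lower() in text:
            return state
    raise ValueError(f"unrecognised crypto status response: {output!r}")


# Constructed sample: what an administrator might paste from three consoles.
SAMPLE_RESPONSES = {
    "authority-1": "Secure KeyStore is enabled and unlocked by admin.",
    "authority-2": "  Secure KeyStore is disabled\n",
    "authority-3": "Secure KeyStore is enabled and unlocked automatically",
}


def servers_not_on_manual(responses):
    """Names of servers whose response shows anything other than manual secure keystore."""
    return sorted(
        name for name, out in responses.items()
        if parse_crypto_status(out) is not KeystoreState.MANUAL
    )


if __name__ == "__main__":
    for name, out in SAMPLE_RESPONSES.items():
        print(f"{name}: {parse_crypto_status(out).value}")
    print("needs attention:", servers_not_on_manual(SAMPLE_RESPONSES))
```

The parser deliberately refuses unknown text: a response the article does not list is something to look at, not something to silently file under one of the three states.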

How to implement manual secure keystore

Follow the steps below to implement manual secure keystore in your Code42 environment.

  1. Sign in to the administration console on your authority server.
  2. In the upper-left corner, double-click the Code42 logo to open the administration console's command-line interface (CLI).
  3. Enter the following command, replacing <password> and <retype password> with the password you want to set for manual secure keystore (do not include the brackets).
    A password needs eight or more characters, made up of numbers and both upper- and lower-case letters.
    crypto keystore enable <password> <retype password>
  4. Wait for the CLI to return the following response.
    The process takes roughly 1 minute for each 280 devices in your environment.
    Secure KeyStore is enabled and unlocked by admin.
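Because the enable command takes the password and its retyped copy directly on the CLI, it is worth checking both values before typing them. The following Python is an added example, not Code42's code: it applies the password rule stated in step 3 (eight or more characters, with numbers and both upper- and lower-case letters), checks that the two copies match, generates a compliant random password with the standard library's `secrets` module, and turns the step 4 rate (roughly 1 minute per 280 devices) into a maintenance-window estimate. The function names, and the choice to keep generated passwords to letters and digits, are my assumptions.

```python
import secrets
import string
from typing import List

MIN_LENGTH = 8            # "eight or more characters" (step 3)
DEVICES_PER_MINUTE = 280  # "roughly 1 minute for each 280 devices" (step 4)
# Assumption (not from the article): generated passwords use only letters and
# digits, the character classes the rule names, so they paste cleanly into the CLI.
ALLOWED_CHARS = string.ascii_letters + string.digits


def keystore_password_problems(password: str) -> List[str]:
    """Return every way `password` fails the article's rule (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lower-case letter")
    return problems


def check_enable_arguments(password: str, retype: str) -> List[str]:
    """Pre-flight for `crypto keystore enable <password> <retype password>`:
    the password must satisfy the rule and both copies must be identical."""
    problems = keystore_password_problems(password)
    if password != retype:
        problems.append("password and retype password do not match")
    return problems


def generate_keystore_password(length: int = 20) -> str:
    """Generate a random password that satisfies the rule, drawn from the OS
    CSPRNG via `secrets`. One character from each required class is placed
    first so the result can never fail the class checks, then the order is
    shuffled so the classes do not sit in fixed positions."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [
        secrets.choice(string.digits),
        secrets.choice(string.ascii_uppercase),
        secrets.choice(string.ascii_lowercase),
    ]
    chars += [secrets.choice(ALLOWED_CHARS) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def estimated_enable_minutes(device_count: int) -> float:
    """Rough duration of `crypto keystore enable` at the rate the article gives."""
    return device_count / DEVICES_PER_MINUTE


if __name__ == "__main__":
    # Constructed candidate values for illustration only.
    for candidate in ("Abcdef12", "abcdefg1", "Ab1"):
        print(f"{candidate!r}: {keystore_password_problems(candidate) or 'ok'}")
    print("mismatch:", check_enable_arguments("Abcdef12", "Abcdef13"))
    new_password = generate_keystore_password()
    print("generated password passes rule:", keystore_password_problems(new_password) == [])
    print(f"1400 devices: about {estimated_enable_minutes(1400):.0f} minutes")
```

The generated value is only as safe as where you keep it: the article's warning that losing the password means losing the environment applies equally to a generated one, so record it in whatever store you chose under "Recommended option" before running the enable command.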

How to restart a server that uses manual secure keystore

An authority server with a manual secure keystore cannot restart until you supply the password, as follows:

  1. Issue a restart command.
  2. Direct a browser to the authority server's address.
  3. The sign-in dialog prompts you for a username and two passwords. Provide:
    • The username of an administrator.
    • The password for that username.
    • The password for the secure keystore (labeled Server Password).

Secure keystore sign-in

How to change your keystore password

  1. Sign in to the administration console on your authority server.
  2. In the upper-left corner, double-click the Code42 logo to open the command-line interface (CLI).
  3. Enter the following command, replacing <old password> with the old manual secure keystore password, and <new password> and <retype new password> with the new password to use for manual secure keystore (do not include the brackets).
    crypto keystore change-password <old password> <new password> <retype new password>