Code42 Support

Protect your Code42 server database with automatic secure keystore

Overview

When automatic secure keystore is enabled, your Code42 servers must verify a specific cryptographic password on their file systems before starting up. If the file containing this password is not present, the Code42 server will not start. Likewise, the sensitive components of your Code42 server database cannot be accessed without the password file.

This article describes how to protect your Code42 server database by configuring automatic secure keystore.

Effects of automatic secure keystore

Automatic secure keystore mitigates a security risk: if your Code42 server database becomes publicly exposed, the sensitive information inside it cannot be accessed without the password file.

When you enable automatic secure keystore, sensitive components of your Code42 server database are encrypted using a password generated on your host server's file system. When your Code42 server starts, it uses the password to decrypt those encrypted components and begin normal operation. Secure keystore only encrypts the following:

  • Data keys
  • Secure data keys
  • System encryption key
  • Transport keys

When your Code42 server creates a database dump during daily maintenance, it also exports a copy of the cryptographic password file alongside the database dump. If you need to import the database dump for troubleshooting purposes, you must also have the password file in order to decrypt the encrypted database dump.

Considerations

  • You cannot disable automatic secure keystore after enabling it.
  • If the password file is missing or inaccessible, the Code42 server will not start, preventing almost all operations in your Code42 environment.
  • Automatic secure keystore prevents someone from using a copy of your Code42 server database to access sensitive information, provided they do not have the password file. However, because the password file is also stored on your host server's file system, automatic secure keystore does not protect against access by someone with read access to the host server's file system.
  • Customers using managed appliances or public cloud deployments must contact our Customer Champions for Code42 for Enterprise support in order to implement automatic secure keystore. Enabling automatic secure keystore requires access to the file system of your host server.
  • Using automatic secure keystore adds complexity to other Code42 server management tasks, such as:

Enable automatic secure keystore

Follow the steps below to enable automatic secure keystore for all Code42 servers in your Code42 environment.

Step 1: Enable automatic secure keystore

  1. Sign in to the administration console on your authority server.
  2. In the upper-left corner, double-click the Code42 logo to open the administration console command-line interface (CLI).
  3. Enter the following command (CONFIRM is case-sensitive):
    crypto keystore enable-automatic CONFIRM

The administration console CLI responds:
Secure KeyStore is enabled and unlocked automatically.

Step 2: Create a copy of your password file

We strongly recommend storing an extra copy of your password file in an offline, secured location, such as a flash drive stored in a restricted-access area.

  1. On your host server's file system, navigate to the password file, which is named ksp.
    Default locations for each operating system:
    • Linux: /var/opt/proserver/ksp
      Applies to Code42 servers installed as root on Ubuntu
    • Windows: C:\Program Files\CrashPlan PROe Server\data\ksp
  2. Copy the password file to an offline, secured location.
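The copy in Step 2 on a Linux host, as an added example that is not Code42 tooling: it copies ksp to mounted offline media with owner-only permissions, verifies the copy byte for byte, and flags a source file that every local user can access. The function names and the /mnt/offline-media mount point are hypothetical; GNU stat and sha256sum are assumed.

```shell
#!/bin/sh
# Added example, not Code42 tooling. Default Linux location from this article.
KSP_DEFAULT=/var/opt/proserver/ksp

# Succeeds only if "other" has no permission bits on the file
# (the last octal digit of the mode is 0).
ksp_not_world_accessible() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Copy SRC into DEST_DIR as an owner-read-only file, then verify the copy.
# Prints the SHA-256 of the verified copy so it can be recorded with the media.
backup_ksp() {
    src=$1
    dest_dir=$2
    dest=$dest_dir/ksp
    [ -f "$src" ] || { echo "password file not found: $src" >&2; return 1; }
    [ -s "$src" ] || { echo "password file is empty: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "destination missing: $dest_dir" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing copy: $dest" >&2
        return 1
    fi
    ksp_not_world_accessible "$src" ||
        echo "warning: $src is accessible to every local user" >&2
    # umask keeps the copy from ever being created group- or world-readable.
    ( umask 077 && cp "$src" "$dest" ) || return 1
    chmod 400 "$dest"
    if ! cmp -s "$src" "$dest"; then
        echo "copy does not match source; removing $dest" >&2
        rm -f "$dest"
        return 1
    fi
    sha256sum "$dest" | cut -d' ' -f1
}

# Usage (hypothetical mount point): backup_ksp "$KSP_DEFAULT" /mnt/offline-media
```

Recording the printed hash separately from the media lets you confirm later that the offline copy is still intact before you rely on it.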

Verify automatic secure keystore

Use the administration console to verify that automatic secure keystore has been enabled in your Code42 environment.

  1. Sign in to the administration console on your authority server.
  2. Double-click the Code42 logo in the upper-left corner to open the administration console command-line interface (CLI).
  3. Enter the following command:
    crypto status

The administration console CLI responds:
Secure KeyStore is enabled and unlocked automatically.