Code42 Support

Archive encryption key security

Available in:

Standard, Premium, Enterprise, Small Business

Overview

Code42 apps encrypt all user data before it leaves endpoint devices for storage in Code42 backup archives. No one can decrypt a user's data without that user's archive encryption key. To protect the keys, Code42 offers three levels of security. For administrators, this article describes those levels and how to implement each one. However, Code42 strongly recommends that administrators keep to the default, standard level of security, and lock it so that users cannot change it.

Users seeking to upgrade key security at their Code42 apps should see two other articles:

Step 1: Choose a security option

Administrators have three options for securing users' encryption keys. The recommended option allows administrative access to user data. The second and third options put the keys entirely under user control; administrators cannot access user data. Read the following to make an informed decision.

Recommended option: Standard security, the default

Account password security, the standard, default configuration, is the simplest option. It provides multiple layers of safety and is adequate for most security requirements.

  • No user data can be restored or decrypted without the owner's Code42 account name and password.
  • Administrators with advanced console access can reset names and passwords, and decrypt and restore user data.
  • Code42 apps encrypt user data with the AES-256 algorithm, the standard adopted by the U.S. National Institute of Standards and Technology (NIST).
  • In the Code42 cloud:
    • Code42 client-server communications use signed certificates and TLS security.
    • Code42 stores the keys in a dedicated Vault keystore, separate from all other user and administrative data.
    • Administrators may further secure keys by storing them in their own private Vault keystore.
  • In an on-premises Code42 environment:

Option 2: Archive key password security

Users create private passwords, preventing administrative access.

  • Users define a key password, a recovery question, and the answer. 
  • The user's encryption key is itself encrypted; only the user's key password can decrypt it.
  • The recovery question and answer allow the user/owner to reset the password.
  • The same password protects all devices on a user's Code42 account.
  • Only the user/owner has access to the password, the recovery answer, and the encryption key.
    They are stored on Code42 servers, but are hashed and encrypted.
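
A minimal model of the key-password scheme described above, added here as an illustration and not Code42's code: the archive key is wrapped once under the key password and once under the recovery answer, so the server holds only records it cannot open. PBKDF2 and the HMAC-based wrap are stand-ins chosen to run on the Python standard library (the page does not name Code42's KDF or wrap cipher), and all function names and the record layout are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration

def derive_kek(secret: str, salt: bytes) -> bytes:
    # Key-encryption key derived from a user secret (PBKDF2 is an assumed KDF).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def keystream(kek: bytes, nonce: bytes) -> bytes:
    # Stand-in for a real wrap cipher: one 32-byte HMAC block as keystream.
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def tag_for(kek: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Integrity tag over the wrapped key, domain-separated from the keystream.
    return hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()

def wrap(archive_key: bytes, secret: str) -> dict:
    """Encrypt a 32-byte archive key under a secret; return the stored record."""
    if len(archive_key) != 32:
        raise ValueError("expected a 256-bit key")
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(archive_key, keystream(kek, nonce)))
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag_for(kek, nonce, ct)}

def unwrap(record: dict, secret: str) -> bytes:
    """Return the archive key; raise ValueError on a wrong secret or tampering."""
    kek = derive_kek(secret, record["salt"])
    expected = tag_for(kek, record["nonce"], record["ct"])
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong secret or modified record")
    return bytes(a ^ b for a, b in zip(record["ct"], keystream(kek, record["nonce"])))

def enroll(password: str, answer: str):
    """User sets a key password and recovery answer; server keeps wrapped copies only."""
    archive_key = os.urandom(32)
    server = {"by_password": wrap(archive_key, password),
              "by_answer": wrap(archive_key, answer)}
    return archive_key, server

def reset_password(server: dict, answer: str, new_password: str) -> None:
    """The recovery answer unwraps the key, which is re-wrapped under the new password."""
    server["by_password"] = wrap(unwrap(server["by_answer"], answer), new_password)
```

In this model the archive key never changes, so a password reset replaces only the small wrapped record and the backup archive is not re-encrypted.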

Warnings

  • Users must configure and remember passwords and recovery answers.
  • Returning to standard security requires starting over with new account names and new backups.
  • Code42 administrators cannot:

Option 3: Custom key security

This option puts security entirely in users' hands.

  • Users define their own data encryption keys before data leaves their devices.
  • Only the owner/user has the key.
  • Users can define unique keys for each of their devices.
  • Code42 does not store the key anywhere outside a user's device.

Warnings

This option comes with all the same warnings as archive key password security.
It also poses the greatest risk of users losing their data archives.

  • When you implement custom key security for a device, Code42 deletes any existing backup for that device. A new backup archive starts from scratch.
  • No backup activity occurs for the device until the user defines the new key.
  • If a user loses a key, the user's backup data is irretrievable.
  • A key cannot be reset or recovered.
  • The only recourse for a lost key is to change the account name and start a new backup.

Step 2: Implement a security option

Set security for individual devices
The instructions below describe security settings for organizations. You can also set security options for individual devices. In the administration console, select the device, then edit its backup settings.

Recommended option: Lock standard account password security

Account password security is the default. But until you lock it, users can change their security through their Code42 apps. For most environments, Code42 recommends locking security as follows:

  1. Sign in to the administration console.
  2. Go to Administration > Organizations > Active.
  3. Select your Code42 environment's top-level organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
  6. Uncheck Use default archive encryption key setting.
  7. Make sure Standard is selected.
  8. Click the lock icon.
  9. In the confirmation dialog, select All organizations, I understand, and OK.
    Standard security is now locked for all your organizations. Users cannot change it.
    Advanced security does not revert to standard
    Any device or child organization that was previously set to user-controlled security will retain that setting. The operation above cannot revert an organization or device to standard security.
  10. Click Save.
    Users may still open a Code42 app desktop interface, and navigate to Tools > Options > Security.
    But they will have no access to upgrade security.

Option 2: Implement archive key password security

  1. Sign in to the administration console.
  2. Go to Administration > Organizations > Active.
  3. Select the organization whose users will have key password security.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
  6. Uncheck Use default archive encryption key setting.
  7. Select Archive key password.
  8. Click the lock icon.
  9. In the confirmation dialog, select All organizations, I understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, then click OK.
    Key password security now applies to all devices in the current organization and in its child organizations.
    Custom key security does not revert to key password security
    Any device or child organization that was previously set to custom key security will retain that setting. The operation above cannot revert an organization or device to key password security.
  11. Advise users to open the Code42 app on their desktops.
    The Code42 app prompts the user to provide a password, a reset question, and an answer.

Option 3: Implement custom key security

  1. Sign in to the administration console.
  2. Go to Administration > Organizations > Active.
  3. Select the organization whose users will have custom key security.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
  6. Uncheck Use default archive encryption key setting.
  7. Select Custom Key.
  8. Click the lock icon.
  9. In the confirmation dialog, select All organizations, I understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, then click OK.
    Custom key security now applies to all devices in the current organization and in its child organizations.
  11. Advise users to open the Code42 app on their desktops.
    The Code42 app prompts users to define an encryption key. They may:
    • Import a key from a file.
    • Paste a key from the clipboard.
    • Enter a passphrase.
    • Let the Code42 app generate a key.
    Tell users to save their keys
    Impress upon each user the importance of copying a key to a safe place. If a user loses the key, the user's backup data is lost as well.