
Device Backup - Security reference

Applies to:
  • CrashPlan PRO
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

In the Device Backup Security settings you can require users to enter their account password when opening the CrashPlan app. You can also set the security level of the archive encryption key for users' backup archives.

Device backup security settings

Navigate to Settings > Device Backup > Security to change the account password setting and the security level of the archive encryption key for user backups.

Device Backup Security Settings

Item  Description

a  Require account password to access CrashPlan app
   Selected - Requires that the user enters the correct password to open the CrashPlan app.
   Deselected - No password is required to open the CrashPlan app.

b  Lock
   Locks this setting to prevent users from changing it in their personal settings.

c  Push
   Pushes a change in this setting to existing users.

d  Standard (default)
   Users or administrators can restore files without providing an additional password.

e  Archive key password
   Users or administrators can restore files only by providing the correct archive key password. This additional password cannot be reset if it is forgotten or lost. By default, this password is the account password.

   Users who sign in with SSO
   Do not use the administration console to enable archive key password for users who sign in with SSO. Doing so prevents users from accessing their archives, resulting in data loss. Instead, make sure the Archive Encryption Key settings are unlocked, then instruct users to enable Archive key password from the CrashPlan app.

f  Custom key
   Users or administrators can restore files only by providing the correct custom key. If a user forgets or loses the custom key, the user's backup data becomes unrecoverable and the key cannot be reset. Adding or changing the custom key requires users to restart their backups.

Archive encryption key considerations
  • Pushing and locking this setting simply enforces the designated security level. Locking this setting does not prevent users from changing their archive key password, for example.
  • After you have upgraded a user's security level, you cannot downgrade the security level without restarting that user's backup.

Archive encryption key summary

Below is a description of the three security options for archive key management. Refer to our encryption key article for full details and a comparison chart.

Standard encryption

Consideration Details
Configuration
  • Standard archive encryption is the default encryption key security option
Key creation
  • Encryption key is generated upon user account creation
Management requirements
  • Users have only one password to remember
  • Lowest risk of losing ability to restore files
Key security & storage
  • Encryption key is escrowed on the master server for authentication during web restores, administrator restores, and installations on new devices
  • Secured key is escrowed on the master server for authentication during mobile restores
Key storage for mobile devices (CrashPlan mobile app only)
  • Encryption key is not stored on the device
  • Secured key is sent from the master server during the sign-in process
  • Secured key is stored in the device's memory only while the CrashPlan mobile app is in the foreground and user is signed in
Web restore key access
  • Encryption key is escrowed on the master server for decryption
Administrator access
  • Administrators can access files backed up to the Code42 server without knowing user account password

Archive key password

Consideration Details
Configuration
  • Archive key password is an increased encryption key security option
Key creation
  • Encryption key is generated upon user account creation
  • The encryption key remains the same when security option is changed from standard to archive key password
Management requirements
  • Users have two passwords to remember
  • Archive key password must be 8-56 characters in length
  • Increased risk of not being able to restore files if archive key password is forgotten
  • Users can change the archive key password at any time without affecting backup data
  • (Optional) Users can provide an archive question that, if answered correctly, can be used to reset the archive key password in the event that it is lost or forgotten
Key security & storage
  • The encryption key is not escrowed on the master server.
  • The encryption key is secured with the archive key password. The secured key is escrowed on the master server for authentication during web restores and installations on new devices
Key storage for mobile devices (CrashPlan mobile app only)
  • Encryption key is not stored on the device
  • Secured key is sent from the master server during the sign-in process and stored in the device's memory while the CrashPlan mobile app is in the foreground and user is signed in
  • Archive key password must be entered to restore files
  • If a user enables Remember my private password, then the archive key password is stored in the device's memory as long as the user is signed in; the key and password are both removed when signing out
Web restore key access
  • The secured key is stored on the master server for authentication during web restores
  • Archive key password must be entered to restore files
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the archive key password
  • Administrators cannot access a user's archive key password
  • If the archive key password is lost, it can only be reset if an archive question was previously configured; otherwise, backup data is unrecoverable
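
The archive key password model described above, where the server escrows only a password-secured copy of an unchanged encryption key, as an added Python illustration (not Code42's code or algorithm). PBKDF2 and the HMAC-based one-block wrap are stand-ins chosen to run with the standard library; every function name, the record layout and the work factor are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed PBKDF2-HMAC-SHA512 work factor for this sketch


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the password."""
    okm = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _stream(enc_key: bytes, salt: bytes) -> bytes:
    """One 32-byte keystream block; a stand-in for a real key-wrap cipher."""
    return hmac.new(enc_key, b"wrap" + salt, hashlib.sha256).digest()


def wrap_key(archive_key: bytes, password: str) -> dict:
    """Build the 'secured key' record that is safe to escrow on a server."""
    if len(archive_key) != 32 or not 8 <= len(password) <= 56:
        raise ValueError("need a 32-byte key and an 8-56 character password")
    salt = os.urandom(16)  # fresh salt per wrap, so the keystream never repeats
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(archive_key, _stream(enc_key, salt)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_key(record: dict, password: str) -> bytes:
    """Recover the archive key; fails closed on a wrong password."""
    enc_key, mac_key = _derive(password, record["salt"])
    want = hmac.new(mac_key, record["salt"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, record["tag"]):
        raise ValueError("wrong archive key password")
    return bytes(a ^ b for a, b in zip(record["ct"], _stream(enc_key, record["salt"])))


def change_password(record: dict, old: str, new: str) -> dict:
    """Re-wrap the same archive key; backup data is never re-encrypted."""
    return wrap_key(unwrap_key(record, old), new)
```

Only `salt`, `ct` and `tag` are escrowed in this sketch, so a holder of the record has to know the password to recover the key, which corresponds to the administrator access rows above.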

Custom key

Consideration Details
Configuration
  • Custom key is the highest upgraded encryption key security option
Key creation
  • The original encryption key generated upon account creation is removed from the master server and is replaced with a custom encryption key
  • Users can choose to assign and manage a different custom key for each device
Management requirements
  • Custom key is nearly impossible to remember, with increased risk of not being able to restore files if custom key is lost
  • Users must start a completely new backup after upgrading to this security option; files backed up prior to upgrading are deleted from backup archives
  • Web restore, new installations, and push restores require the custom key
Key security & storage
  • Encryption key exists only on source computer
  • The custom key is never cached at any remote location
Key storage for mobile devices (CrashPlan mobile app only)
  • User must supply the custom key in order to restore files
  • Custom key is only stored on the device if users enable Remember my custom key
  • Custom key is removed when the user signs out of the app
Web restore key access
  • User must supply the custom key in order to restore files
  • The custom key is held in memory for the purpose of restoring files; it is never written to disk
  • The custom key is flushed from memory once files are restored
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the custom key
  • Administrators cannot access users' custom keys