Skip to main content

This article applies to Cloud.

Available in:

Small Business
Code42 Support

Create a Vault server to hold your archive keystore

This article applies to Cloud.

Available in:

Small Business


External keystores mean that even in the Code42 cloud environment, you can fully control the encryption keys that secure your backed-up data. The keys are stored separately from the Code42 cloud, in a Vault keystore system. Vault is a third-party application specifically built to secure secrets. This article describes how to create a private, self-administered Vault server to store Code42 encryption keys.

Once you have your Vault server running and tested, move your organization's keys into it by following the instructions for migrating keys to a new keystore.


Code42 affirms that Vault version 0.6.5 is compatible with the Code42 cloud.

  • Any minor version change, Vault 0.7.x for example, should work, but has not been tested.
  • Code42 makes no promises regarding major Vault versions 1.x and later. 
Vault is not Code42

Sample commands in this article are illustrations only. Code42 has makes no guarantees regarding their security or effectiveness, or their suitability for your environment.

Vault is not a Code42 product. Our Customer Champions can assist you with migrating your keystore to your private, self-administerd Vault. Customer Champions cannot, however, provide assistance with Vault-specific tasks, such as installation, configuration, networking, and exporting certificates.

For assistance with Vault, consult the Vault documentation.

How Vault works

A Vault server connecting with the Code42 cloud uses two SSL certificates:

  • Your Vault domain certificate.
    • A signed certificate and private key secures your Vault server's domain (for example,
    • That key and certificate provide encryption for all communications between your Vault and the Code42 cloud. The process resembles most HTTPS connections between clients and servers.
  • Your Vault user certificate.
    • A second key and certificate are generated by your Vault, in response to your command during the configuration process.
    • That key and certificate identify the Vault user that becomes a part of your Code42 cloud organization. Your Vault server uses it to authenticate and authorize requests from your Code42 cloud organization.
    • You package that user key and certificate into a PKCS12 certificate file (*.p12 or *.pfx) and import that file and its password into your Code42 cloud organization.

Before you begin

Install a Vault server at a location available to the Code42 cloud.

  1. Set up a machine or virtual machine with network access that allows TLS/HTTPS communication with the Code42 cloud.
  2. Plan storage capacity of roughly 1 KB for each of your Code42 users.
  3. Download a Vault package for that machine's operating system.
  4. Install and configure a Vault server as described by the Vault documentation.
  5. Connect your Vault server to whatever storage backend suits your purposes.
  6. Code42 recommends configuring your Vault for monitoring and auditing.
    Vault provides multiple methods for logging requests. In the Vault documentation, look for Audit Backends.
Back up your Vault!
When you create a private keystore, create a scheduled process to back it up.
Losing a self-administered private keystore is catastrophic. A wide range of Code42 functions fail. You cannot create new users. You cannot replace a lost or damaged device from backup. You cannot restore data via the console. The only sure way to protect your data is to restart all user backups from scratch.

Step 1: Configure your Vault to work with Code42

Sample commands:
The commands below are samples only. They illustrate configuration of a Vault server on a Linux operating system. Code42 makes no guarantees regarding their security or effectiveness, or their suitability for your environment

To allow the Code42 cloud to read and write encryption your encryption keys, configure your Vault server as follows:

  1. Create your Vault domain certificate, a signed SSL key and certificate for the domain where your Vault server communicates.
    • Get your signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
    • The certificate must match the domain name where your Vault server listens for requests.
    • Note your certificate's expiration date. Renew your certificate before that date, else your Vault will stop working.
  2. Edit the configuration file for your Vault server to enable TLS/HTTPS connections.
  3. Edit the configuration file to secure TLS connections with the key and certificate you created at step 1.
  4. Enable SSL certificate authentication:
    vault auth-enable cert
  5. Tune Vault to issue short-lived authentication tokens for TLS connections:
    Replace<nn> with a number of seconds. A short time-to-live (TTL) is more secure than a long one. Code42 recommends 60 seconds.
    vault mount-tune -default-lease-ttl=<nn>s auth/cert
  6. Mount the Vault public key infrastructure (PKI):
    vault mount pki
  7. Tune Vault to set the life-span of the SSL certificates it generates:
    Replace<nnnnnn> with a number of hours. Any certificate you generate with Vault works for this number of hours, then you need to replace it. Code42 recommends at least 8760 hours (1 year).
    vault mount-tune -max-lease-ttl=<nnnnnn>h pki
  8. Create your Vault user certificate:
    Replace <nnnnnn> with the same number of hours you provided above.
    vault write pki/root/generate/internal ttl=<nnnnnn>h
    vault write pki/roles/cpRole allow_any_name="true" allow_subdomains="true"
    vault write pki/issue/cpRole > temp_cert.pem
    cp temp_cert.pem crashplan_cert.pem
    cp temp_cert.pem crashplan_key.pem
    The resulting *.pem files contain hold three encrypted strings in the following order, with the following labels:
    certificate ...
    issuing_ca ...
    private_key ...
  9. Edit crashplan_cert.pem with a text editor so that it holds only the certificate string:
    MIIDEzCCA ... 
    <encrypted string truncated here> 
    ... /x8Qtigpn=
    -----END CERTIFICATE-----
  10. Edit crashplan_key.pem so that it holds only the key string:
    MIIEox8/+ ...
    <encrypted string truncated here>
    ... 5QD9moAAl 
    -----END RSA PRIVATE KEY-----
  11. Write the four lines below to a text file named crashplanPolicyFile
    The file defines a Vault policy that allows writing and storing certificates and policies—and nothing else.
    # crashplanPolicyFile
    path "pki/issue/*" {policy = "write"}
    path "sys/policy/*" {policy = "write"}
    path "auth/cert/certs/*" {policy = "write"}
  12. Read the policy into your Vault system:
    vault policy-write crashplanPolicy crashplanPolicyFile
  13. Create a Vault user to work with the Code42 cloud:
    vault write auth/cert/certs/crashplanUser display_name="crashplanUser" 
       policies=crashplanPolicy certificate=@crashplan_cert.pem
  14. Create a PKCS12 key and certificate file for import to the Code42 cloud:
    The openssl command will prompt you for a password. Provide up to 10,000 characters.
    openssl pkcs12 -export -out crashplan.p12 -inkey crashplan_key.pem 
       -in crashplan_cert.pem

Step 2: Configure the Code42 cloud to work with your Vault

The crashplan.p12 file created in the previous step is a PKCS12 certificate (also called a PFX or P12 file) that identifies your Code42 cloud organization to your Vault server.

Provide the file and its password to the Code42 cloud as described in Migrate keys to a new keystore.

The maximum file size is 5 mb.

  • Was this article helpful?