This article applies to Cloud.
Code42 cloud environments may be configured to store users' encryption keys in your own private external keystore, rather than in Code42's keystore. The external keystore that Code42 supports is Vault, a third-party application specifically built to secure secrets.
This article provides information about steps you must perform before upgrading your private, self-administered Vault server to a newer version.
Instead of managing your encryption keys in Vault, Code42 can manage your keys for you. See our Encryption Key Management and Security product document for details. For more information, contact your Customer Success Manager (CSM) for enterprise support at firstname.lastname@example.org.
Our Customer Champions can assist you with migrating your keystore to your private, self-administered Vault. Customer Champions cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Vault, consult the Vault documentation.
This article serves Customer Cloud Administrators who have an existing Vault server installed and configured to store Code42 encryption keys. To learn more about why and how to create a Vault, see:
- The latest version of Vault is available from the Vault downloads page. Previous versions are available from the Vault releases page.
- Vault 0.10.2 is tested and compatible with the Code42 cloud.
Versions 0.7.2 and earlier did not enforce certificate expiration. If you upgrade Vault without the new certificate, and your old certificate is expired, you may get locked out of Vault and lose your keys.
Therefore, if you are upgrading from version 0.7.2 or earlier, it is critical that you follow the steps below in the order presented. Before upgrading, first create and install a new administrator certificate at the existing Vault, and then migrate the Vault keystore to your Code42 environment, as described below.
Vault uses two certificates
A Vault server connecting with the Code42 cloud uses two CA-signed SSL certificates:
- Your Vault domain certificate secures your Vault server's domain (for example, vault.example.com). It provides encryption for all communications between Vault and the Code42 cloud. It's the same process at work in most HTTPS connections between clients and servers.
- Your Vault user/administrator certificate authenticates the user of your Vault server who administers your Code42 cloud key storage. Your Vault server uses this certificate to authenticate and authorize requests from your Code42 cloud organization.
Step 1: Ensure your certificate is up-to-date
Code42 recommends a certificate that expires in one year. Renew your certificate before that date, or Vault will stop working.
If you need a new certificate, create a new CA-signed certificate that meets these specifications:
- Get a signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
- The certificate must match the domain name where your Vault server listens for requests.
- Package the CA's reply in a PKCS12 file, also called a *.PFX or *.P12 file.
- The maximum file size is 5 MB.
If you are upgrading from 0.7.2 or earlier, you must obtain a new certificate before proceeding.
If you do not need to renew your certificate, proceed to Step 4.
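A pre-flight check for the certificate bundle before you import it, as an added example that is not part of the Code42 or Vault documentation: it verifies the 5 MB limit, that the certificate names the domain where Vault listens, and that it is not expired or about to expire. It assumes openssl is on PATH and takes the bundle path, the Vault domain and the bundle password as arguments.

```shell
#!/bin/sh
# Pre-flight check for a Vault user/administrator certificate bundle
# before importing it into Vault and uploading it to the Code42 cloud.
# Assumes openssl is on PATH; file, domain and password are arguments.

MAX_BYTES=$((5 * 1024 * 1024))   # 5 MB limit stated in the requirements above

# check_vault_cert <bundle.p12> <vault-domain> <password> [warn-days]
# Exit status 0 when every requirement is met, 1 otherwise.
check_vault_cert() {
  p12="$1"; domain="$2"; pass="$3"; warn_days="${4:-30}"
  status=0

  # Requirement: PKCS12 file no larger than 5 MB
  size=$(wc -c < "$p12")
  if [ "$size" -gt "$MAX_BYTES" ]; then
    echo "FAIL: $p12 is $size bytes, above the 5 MB limit"; status=1
  fi

  # Pull the client certificate out of the bundle (also proves the password works)
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) || {
    echo "FAIL: cannot open $p12 (not a PKCS12 file, or wrong password)"; return 1; }

  # Requirement: certificate must name the domain where Vault listens.
  # CA-issued certificates carry it as a DNS SAN; fall back to the subject CN.
  dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
  san=$(printf '%s\n' "$cert" | openssl x509 -noout -text | sed -n '/Subject Alternative Name/{n;p;}')
  subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
  if ! printf '%s\n%s\n' "$san" "$subj" | grep -qE "(DNS:|CN ?= ?)$dom_re(,|/|\$)"; then
    echo "FAIL: certificate does not name $domain (SAN: ${san:-none}; $subj)"; status=1
  fi

  # Requirement: not expired now (Vault after 0.7.2 enforces this) and not about to expire
  if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has already expired"; status=1
  elif ! printf '%s\n' "$cert" | openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo "WARN: certificate expires within $warn_days days; renew it before upgrading"
  fi

  [ "$status" -eq 0 ] && echo "OK: $p12 satisfies the Code42 requirements for $domain"
  return "$status"
}

# Usage: sh check_vault_cert.sh bundle.p12 vault.example.com 'bundle-password'
[ "$#" -ge 3 ] && check_vault_cert "$@"
```

The warn-days argument is a threshold you choose; the page itself only requires that the certificate is unexpired when Vault is upgraded.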
Step 2: Import the new certificate to Vault
If you obtained a new certificate, import the new certificate into Vault. Configure Vault to use that certificate to authenticate requests from your Code42 environment.
Step 3: Upload the certificate to your Code42 environment
If you obtained a new certificate, provide the certificate file and its password to the Code42 cloud as described in Migrate keys to a new keystore.
Step 4: Upgrade your backend storage software
Vault is a front-end for a storage application, typically Consul. Before upgrading Vault, upgrade that storage software.
For additional help, see the following Vault documentation: