Skip to main content

Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional and Enterprise
Incydr Basic and Advanced
Other product plans

Incydr Professional and Enterprise, no.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, yes.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Encryption key options for backup archives

Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional and Enterprise
Incydr Basic and Advanced
Other product plans

Incydr Professional and Enterprise, no.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, yes.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises

Overview

The Code42 app encrypts all file data before it leaves endpoint devices for storage in Code42 backup archives. No one can decrypt a user's backed up files without that user's archive encryption key.

This article provides guidance for administrators about the three options for encryption key settings for backup archives. In almost all cases, Code42 strongly recommends that administrators use the default option and lock it so that users cannot change it.

For users seeking to change the encryption key setting in the Code42 app, see:

Step 1: Choose an encryption key option

There are three options for securing backup archive encryption keys:

  1. Account password (recommended): Users enter their account password to restore data. Administrators can reset passwords for users. Administrators with proper permissions can also access users' backed up data.
  2. Archive key password: Users choose a separate password to protect the encryption key. Administrators cannot access users' backed up data.
  3. Custom key: Users supply their own encryption key. Administrators cannot access users' backed up data. This option offers the greatest protection against unauthorized access to backed up data, but also entails the greatest risk of losing the backed up data.

More details for each option are provided below.

Recommended option: Account password (standard)

In the Code42 console, this option is labeled Standard. In the Code42 app, it's labeled Account password.

This is a secure, simple option and is the best choice for most situations. With this option, Code42 automatically generates the archive encryption key, and it is protected by the user's account password. Use this option if you have an Incydr product plan.

This option provides multiple layers of safety, including:

  • No user data can be restored or decrypted without the account owner's Code42 username and password.
  • Administrators with proper permissions can reset usernames and passwords, and decrypt and restore user data.
  • The Code42 app encrypts file data with the AES-256 algorithm, the standard adopted by the U.S. National Institute of Standards and Technology (NIST).
  • Code42 client-server communications use signed certificates and TLS security.
  • Code42 stores the keys in a dedicated keystore, separate from all other user and administrative data.
  • Administrators may further secure keys by storing them in their own private keystore.

Option 2: Archive key password

With this option, Code42 automatically generates the archive encryption key, but it is protected by an additional user-created password that is separate from the account password. This prevents administrators from being able to access the backed up files.

  • Users choose a separate archive key password to protect the encryption key.
  • The backup encryption key is encrypted by the archive key password, and only the user's archive key password can decrypt it.
  • Users can also create an optional recovery question and answer. This allows users to reset the archive key password if they lose or forget it.
  • The same archive key password protects all backup archives for all devices on a user's Code42 account.
  • Only the user/owner has access to the password, the recovery answer, and the encryption key.
    They are stored on the Code42 cloud, but are hashed and encrypted.
Warnings and limitations
  • Users must configure and remember passwords and recovery answers.
  • Returning to the Standard setting requires starting over with new account names and new backups.
  • Code42 administrators cannot:
Incydr requires the default archive encryption key setting
Incydr features related to endpoint file activity detection are not supported if you enable the Archive key password or Custom key encryption setting.

Option 3: Custom key

With this option, the user supplies the encryption key. This gives the user complete control over access to the backup archive.

  • Users define their own data encryption keys before data leaves their devices.
  • Only the owner/user has the key.
  • Users can define unique keys for each of their devices.
  • Code42 does not store the key anywhere outside a user's device.
Warnings and limitations

This option comes with all the same warnings as the archive key password option above. In addition:

  • Custom keys pose the greatest risk of users losing their backed up data.
  • When you implement the custom key setting for a device, Code42 deletes any existing backup for that device. A new backup archive starts from scratch.
  • No backup activity occurs for the device until the user defines the new key.
  • If a user loses the key for a device, that backup data cannot be recovered.
    • Code42 has no way to recover a lost custom key.
    • A custom key cannot be reset.
  • The only recourse for a lost key is to change the account name and start a new backup.

Step 2: Implement an encryption key option

Change settings for individual devices
The instructions below describe settings for organizations. You can also set options for individual devices. In the Code42 console, select the device, then edit its backup settings.

Recommended: Lock the standard account password option

The default archive encryption key setting is Standard. But until you lock it, users can change this setting in the Code42 app. To lock this setting:

  1. Sign in to the Code42 console.
  2. Go to Administration > Environment > Organizations.
  3. Select your Code42 environment's top-level organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
  6. Uncheck Use default archive encryption key setting.
  7. Make sure Standard is selected.
  8. Click the lock icon. lock button
    device backup security standard
  9. In the confirmation dialog, select All organizations, I understand, and OK.
    The standard archive encryption key setting is now locked for all your organizations. Users cannot change it.
    Existing devices do not revert to standard
    Any device or child organization already set to Archive key password or Custom key retains that setting. The steps above cannot revert an organization or device to the Standard setting.
  10. Click Save.
    In the Code42 app, users can view the current value, but are no longer allowed to change this setting.
    CrashPlan app locked security

Option 2: Require an archive key password

  1. Sign in to the Code42 console.
  2. Go to Administration > Environment > Organizations.
  3. Select an organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
    device security password
  6. Uncheck Use default archive encryption key setting.
  7. Select Archive key password.
  8. Click the lock icon. lock button
  9. In the confirmation dialog, select All organizations, I understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, click OK.
    Archive key password now applies to all devices in this organization and its child organizations.
    Confirm change to archive key password.
    Custom key does not revert to archive key password
    Any device or child organization already set to Custom key retains that setting. The steps above cannot revert an organization or device to the Archive key password setting.
  11. Advise users to open the Code42 app on their desktops.
    The Code42 app prompts the user to provide a password, a reset question, and an answer.
    client key password

Option 3: Require a custom key

  1. Sign in to the Code42 console.
  2. Go to Administration > Environment > Organizations.
  3. Select an organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
    device security custom
  6. Uncheck Use default archive encryption key setting.
  7. Select Custom Key.
  8. Click the lock icon. lock button
  9. In the confirmation dialog, select All organizations, I understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, click OK.
    Custom key now applies to all devices in this organization and its child organizations.
    Confirm change to custom key.
  11. Advise users to open the Code42 app on their device.
    The Code42 app prompts users to define an encryption key. They may:
    • Import a key from a file.
    • Paste a key from the clipboard.
    • Enter a passphrase
    • Let the Code42 app generate a key.
    Tell users to save their keys
    Impress upon each user the importance of copying the key to a safe place. If a user loses the key, the user's backup data is lost as well.
    CrashPlan app custom key
  • Was this article helpful?