Skip to main content

This article applies to Code42 for Enterprise version 4.

Code42 Support

Security: Encryption and password options

This article applies to Code42 for Enterprise version 4.


The CrashPlan app is engineered to provide the benefits of cloud backup without compromising data security and privacy. With three secure options for managing your archive encryption key, the CrashPlan app offers the flexibility needed to meet your data security needs. Common questions about CrashPlan app security are answered below.

How archive encryption and decryption work

What is archive encryption, and how does it protect my backup?

Encryption is the process of converting information into a coded form that cannot be accessed without the key used to encode it. The CrashPlan app encrypts the files included in your backup before the data is sent to your destinations. Data encryption, combined with a secured encryption key, prevents unauthorized access to your information.

Put simply, if someone ever accessed your backup archive, both your password and encryption key are needed to decrypt your files.

What type of encryption does the CrashPlan app use?

The type of encryption depends on which version of the CrashPlan app you are using. There are two possible types:

  • Advanced Encryption Standard (AES): AES is an open source algorithm adopted by the National Institute of Standards and Technology (NIST) as the standard for electronic data encryption, and is used by businesses worldwide.
  • Blowfish: Blowfish is a freely available, documented, and open method of encrypting data. It is used by a wide range of encryption products.
Product CrashPlan app Version Encryption Algorithm
Code42 for Enterprise 4.6.x and later AES
  • AES
    • Default for new installations of the Code42 platform
    • Optional for Code42 platforms upgraded from an earlier version
  • Blowfish
    • Default for Code42 platforms upgraded from an earlier version
4.2.x and earlier Blowfish


How strong are the encryption keys that the CrashPlan app uses?

The strength of the keys used to encrypt your files depends on which product you are using.

Product Encryption Algorithm Key Strength
Code42 for Enterprise



CrashPlan app version 4.5.x and earlier only


* Blowfish and AES key strength cannot be directly compared due to a difference in block sizes.

Does my backup start over when the encryption type changes from Blowfish to AES?

No, existing backups do not need to start over. A single archive can contain AES-encrypted data and Blowfish-encrypted data. Once AES is enabled, new files and versions are backed up with AES encryption.

If a backup contains both Blowfish and AES encrypted data, are two encryption keys required?

No. Only one encryption key exists for backup archives containing both Blowfish-encrypted data and AES-encrypted data. The first 256-bits of the encryption key are honored when restoring data encrypted with AES, and the full 448-bits are used when restoring data encrypted with Blowfish.

How can I access my encrypted files?

You can access your encrypted files by restoring them from the CrashPlan app or CrashPlan web app. The CrashPlan app will decrypt your files using your encryption key. The method the CrashPlan app uses to access your encryption key depends on how you restore your files and your security settings. Learn more about how file decryption works during restores.

Archive encryption key options and storage

Do Code42's servers create, maintain, or save my encryption key for me?

The CrashPlan app offers three options for securing the archive encryption key for your backup. The answer depends on your Archive Encryption setting.

  • Standard encryption (default): When you install the CrashPlan app, an encryption key is securely generated for your account. The key is escrowed on Code42's servers for authentication during web restores and installations on new devices.
  • Archive key password: The key generated by the CrashPlan app is secured with a secondary password, known as your archive key password. Only the secured key is stored on Code42's servers for authentication during web restores and installations on new devices.
  • Custom key: The original encryption key generated by the CrashPlan app is replaced with an encryption key you choose. Code42's servers never escrow the encryption key when using a custom key. This means that if you lose or forget your encryption key, your backup data cannot be restored and our Customer Champions cannot assist with recovery.
Should I upgrade my account security settings?

The default settings satisfy the security needs for most users. However, you may want to consider upgrading your security settings if any of the following apply:

  • Your devices are highly mobile and/or are frequently at risk of exposure or theft
  • Your devices contain highly-sensitive business or medical information
  • Your devices must comply with medical or legal regulations that require an increased level of security

Increasing the security setting for your account trades ease of use for enhanced archive security. Each additional level of protection also comes with risks and an increased need for password management. Please review your options carefully before upgrading your security.

Does my encryption key maintain its value even if I change my account password?

Yes, the encryption key remains the same. If you use the default security option, then your encryption key is relocked with your new account password when your password is changed. If you use either the archive key password or custom key option, then changing your account password has no effect on how your encryption key is secured.

Where is the encryption key stored?

Refer to our detailed description for each security option in the Archive Encryption Key Security article for information on where your encryption key is stored.

Where does the CrashPlan app retrieve the data encryption key for decrypting the backup if I have reinstalled my operating system or formatted my hard drive?
  • Standard encryption: Upon reinstalling the CrashPlan app, your configuration settings are pulled from our server, including your secured key. Your account password is used to unlock the encryption key that allows you to restore.
  • Archive key password: Upon reinstalling the CrashPlan app, your configuration settings are pulled from our server, including your secured key. You are then prompted for your archive key password before restoring. The archive key password is used to unlock the encryption key that allows you to restore.
  • Custom key: Upon reinstalling the CrashPlan app, you must provide your custom key. You must also provide your custom key in order to restore.

Upgraded security details

Archive key password

What's the difference between an account password and an archive key password?
  • Your account password is the password you entered when you installed the CrashPlan app. Combined with your email address, it links all the computers on your account together. You can update your Security settings to require your account password to access the CrashPlan app. Your account password is also required when accessing the CrashPlan web app.
  • An archive key password is an additional layer of security used to secure your archive encryption key. If you upgrade your security to archive key password, you must enter your archive key password before you can restore files. The archive key password is not stored on Code42's servers. If you choose to use the web restore feature, the password is sent to Code42's servers and temporarily used to gain access to your archive key, but the password is not persisted on Code42's servers.

You can reset your account password at any time. However, our Customer Champions cannot retrieve or restore the archive key password for you if you lose it.

If I change my archive key password, what happens to the data already backed up?

Your files are not actually encrypted with the archive key password or account password. Those passwords act as a way to lock or protect your encryption key. So if you change your archive key password, your data doesn’t need to be re-encrypted and your backup doesn’t need to start over. Rather, your encryption key is simply re-locked with the new archive key password. Your data encryption key never changes.

Imagine you have your keys to your car locked in a safe. The archive key password is the key to the safe, not the keys to the car. You can still restore versions of files encrypted with the original archive key password and you don't need to start your backup over.

What can I do if I forget my archive key password?

For versions 3.6.1 and later, you have the option to enable an archive question. An archive question can be used to reset the archive key password in the event that the existing password is lost or forgotten. If you do not enable the archive question, or you are unable to answer the question correctly, then there is absolutely no way to help you recover the archive key password needed to restore your files. Our Customer Champions cannot help you recover an archive key password. Learn more about your password and account recovery options.

Do I need to enter my archive key password on all my computers?

Yes. Enabling the archive key password option affects ALL of the computers on your account. Setting the archive key password on one computer sets the same archive key password for all your computers. You need to enter this archive key password on all the computers in your account.

Custom key

If I add or change my custom key, what happens to the data already backed up?

Because you are changing the encryption key used to encode your data, your backup must start over if you upgrade to the custom key security option, or if you change your custom key.

What can I do if I forget my custom key?

There is absolutely no way for Code42 to recover your custom key. If you forget or lose your custom key, you must start over with a new account. Learn more about account recovery.

Do I need to enter my custom key on all my computers?

Enabling custom key security impacts ALL of the computers on your account. However, you can choose to use a different custom key for each computer.

Transmission security

After my data is encrypted on the source computer, how is it transmitted to my destinations?

Once your files are encrypted and secured with the security method of your choice, your backup transmission is sent to your destinations using 128-bit AES in-transit encryption.

If I use a setting in which Code42's servers maintain my encryption key, is it sent securely?

Yes, it is transferred securely with the same encryption technology used to encrypt files during backup. The key itself is also locked or encrypted.

Policies, certifications, and compliance standards

What is your Privacy Policy?

The information we collect from you is only for the purposes of providing you a backup service and communicating with you about the backup services we provide. Read our complete Privacy Policy.

Are your data centers secure?

Code42 ensures and monitors appropriate ISO27001 or SSAE16 certifications for its cloud data centers, and is an ISO27001-certified organization. Code42 continually strives to keep pace with evolving industry security standards.

Archive encryption and encrypted disks

Can I use the CrashPlan app if my files are already encrypted?

The CrashPlan app supports encrypted files, folders, drives, and filesystems that are run at a system level. In other words, they are not being configured and run in a user space. Learn more about backing up encrypted files and locations.