Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
This article applies to version 4.
The CrashPlan app is engineered to provide the benefits of cloud backup without compromising data security and privacy. With three secure options for managing your archive encryption key, the CrashPlan app offers the flexibility needed to meet your data security needs. Common questions about CrashPlan app security are answered below.
How archive encryption and decryption work
Encryption is the process of converting information into a coded form that cannot be accessed without the key used to encode it. The CrashPlan app encrypts the files included in your backup before the data is sent to your destinations. Data encryption, combined with a secured encryption key, prevents unauthorized access to your information.
Put simply, if someone ever accessed your backup archive, both your password and encryption key are needed to decrypt your files.
The type of encryption depends on which version of the CrashPlan app you are using. There are two possible types:
- Advanced Encryption Standard (AES): AES is an open source algorithm adopted by the National Institute of Standards and Technology (NIST) as the standard for electronic data encryption, and is used by businesses worldwide.
- Blowfish: Blowfish is a freely available, documented, and open method of encrypting data. It is used by a wide range of encryption products.
|Product||CrashPlan app Version||Encryption Algorithm|
|Code42 for Enterprise||4.6.x and later||AES|
|4.2.x and earlier||Blowfish|
The strength of the keys used to encrypt your files depends on which product you are using.
|Product||Encryption Algorithm||Key Strength|
|Code42 for Enterprise||
* Blowfish and AES key strength cannot be directly compared due to a difference in block sizes.
No, existing backups do not need to start over. A single archive can contain AES-encrypted data and Blowfish-encrypted data. Once AES is enabled, new files and versions are backed up with AES encryption.
If a backup contains both Blowfish and AES encrypted data, are two encryption keys required?
No. Only one encryption key exists for backup archives containing both Blowfish-encrypted data and AES-encrypted data. The first 256-bits of the encryption key are honored when restoring data encrypted with AES, and the full 448-bits are used when restoring data encrypted with Blowfish.
You can access your encrypted files by restoring them from the CrashPlan app or CrashPlan web app. The CrashPlan app will decrypt your files using your encryption key. The method the CrashPlan app uses to access your encryption key depends on how you restore your files and your security settings. Learn more about how file decryption works during restores.
Archive encryption key options and storage
The CrashPlan app offers three options for securing the archive encryption key for your backup. The answer depends on your Archive Encryption setting.
- Standard encryption (default): When you install the CrashPlan app, an encryption key is securely generated for your account. The key is escrowed on Code42's servers for authentication during web restores and installations on new devices.
- Archive key password: The key generated by the CrashPlan app is secured with a secondary password, known as your archive key password. Only the secured key is stored on Code42's servers for authentication during web restores and installations on new devices.
- Custom key: The original encryption key generated by the CrashPlan app is replaced with an encryption key you choose. Code42's servers never escrow the encryption key when using a custom key. This means that if you lose or forget your encryption key, your backup data cannot be restored and our Customer Champions cannot assist with recovery.
The default settings satisfy the security needs for most users. However, you may want to consider upgrading your security settings if any of the following apply:
- Your devices are highly mobile and/or are frequently at risk of exposure or theft
- Your devices contain highly-sensitive business or medical information
- Your devices must comply with medical or legal regulations that require an increased level of security
Increasing the security setting for your account trades ease of use for enhanced archive security. Each additional level of protection also comes with risks and an increased need for password management. Please review your options carefully before upgrading your security.
Yes, the encryption key remains the same. If you use the default security option, then your encryption key is relocked with your new account password when your password is changed. If you use either the archive key password or custom key option, then changing your account password has no effect on how your encryption key is secured.
Refer to our detailed description for each security option in the Archive Encryption Key Security article for information on where your encryption key is stored.
- Standard encryption: Upon reinstalling the CrashPlan app, your configuration settings are pulled from our server, including your secured key. Your account password is used to unlock the encryption key that allows you to restore.
- Archive key password: Upon reinstalling the CrashPlan app, your configuration settings are pulled from our server, including your secured key. You are then prompted for your archive key password before restoring. The archive key password is used to unlock the encryption key that allows you to restore.
- Custom key: Upon reinstalling the CrashPlan app, you must provide your custom key. You must also provide your custom key in order to restore.
Upgraded security details
Archive key password
- Your account password is the password you entered when you installed the CrashPlan app. Combined with your email address, it links all the computers on your account together. You can update your Security settings to require your account password to access the CrashPlan app. Your account password is also required when accessing the CrashPlan web app.
- An archive key password is an additional layer of security used to secure your archive encryption key. If you upgrade your security to archive key password, you must enter your archive key password before you can restore files. The archive key password is not stored on Code42's servers. If you choose to use the web restore feature, the password is sent to Code42's servers and temporarily used to gain access to your archive key, but the password is not persisted on Code42's servers.
You can reset your account password at any time. However, our Customer Champions cannot retrieve or restore the archive key password for you if you lose it.
Your files are not actually encrypted with the archive key password or account password. Those passwords act as a way to lock or protect your encryption key. So if you change your archive key password, your data doesn’t need to be re-encrypted and your backup doesn’t need to start over. Rather, your encryption key is simply re-locked with the new archive key password. Your data encryption key never changes.
Imagine you have your keys to your car locked in a safe. The archive key password is the key to the safe, not the keys to the car. You can still restore versions of files encrypted with the original archive key password and you don't need to start your backup over.
For versions 3.6.1 and later, you have the option to enable an archive question. An archive question can be used to reset the archive key password in the event that the existing password is lost or forgotten. If you do not enable the archive question, or you are unable to answer the question correctly, then there is absolutely no way to help you recover the archive key password needed to restore your files. Our Customer Champions cannot help you recover an archive key password. Learn more about your password and account recovery options.
Yes. Enabling the archive key password option affects ALL of the computers on your account. Setting the archive key password on one computer sets the same archive key password for all your computers. You need to enter this archive key password on all the computers in your account.
Because you are changing the encryption key used to encode your data, your backup must start over if you upgrade to the custom key security option, or if you change your custom key.
There is absolutely no way for Code42 to recover your custom key. If you forget or lose your custom key, you must start over with a new account. Learn more about account recovery.
Enabling custom key security impacts ALL of the computers on your account. However, you can choose to use a different custom key for each computer.
Once your files are encrypted and secured with the security method of your choice, your backup transmission is sent to your destinations using 128-bit AES in-transit encryption.
Yes, it is transferred securely with the same encryption technology used to encrypt files during backup. The key itself is also locked or encrypted.
Policies, certifications, and compliance standards
Code42 ensures and monitors appropriate ISO27001 or SSAE16 certifications for its cloud data centers, and is an ISO27001-certified organization. Code42 continually strives to keep pace with evolving industry security standards.
Archive encryption and encrypted disks
The CrashPlan app supports encrypted files, folders, drives, and filesystems that are run at a system level. In other words, they are not being configured and run in a user space. Learn more about backing up encrypted files and locations.