Skip to main content
Contact Support
Code42 Support

Archive encryption key security

  1. Last updated
    15:31, 11 Aug 2017
  2. Save as PDF

Available in:

StandardPremiumEnterprise
Small Business
Applies to:

Overview

Code42 for Enterprise encrypts your data with a key that is unique to your account. You or your administrator can choose how to secure this key. This article contains an in-depth summary of each of the encryption key security settings.

See the Definitions section below if you are uncertain about the terms used in this article.

How account encryption-key security works

Code42 for Enterprise encrypts your backup files before sending data to your backup destinations. All backup archives are encrypted with AES 256-bit encryption. The method used to secure your encryption key depends on your Security preferences. The options include:

Enhanced security considerations

  • By upgrading your encryption key security option to either archive key password or custom key, you reduce the likelihood that an unauthorized person could restore the data in your backup archive. However, without careful management, upgrading your security also increases the likelihood that you too will be unable to restore the data. Review each setting carefully before upgrading your security.
  • Once upgraded to either of the enhanced security options, you can never downgrade your security setting. Your administrator cannot downgrade your security either. This prevents someone from recovering your lost or stolen device and using the Code42 app to downgrade your security.
  • Your administrator may choose to lock the security setting so that you cannot upgrade your security settings.
Security setting applies to all devices on your account

The security setting for your archive encryption key applies to all of the devices on your account. The setting will also apply to devices you add to your account in the future.

Options at a glance

The following table compares the available security settings for your encryption key. If you are uncertain about the terms used in the table, see the Definitions section below .

Security Account Password (Default) Archive Key Password Custom Key
Data encryption AES-256 AES-256 AES-256
Level of data privacy Strong Stronger Strongest
Risk of being unable to restore files Low

Medium (with recovery question enabled)

High (without recovery question enabled)

High:

  • Key is nearly impossible to commit to memory
  • Key cannot be recovered by administrator
Requires restarting backup after upgrading? No No Yes
Secured key stored on an authority server or external keystore? Yes Yes No
Information needed to restore from the Code42 app and administration console Account password Account password and archive key password Account password and custom encryption key
Information needed to restore from CrashPlan mobile app Account password Account password and archive key password Account password and custom encryption key
Devices on your account Single account password and encryption key for all devices Single account password, encryption key, and archive key password for all devices Single account password; individual devices may have a unique encryption key
Information required for new installations Account password Account password and archive-key password Account password and custom key
Administrator can access backup archive? Yes No No

Account encryption key security options

Account password

Your account password is the default method for securing your encryption key. It is the simplest method to use, and it offers a good balance between security and ease of use. Using this method, you can access and restore files from the Code42 app, the CrashPlan mobile app, and the administration console by supplying your account password.

Account password recovery

You can reset your account password at any time without impacting your encryption key or your ability to restore data.

Technical notes

Consideration Details
Configuration

Account password is the default account encryption key security option.
Key creation

Encryption key is generated the first time you install the Code42 app.
Management requirements
  • You only need to manage a single password.
  • You can access and restore files from the Code42 app, the CrashPlan mobile app, and the administration console by supplying your account password.
  • With this option, there is a low risk of losing your ability to restore files.
Key security & storage

Encryption key is escrowed on the authority server or external keystore for web restores and for installations on new devices.
Key storage for mobile devices
CrashPlan mobile app only
  • Encryption key is not stored on the device.
  • Secured key is sent from the authority server during the sign-in process.
  • Secured key is stored in the device's memory only while the CrashPlan mobile app is in the foreground and user is signed in.
Web restore key access

Encryption key is escrowed on the authority server for decryption.
Administrator access

Administrators can access files backed up to cloud destinations without knowing the user's account password.

Archive key password

When you enable the archive key password option, you change how the encryption key is secured, but the encryption key itself doesn't change. Instead of securing the encryption key with your account password, you are choosing to secure the key with an additional password, called an archive key password. Only the secured encryption key is stored on the authority server or external keystore for your Code42 environment.

An archive key password applies to all devices included on an account. You cannot have separate archive key passwords for separate devices on a single account.

Read our tutorial on upgrading security to the archive key password setting for more information.

Archive key password recovery

If you forget your archive key password, you can reset it if you previously configured a recovery question. If you did not configure a recovery question, or you do not know the answer to your recovery question, then there is no way to reset your archive key password.

Lost archive key password
The Code42 Customer Champion team and your administrator have no way to help you recover an archive key password or recovery question. You will be unable to restore files.

Recovery question

A recovery question is an optional feature of the archive key password security option. A recovery question can be used to reset the archive key password in the event that the existing archive key password is lost or forgotten.

Setting The Recovery Question
You must know your existing archive key password in order to set the recovery question. The question cannot be set if the archive key password has already been lost or forgotten. The Code42 Customer Champion team and your administrator cannot set a recovery question for you, or recover the answer to your recovery question in the event that you lose or forget it.
How It Works
  • The question is stored on the authority server or external keystore as plain text so that it can be displayed in the Code42 app.
  • A salted and hashed version of the answer is stored on the authority server or external keystore.

If you lose or forget your archive-key password and have a recovery question enabled, you can answer your recovery question to reset your archive-key password.

  1. The Code42 app presents you with the recovery question.
  2. The Code42 app salts and hashes the answer you supply and compares it against the salted and hashed version stored on the authority server or external keystore.
  3. If the supplied answer matches the stored answer, you can enter a new archive key password.
  4. The secure key stored on the authority server or external keystore is updated with the new archive key password.

Technical notes

Consideration Details
Configuration

Archive key password is an enhanced encryption key security option.
Key creation
  • Encryption key is generated the first time you install the Code42 app.
  • Your encryption key remains the same when you upgrade security to archive key password.
Management requirements
  • You must manage two passwords.
  • You increase the risk of not being able to restore files (if you forget your archive key password).
  • You can change your archive key password at any time without affecting backup data.
  • Restores from the Code42 app, CrashPlan mobile app, and administration console require your archive key password.
  • New installations of the Code42 app require your archive key password.
  • (Optional) You can provide a recovery question that can be used to reset your archive key password in the event that it is lost or forgotten.
Key security & storage

  • The plain-text of the archive encryption key is not saved to the authority server. The key is itself encrypted with your archive key password. That encrypted version of the key (called the secured key) gets saved to the authority server or external keystore.

  • The secured key is decrypted for web restores and new devices only when the user provides the archive key password. 
Key storage for mobile devices
CrashPlan mobile app only
  • Encryption key is not stored on the device.
  • Secured key is sent from the authority server during the sign-in process and stored in the device's memory while the CrashPlan mobile app is in the foreground and you remain signed in.
  • You must enter your archive key password to restore files.
  • If you enable Remember my private password, then the archive key password is stored in the device's memory as long as you remain signed in; the key and password are both removed when you sign out.
Web restore key access
  • Encryption key is secured with your archive key password on the authority server or external keystore for web restore.
  • The archive key password is hashed and escrowed on the authority server or external keystore for decryption.
  • You must supply your archive key password to restore files.
Administrator access
  • Administrators cannot access files backed up to your destinations
  • Administrators cannot access your archive key password

Custom key

If you choose the custom-key security setting, the encryption key that was generated by Code42 for Enterprise is replaced with a custom key. This is the most secure option, but it requires the most management because you must provide the full custom key when performing:

  • Web restores
  • Mobile restores
  • Administrator restores
  • Installation of the Code42 app on new devices

With this option, you create your own encryption key that resides on your device. The custom key is never transmitted to any other locations, including the authority server or external keystore. Make sure to store a copy of your custom key someplace where it is accessible if you need to restore data, even if the source device is lost or fails.

The setting applies to all devices on your account. Any additional devices on your account will stop backing up until a custom key is entered on the device. You may choose to use unique custom keys for each device, or you can apply the same key to each of your devices.

Backup Must Start Over
When you upgrade to custom key, files backed up with your previous encryption key are deleted from your backup and cannot be restored. Your backup must start over with the new encryption key. Likewise, if you change your custom key, your backup must start over with the new encryption key.

Read our tutorial on upgrading security to custom key for more information on creating, exporting, and importing your custom key.

Custom key recovery

Lost custom key
There is no way to reset your custom key if it is lost or forgotten. The Customer Champion team and your administrator have no way to help you recover a custom key. You will be unable to restore files.

Manage your custom key

You are responsible for storing your encryption key. We recommend exporting your key to a plain text file (.txt) for safe keeping. Do not modify the file. If you must open the file, use a plain text editor such a vi, vim, emacs, nano, pico, Notepad, or TextMate. Avoid using word processors, such as Word, Wordpad, Pages, or OpenOffice Writer, which introduce additional formatting characters and may corrupt your encryption key.

Technical notes

Consideration Details
Configuration

Custom key is an enhanced encryption key security option
Key creation
  • The original encryption key generated by the Code42 app is removed from the authority server or external keystore; you can assign a custom key using the import, paste from clipboard, passphrase, or generate options in the Code42 app.
  • You can choose to assign a different custom key to each computer on your account.
Management requirements
  • Your custom key is nearly impossible to remember, and therefore the risk of not being able to restore files high (if the custom key is lost).
  • Restores from the Code42 app, CrashPlan mobile app, and administration console require your custom key.
  • New installations of the Code42 app require your custom key.
  • You must start a completely new backup after upgrading to this security option; files backed up prior to upgrading are deleted from backup archives.
Key security & storage
  • Encryption key exists only on source device.
  • Your custom key is never cached at any remote location.
Key storage for mobile devices
CrashPlan mobile app only
  • Custom key is only stored on your device if you enable Remember my custom key.
  • Custom key is removed when you sign out of the app.
Web restore key access
  • You must supply your custom key in order to restore files.
  • The custom key is held in memory for the purpose of restoring files; it is never written to disk.
  • The custom key is flushed from memory once files are restored.
Administrator access
  • Administrators cannot access files backed up to your destinations.
  • Administrators cannot access your custom key.

Transmission security

Once your files are encrypted and secured with the encryption key method of your choice, the Code42 app transmits your backups to your destinations using a TLS-based communications encryption protocol and a 128-bit AES cipher.

Definitions

The terms below are used throughout this article.

account password

Password used to access the Code42 app and administration console.

archive key password

Password supplied when the archive key password option is enabled for archive encryption. If you have enabled this option, you must supply the archive key password to access files. See also account password, secured key.

authority server
The authority server is the "authority" server in any Code42 environment. Key functions of the authority server include (but are not limited to) authentication, the management of all licensing, and the storage of encryption keys. Ownership and management of the authority server depends on your environment’s deployment architecture.
custom key

Encryption key that is user-created (using the Passphrase or Generate options) and is used instead of the encryption key generated by the Code42 app. This encryption security option offers the greatest security because the custom key never leaves the source device. It also greatly increases user responsibility; there is no way to recover a backup if the custom key is lost or forgotten. Customer Champion have no way to assist with custom key recovery.

encryption key

A piece of information that a cryptographic algorithm uses to encrypt data.

external keystore

An internet service where the Code42 cloud stores encryption keys for customer data. The service is separate from and external to Code42 authority servers and storage servers. By default, the Code42 cloud uses a Vault server owned and managed by Code42. Code42 cloud customers may also create and use their own private instances of Vault.

recovery question

A recovery question is an optional feature of the archive key password security option. If your account has a recovery question and answer configured, you are able to reset the archive key password if it is lost or forgotten. When you enable the recovery question, the security of your archive key depends on both how hard it is to guess your answer and the strength of your archive key password. You can enable the recovery question feature at any time provided you know your current archive key password.

secured key

A version of a user's archive encryption key that is encrypted with the user's account password (default security) or archive key password (enhanced security).

External resources

  • AES is an open source algorithm adopted by the National Institute of Standards and Technology (NIST) as the standard for electronic data encryption, and is used by businesses worldwide. For more information on AES encryption, see this article by TechTarget.
  • Salting and hashing is a security measure used for passwords. Learn more about salting and hashing from BlackWasp.