Skip to main content
Contact Support

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Upgrade Vault

  1. Last updated
  2. Save as PDF

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, yes.

Overview

Code42 cloud environments may be configured to store users' encryption keys in the your own private external keystore, rather than in Code42's keystore. The external keystore that Code42 supports is Vault, a third-party application specifically built to secure secrets.

This article provides information about steps you must perform before upgrading your private, self-administered Vault server to a newer version.

Let Code42 manage your keys
Instead of managing your encryption keys in Vault, Code42 can manage your keys for you. See How Code42 handles your encryption keys for file backup for details. For more information, contact your Customer Success Manager (CSM).
Vault is not a Code42 product
Our Technical Support Engineers can assist you with migrating your keystore to your private, self-administerd Vault. Technical Support Engineers cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Vault, consult the Vault documentation.

Affects

This article serves Customer Cloud Administrators who have an existing Vault server installed and configured to store Code42 encryption keys. To learn more about why and how to create a Vault, see:

Considerations

Vault versions

  • The latest version of Vault is available from the Vault downloads page. Previous versions are available from the Vault releases page
  • Vault 0.10.2 is tested and compatible with the Code42 cloud. 
Upgrading from Vault 0.7.2 or earlier

Versions 0.7.2 and earlier did not enforce certificate expiration. If you upgrade Vault without the new certificate, and your old certificate is expired, you may get locked out of Vault and lose your keys.

Therefore, if you are upgrading from version 0.7.2 or earlier, it is critical that you follow the steps below in the order presented. Before upgrading, first create and install a new administrator certificate at the existing Vault, and then migrate the Vault keystore to your Code42 environment, as described below.

Vault uses two certificates

A Vault server connecting with the Code42 cloud uses two CA-signed SSL certificates:

  • Your Vault domain certificate secures your Vault server's domain (for example, vault.example.com). It provides encryption for all communications between Vault and the Code42 cloud. It's the same process at work in most HTTPS connections between clients and servers.
  • Your Vault user/administrator certificate authenticates the user of your Vault server who administers your Code42 cloud key storage. Your Vault server uses this certificate to authenticate and authorize requests from your Code42 cloud organization.

Steps

Step 1: Ensure your certificate is up-to-date

You should choose a certificate that expires no more than once a year. Renew your certificate well before the expiration date, else Vault will stop working.

If you need a new certificate, create a new CA-signed certificate that meets these specifications:

  • Get a signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
  • The certificate must match the domain name where your Vault server listens for requests.
  • Package the CA's reply in a PKCS12 file, also called a *.PFX or *.P12 file.
  • The maximum file size is 5 mb.
New certificate required if upgrading from Vault 0.7.2 or earlier
If you are upgrading from 0.7.2 or earlier, you must obtain a new certificate before preceding.

If you do not need to renew your certificate, proceed to Step 4.

Step 2: Import the new certificate to Vault

If you obtained a new certificate, import the new certificate into Vault. Configure Vault to use that certificate to authenticate requests from your Code42 environment.

Step 3: Upload the certificate to your Code42 environment

If you obtained a new certificate, provide the certificate file and its password to the Code42 cloud as described in Migrate keys to a new keystore.

Step 4: Upgrade your backend storage software

Vault is a front-end for a storage application, typically Consul. Before upgrading Vault, upgrade that storage software.

Step 5: Download  and install a newer version of Vault

Download the latest version of Vault from the Vault downloads page. Previous versions are available from the Vault releases page

For upgrade instructions, see the Vault upgrade documentation.

External resources

For additional help, see the following Vault documentation

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
    Available in CrashPlan Cloud
    No
    Available in other/on-premises product plans
    No
    Available in Incydr Basic and Advanced
    Yes
    Available in Incydr Pro, Enterprise, and Horizon
    No
    Available in Instructor
    No
    Available in Code42 CrashPlan Premium
    Yes
    Available in Code42 CrashPlan Standard
    Yes
    Available in CrashPlan for Small Business
    No
    Stage
    Final
  2. Tags
    1. deployment:cloud
    2. External keystore
    3. security
    4. Vault