Overview
The Code42 agent encrypts all file data before it leaves endpoint devices for storage in Code42 backup archives. No one can decrypt a user's backed up files without that user's archive encryption key.
This article provides guidance for administrators about the three options for encryption key settings for backup archives. In almost all cases, administrators should use the default option and lock it so that users cannot change it.
For users seeking to change the encryption key setting in the Code42 agent, see:
Step 1: Choose an encryption key option
There are three options for securing backup archive encryption keys:
- Account password: Users enter their account password to restore data. Administrators can reset passwords for users. Administrators with proper permissions can also access users' backed up data.
- Archive key password: Users choose a separate password to protect the encryption key. Administrators cannot access users' backed up data.
- Custom key: Users supply their own encryption key. Administrators cannot access users' backed up data. This option offers the greatest protection against unauthorized access to backed up data, but also entails the greatest risk of losing the backed up data.
More details for each option are provided below.
Option 1: Account password (standard)
In the Code42 console, this option is labeled Standard. In the Code42 agent, it's labeled Account password.
This is a secure, simple option and is the best choice for most situations. With this option, Code42 automatically generates the archive encryption key, and it is protected by the user's account password. Use this option if you have an Incydr product plan.
This option provides multiple layers of safety, including:
- No user data can be restored or decrypted without the account owner's Code42 username and password.
- Administrators with proper permissions can reset usernames and passwords, and decrypt and restore user data.
- The Code42 agent encrypts file data with the AES-256 algorithm, the standard adopted by the U.S. National Institute of Standards and Technology (NIST).
- Code42 client-server communications use signed certificates and TLS security.
- Code42 stores the keys in a dedicated keystore, separate from all other user and administrative data.
- Administrators may further secure keys by storing them in their own private keystore.
Option 2: Archive key password
With this option, Code42 automatically generates the archive encryption key, but it is protected by an additional user-created password that is separate from the account password. This prevents administrators from being able to access the backed up files.
- Users choose a separate archive key password to protect the encryption key.
- The backup encryption key is encrypted by the archive key password, and only the user's archive key password can decrypt it.
- Users can also create a recovery question and answer. This allows users to reset the archive key password if they lose or forget it.
- The same archive key password protects all backup archives for all devices on a user's Code42 account.
- Only the user/owner has access to the password, the recovery answer, and the encryption key.
They are stored on the Code42 cloud, but are hashed and encrypted.
- Users must configure and remember passwords and recovery answers.
- Returning to the Standard setting requires starting over with new account names and new backups.
- Code42 administrators cannot:
- Restore user data.
- Enable endpoint monitoring of user devices.
Option 3: Custom key
With this option, the user supplies the encryption key. This gives the user complete control over access to the backup archive.
- Users define their own data encryption keys before data leaves their devices.
- Only the owner/user has the key.
- Users can define unique keys for each of their devices.
- Code42 does not store the key anywhere outside a user's device.
This option comes with all the same warnings as the archive key password option above. In addition:
- Custom keys pose the greatest risk of users losing their backed up data.
- When you implement the custom key setting for a device, Code42 deletes any existing backup for that device. A new backup archive starts from scratch.
- No backup activity occurs for the device until the user defines the new key.
- If a user loses the key for a device, that backup data cannot be recovered.
- Code42 has no way to recover a lost custom key.
- A custom key cannot be reset.
- The only recourse for a lost key is to change the account name and start a new backup.
Step 2: Implement an encryption key option
The instructions below describe settings for organizations. You can also set options for individual devices. In the Code42 console, select the device, then edit its backup settings.
Option 1: Lock the standard account password option
The default archive encryption key setting is Standard. But until you lock it, users can change this setting in the Code42 agent. You should always lock this setting.
To lock this setting:
- Sign in to the Code42 console.
- Go to Administration > Environment > Organizations.
- Select your Code42 environment's top-level organization.
The organization details view opens. - From the Actions menu in the upper-right, select Device Backup Defaults.
- Select Security.
- Uncheck Use default archive encryption key setting.
- Make sure Standard is selected.
- Click the lock icon.
- In the confirmation dialog, select All organizations, I understand, and OK.
The standard archive encryption key setting is now locked for all your organizations. Users cannot change it.Existing devices do not revert to standard
Any device or child organization already set to Archive key password or Custom key retains that setting. The steps above cannot revert an organization or device to the Standard setting. - Click Save.
In the Code42 agent, users can view the current value, but are no longer allowed to change this setting.
Option 2: Require an archive key password
- Sign in to the Code42 console.
- Go to Administration > Environment > Organizations.
- Select an organization.
The organization details view opens. - From the Actions menu in the upper-right, select Device Backup Defaults.
- Select Security.
- Uncheck Use default archive encryption key setting.
- Select Archive key password.
- Click the lock icon.
- In the confirmation dialog, select All organizations, I understand, and OK.
- In the second confirmation dialog, read and acknowledge the warnings, click OK.
Archive key password now applies to all devices in this organization and its child organizations.
Custom key does not revert to archive key password
Any device or child organization already set to Custom key retains that setting. The steps above cannot revert an organization or device to the Archive key password setting. - Advise users to open the Code42 agent on their desktops.
The Code42 agent prompts the user to provide a password, a reset question, and an answer.
Option 3: Require a custom key
- Sign in to the Code42 console.
- Go to Administration > Environment > Organizations.
- Select an organization.
The organization details view opens. - From the Actions menu in the upper-right, select Device Backup Defaults.
- Select Security.
- Uncheck Use default archive encryption key setting.
- Select Custom Key.
- Click the lock icon.
- In the confirmation dialog, select All organizations, I understand, and OK.
- In the second confirmation dialog, read and acknowledge the warnings, click OK.
Custom key now applies to all devices in this organization and its child organizations. - Advise users to open the Code42 agent on their device.
The Code42 agent prompts users to define an encryption key. They may:- Import a key from a file.
- Paste a key from the clipboard.
- Enter a passphrase
- Let the Code42 agent generate a key.
Tell users to save their keys
Impress upon each user the importance of copying the key to a safe place. If a user loses the key, the user's backup data is lost as well.
Related topics
These articles provide instructions to users setting archive encryption options in the Code42 agent: