Organizations - Device Backup Defaults - Security settings reference

Overview

This reference guide describes an organization's backup security settings. You can require users to enter their account password when opening the Code42 agent, and you can also set the security level of the archive encryption key for users' backup archives.

Video

Watch the video below for an overview of the archive encryption key settings. For more videos, visit Code42 University.

Updated Code42 console interface
Some menu and navigation items shown in this video have changed. Follow the steps in this article to navigate to these settings, then watch the video for more details.

Access device backup security settings

To view or edit device backup security settings:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > Organizations.
  3. Select an organization.
    The organization details appear.
  4. Select Actions > Device backup defaults.
  5. On the General tab, deselect Use device defaults from parent if necessary.
  6. Select the Security tab. See below for details about each setting.
  7. Click Save after making any changes.

Device backup security settings

Device Backup Default Settings - Security

Item  Description

a  Require account password to access Code42 agent
     Selected - Requires that the user enters the correct password to open the Code42 agent.
     Deselected - No password is required to open the Code42 agent.

     Require password for added security
     We strongly recommend requiring the account password to open the Code42 agent. If the device is lost, stolen, or infected with malware or ransomware, this helps protect backed-up files from being accessed or deleted by an unauthorized user.

b  Lock
     Locks this setting to prevent users from changing it in their personal settings.

c  Push
     Applies these settings to existing users in addition to new users.

d  Standard
     Users or administrators can restore files without providing an additional password (default).

e  Archive key password
     Users or administrators can restore files only by providing the correct archive key password. This additional password cannot be reset if it is forgotten or lost. By default, this password is the account password.

     Users who sign in with SSO
     Do not use the Code42 console to enable archive key password for users who sign in with SSO. Doing so prevents users from accessing their archives, resulting in data loss. Instead, make sure the Archive Encryption Key settings are unlocked, then instruct users to enable Archive key password from the Code42 agent.

f  Custom key
     Users or administrators can restore files only by providing the correct custom key. If a user forgets or loses the custom key, the user's backup data becomes unrecoverable and the key cannot be reset. Adding or changing the custom key requires users to restart their backups.

Archive encryption key considerations
  • Pushing and locking this setting simply enforces the designated security level. Locking this setting does not prevent users from changing their archive key password, for example.
  • After you have upgraded a user's security level, you cannot downgrade the security level without restarting that user's backup.

Archive encryption key summary

Below is a description of the three security options for archive key management. Refer to our encryption key article for full details and a comparison chart.

Standard encryption

Consideration Details
Configuration
  • Standard archive encryption is the default encryption key security option
Key creation
  • Encryption key is generated upon user account creation
Management requirements
  • Users have only one password to remember
  • Lowest risk of losing ability to restore files
Key security & storage
  • Encryption key is escrowed for authentication during web restores, administrator restores, and installations on new devices
Web restore key access
  • Encryption key is escrowed for decryption
Administrator access
  • Administrators can access backed up files without knowing user account password

Archive key password

Consideration Details
Configuration
  • Archive key password is an increased encryption key security option
  • Incydr requires the default archive encryption key setting: Incydr features related to endpoint file activity detection are not supported if you enable the Archive key password or Custom key encryption setting.
Key creation
  • Encryption key is generated upon user account creation
  • The encryption key remains the same when security option is changed from standard to archive key password
Management requirements
  • Users have two passwords to remember
  • Archive key password must be 8-56 characters in length
  • Increased risk of not being able to restore files if archive key password is forgotten
  • Users can change the archive key password at any time without affecting backup data
  • (Optional) Users can provide an archive question that, if answered correctly, can be used to reset the archive key password in the event that it is lost or forgotten
Key security & storage
  • The encryption key is not escrowed.
  • The encryption key is secured with the archive key password. The secured key is escrowed for authentication during web restores and installations on new devices
Web restore key access
  • The secured key is stored for authentication during web restores
  • Archive key password must be entered to restore files
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the archive key password
  • Administrators cannot access a user's archive key password
  • If the archive key password is lost, it can only be reset if an archive question was previously configured; otherwise, backup data is unrecoverable
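
The Archive key password properties listed above (the encryption key itself is unchanged, only a password-secured copy is escrowed, and the password can change without affecting backup data) match the general password-wrapped key pattern. The following is an added example of that pattern, not Code42's implementation: PBKDF2 and an HMAC-authenticated XOR mask stand in for the product's KDF and key-wrap, which this page does not describe, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 stands in for the product's KDF

def _derive(password, salt):
    """Derive a 32-byte masking key and a 32-byte MAC key from the password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def wrap_key(archive_key, password):
    """Return the 'secured key' blob; this is the only thing that gets escrowed."""
    if not 8 <= len(password) <= 56:  # length rule stated on the page
        raise ValueError("archive key password must be 8-56 characters")
    if len(archive_key) != 32:
        raise ValueError("this example wraps 32-byte keys only")
    salt = secrets.token_bytes(16)  # fresh salt, so the mask is never reused
    mask, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(archive_key, mask))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap_key(blob, password):
    """Recover the archive key; a wrong password fails the MAC check."""
    mask, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise PermissionError("wrong archive key password; key stays sealed")
    return bytes(a ^ b for a, b in zip(blob["ct"], mask))

def change_password(blob, old, new):
    """Re-wrap the same archive key; no backup data is re-encrypted."""
    return wrap_key(unwrap_key(blob, old), new)

def demo():
    archive_key = secrets.token_bytes(32)  # constructed sample key
    escrowed = wrap_key(archive_key, "first-passphrase")
    rotated = change_password(escrowed, "first-passphrase", "second-passphrase")
    try:
        unwrap_key(rotated, "first-passphrase")
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return {
        "same_key_after_change": unwrap_key(rotated, "second-passphrase") == archive_key,
        "old_password_rejected": old_rejected,
    }
```

In this model a server that holds only the blob from `wrap_key` cannot recover the archive key, which is why a lost password with no reset path leaves the backup data unrecoverable.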

Custom key

Consideration Details
Configuration
  • Custom key is the highest upgraded encryption key security option
  • Incydr requires the default archive encryption key setting: Incydr features related to endpoint file activity detection are not supported if you enable the Archive key password or Custom key encryption setting.
Key creation
  • The original encryption key generated upon account creation is removed and is replaced with a custom encryption key
  • Users can choose to assign and manage a different custom key for each device
Management requirements
  • The custom key is nearly impossible to remember, with increased risk of not being able to restore files if the custom key is lost
  • Users must start a completely new backup after upgrading to this security option; files backed up prior to upgrading are deleted from backup archives
  • Web restore, new installations, and push restores require the custom key
Key security & storage
  • Encryption key exists only on source computer
  • The custom key is never cached at any remote location
Web restore key access
  • User must supply the custom key in order to restore files
  • The custom key is held in memory for the purpose of restoring files; it is never written to disk
  • The custom key is flushed from memory once files are restored
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the custom key
  • Administrators cannot access users' custom keys