Overview
CrashPlan supports managing encryption keys using an external keystore. When integrated with Azure Key Vault, encryption keys are stored securely outside of CrashPlan.
Key characteristics:
- Encryption keys are stored per user
- The keystore is isolated from backup data
- Azure Key Vault is accessed through a proxy for this integration
Keystore Types
CrashPlan supports two types of keystores:
- CrashPlan vault (default)
- Self-administered Vault (HashiCorp)
- Self-administered Vault (Azure)
NOTE:
Azure Key Vault is used as a self-administered keystore through custom integration.
Access Keystore Settings
- Sign in to the CrashPlan console.
- Navigate to Administration → Environment → Keystore
Configure or Edit Keystore
- Sign in to the CrashPlan console.
- Navigate to Administration → Environment → Keystore
- Click the Settings icon and then select Edit Keystore
Provide the following details:
- URL:
  - Must use HTTPS (https://<vault-name>.vault.azure.net)
  - Must include hostname and port (if applicable)
  - Must not include path
- Certificate:
  - Upload a .pfx or .p12 file
  - Certificate must authenticate successfully
For Azure Key Vault integration:
- URL = Proxy endpoint
- Certificate = Proxy client cert
- Click Continue and then confirm by selecting Are you Sure?
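A pre-flight check for the URL and certificate rules above, as an added example that is not part of CrashPlan's documentation or tooling. The function names and the proxy host name are hypothetical; the script checks only the form of the values, not connectivity or authentication, which the console validates.

```python
from urllib.parse import urlsplit

CERT_SUFFIXES = (".pfx", ".p12")  # the two certificate formats the page accepts


def check_keystore_url(url):
    """Return a list of rule violations for a keystore URL (empty list = OK)."""
    try:
        parts = urlsplit(url.strip())
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("hostname is missing")
    # Strict reading of "must not include path": even a trailing "/" is flagged.
    if parts.path:
        problems.append(f"path is not allowed: {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    # Assumption (not a rule from the page): reject embedded credentials.
    if parts.username or parts.password:
        problems.append("credentials must not be embedded in the URL")
    return problems


def preflight(url, cert_filename):
    """Check the URL and the certificate file name before using the console form."""
    problems = check_keystore_url(url)
    if not cert_filename.lower().endswith(CERT_SUFFIXES):
        problems.append("certificate must be a .pfx or .p12 file")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the host name is a placeholder, not a real endpoint.
    samples = [
        ("https://keyvault-proxy.example.internal:8443", "proxy-client.pfx"),
        ("http://keyvault-proxy.example.internal:8443", "proxy-client.pfx"),
        ("https://keyvault-proxy.example.internal:8443/v1/keys", "proxy-client.pem"),
    ]
    for url, cert in samples:
        print(url, cert, preflight(url, cert) or "OK")
```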
Update Keystore
To modify an existing keystore configuration:
- Navigate to Administration → Environment → Keystore
- Select Edit Keystore
- Update the required fields:
  - URL and/or certificate
- Save changes.
CrashPlan will automatically validate:
- Connectivity
- Authentication
Migration to Azure Keystore
Steps:
- Sign in to the CrashPlan console
- Navigate to Administration → Environment → Keystore
- Click on Settings and then select Migrate Keystore
Provide:
- New URL (proxy endpoint)
- Certificate
- Start migration.
Using Azure Key Vault as an external keystore improves security by isolating encryption keys from backup data.
Proper configuration, validation, and monitoring are essential to ensure uninterrupted operation.