Archive encryption key security: Advice for users

This article applies to CrashPlan Enterprise and MSPs.png


CrashPlan app encrypts all user data before it leaves endpoint devices for storage in CrashPlan backup archives. No one can decrypt a user's data without that user's archive encryption key. To protect the keys, CrashPlan offers three levels of security. For users of CrashPlan apps, this article describes whether and how to implement the two advanced levels. However, it is best to keep the default, standard level of security if an advanced level is not necessary.

Administrators of CrashPlan environments are encouraged to see another article about administrative decisions and controls regarding archive encryption keys.

Before you begin

Your administrator may have already configured your CrashPlan app to use advanced key security. In that case, the next time you open your CrashPlan app on your desktop, it prompts you to define your credentials. For instructions, see either:

Step 1: Consult your administrator

Do not change the security settings in your CrashPlan app without first consulting the administrator of your CrashPlan environment. The advanced security settings may not be suitable for your CrashPlan environment.

In addition, your administrator may lock the security settings so that you cannot change them. To learn if that is the case:

  1. Open the CrashPlan app on your desktop.
  2. Select settings icon.png Settings.
  3. Select Security.
  4. Look for a button labeled Upgrade.
    If you do not see the Upgrade button, you are not allowed to change the security for your archive encryption key. Consult your CrashPlan environment administrator.
    Archive Key Upgrade.png

Step 2: Choose a security option

To protect the encryption keys for your backup archives, CrashPlan offers three levels of security, summarized below. For more detailed comparison of the options, and for further warnings about their risks, see the information for administrators.

Option 1: Account password security (default configuration) 

User data cannot be decrypted and read without the archive encryption key. The data owner gets the key by supplying the  account name and password. Administrators of the CrashPlan environment also have access to the key, and so to your backed-up data.

Keep the default security option
The standard, default security option allows administrators to help users recover data. The other two options lock administrators out of user data. Keep the default option and lock the security setting so that users cannot change it.

Option 2: Archive key password security

You create a private password, known only to you, that protects your encryption key. The key is encrypted before it is stored on the CrashPlan server. Administrators cannot read your key or your backed-up data. You also define a recovery question and answer to help you when you forget your password.

Option 3: Custom key security

You define your encryption key. That key never leaves the device where it is created. If you lose that key, your backed up data is also lost. There is no way to recover it.

Step 3: Implement a security option

Follow the links below for instructions about implementing advanced security.

  • You cannot revert to standard password security: Once you set any one of your CrashPlan apps to use advanced key security (options 2 or 3 below), there is no reversing the process. The only way to resume the standard account password security is to discard all of your backup data and start over.
  • The settings affect all your devices: When you change the security setting at one CrashPlan app, you change it for all of the devices that back up data to your CrashPlan account.

Option 1: Account password security

The standard option is configured by default for security purposes. 

Option 2: Archive key password security

Follow the instructions at Enable custom key security for CrashPlan backups.

Option 3: Custom key security

Follow the instructions at Enable custom key security for CrashPlan backups.

Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more