Overview
The CrashPlan app encrypts all file data before it leaves endpoint devices for storage in CrashPlan backup archives. No one can decrypt a user's backed up files without that user's archive encryption key.
This article provides guidance for administrators about the three options for encryption key settings for backup archives. In almost all cases, administrators should use the default option and lock it so that users cannot change it.
For users seeking to change the encryption key setting in the CrashPlan app, see:
- Enable archive key password security for CrashPlan backups
- Enable custom key security for CrashPlan backups
Step 1: Choose an encryption key option
There are three options for securing backup archive encryption keys:
- Account password: Users enter their account password to restore data. Administrators can reset passwords for users. Administrators with proper permissions can also access users' backed up data.
- Archive key password: Users choose a separate password to protect the encryption key. Administrators cannot access users' backed up data.
- Custom key: Users supply their own encryption key. Administrators cannot access users' backed up data. This option offers the greatest protection against unauthorized access to backed up data, but also entails the greatest risk of losing the backed up data.
More details for each option are provided below.
Option 1: Account password (standard)
In the CrashPlan console, this option is labeled Standard. In the CrashPlan app, it's labeled Account password.
This is a secure, simple option and is the best choice for most situations. With this option, CrashPlan automatically generates the archive encryption key, and it is protected by the user's account password.
This option provides multiple layers of safety, including:
- No user data can be restored or decrypted without the account owner's CrashPlan username and password.
- Administrators with proper permissions can reset usernames and passwords, and decrypt and restore user data.
- The CrashPlan app encrypts file data with the AES-256 algorithm, the standard adopted by the U.S. National Institute of Standards and Technology (NIST).
- CrashPlan client-server communications use signed certificates and TLS security.
- CrashPlan stores the keys in a dedicated keystore, separate from all other user and administrative data.
- Administrators may further secure keys by storing them in their own private keystore.
Option 2: Archive key password
With this option, CrashPlan automatically generates the archive encryption key, but it is protected by an additional user-created password that is separate from the account password. This prevents administrators from being able to access the backed up files.
- Users choose a separate archive key password to protect the encryption key.
- The backup encryption key is encrypted by the archive key password, and only the user's archive key password can decrypt it.
- Users can also create a recovery question and answer. This allows users to reset the archive key password if they lose or forget it.
- The same archive key password protects all backup archives for all devices on a user's CrashPlan account.
- Only the user/owner has access to the password, the recovery answer, and the encryption key.
They are stored on the CrashPlan cloud, but are hashed and encrypted.
Warnings and limitations
- Users must configure and remember passwords and recovery answers.
- Returning to the Standard setting requires starting over with new account names and new backups.
- CrashPlan administrators cannot restore user data.
Option 3: Custom key
With this option, the user supplies the encryption key. This gives the user complete control over access to the backup archive.
- Users define their own data encryption keys before data leaves their devices.
- Only the owner/user has the key.
- Users can define unique keys for each of their devices.
- CrashPlan does not store the key anywhere outside a user's device.
Warnings and limitations
This option comes with all the same warnings as the archive key password option above. In addition:
- Custom keys pose the greatest risk of users losing their backed up data.
- When you implement the custom key setting for a device, CrashPlan deletes any existing backup for that device. A new backup archive starts from scratch.
- No backup activity occurs for the device until the user defines the new key.
- If a user loses the key for a device, that backup data cannot be recovered.
- CrashPlan has no way to recover a lost custom key.
- A custom key cannot be reset.
- The only recourse for a lost key is to change the account name and start a new backup.
Step 2: Implement an encryption key option
Change settings for individual devices
The instructions below describe settings for organizations. You can also set options for individual devices. In the CrashPlan console, select the device, then edit its backup settings.
Option 1: Lock the standard account password option
The default archive encryption key setting is Standard. But until you lock it, users can change this setting in the CrashPlan app. You should always lock this setting.
To lock this setting:
- Sign in to the CrashPlan console.
- Go to Administration > Environment > Organizations.
- Select your CrashPlan environment's top-level organization.
The organization details view opens. - From the action menu in the upper-right, select Device Backup Defaults...
- Select Security.
- Uncheck Use default archive encryption key setting.
- Make sure Standard is selected.
- Click the lock icon .
- In the confirmation dialog, select All organizations, I understand, and OK.
The standard archive encryption key setting is now locked for all your organizations. Users cannot change it. Existing devices do not revert to standard
Any device or child organization already set to Archive key password or Custom key retains that setting. The steps above cannot revert an organization or device to the Standard setting. - Click Save.
In the CrashPlan app, users can view the current value, but are no longer allowed to change this setting.
Option 2: Require an archive key password
- Sign in to the CrashPlan console.
- Go to Administration > Environment > Organizations.
- Select an organization.
The organization details view opens. - From the action menu in the upper-right, select Device Backup Defaults...
- Select Security.
- Uncheck Use default archive encryption key setting.
- Select Archive key password.
- Click the lock icon .
- In the confirmation dialog, select All organizations, I understand, and OK.
- In the second confirmation dialog, read and acknowledge the warnings, click OK.
Archive key password now applies to all devices in this organization and its child organizations.
Custom key does not revert to archive key password
Any device or child organization already set to Custom key retains that setting. The steps above cannot revert an organization or device to the Archive key password setting. - Advise users to open the CrashPlan app on their desktops.
The CrashPlan app prompts the user to provide a password, a reset question, and an answer.
Option 3: Require a custom key
- Sign in to the CrashPlan console.
- Go to Administration > Environment > Organizations.
- Select an organization.
The organization details view opens. - From the action menu in the upper-right, select Device Backup Defaults...
- Select Security.
- Uncheck Use default archive encryption key setting.
- Select Custom Key.
- Click the lock icon .
- In the confirmation dialog, select All organizations, I understand, and OK.
- In the second confirmation dialog, read and acknowledge the warnings, click OK.
Custom key now applies to all devices in this organization and its child organizations.
- Advise users to open the CrashPlan app on their device.
The CrashPlan app prompts users to define an encryption key. They may:- Import a key from a file.
- Paste a key from the clipboard.
- Enter a passphrase
- Let the CrashPlan app generate a key.
Tell users to save their keys
Impress upon each user the importance of copying the key to a safe place. If a user loses the key, the user's backup data is lost as well.