Encryption key options for backup archives (CrashPlan)

Overview

The CrashPlan app encrypts all file data before it leaves endpoint devices for storage in CrashPlan backup archives. No one can decrypt a user's backed up files without that user's archive encryption key.

This article provides guidance for administrators about the three options for encryption key settings for backup archives. In almost all cases, administrators should use the default option and lock it so that users cannot change it.

For users seeking to change the encryption key setting in the CrashPlan app, see:

Step 1: Choose an encryption key option

There are three options for securing backup archive encryption keys:

  1. Account password: Users enter their account password to restore data. Administrators can reset passwords for users. Administrators with proper permissions can also access users' backed up data. 
  2. Archive key password: Users choose a separate password to protect the encryption key. Administrators cannot access users' backed up data.
  3. Custom key: Users supply their own encryption key. Administrators cannot access users' backed up data. This option offers the greatest protection against unauthorized access to backed up data, but also entails the greatest risk of losing the backed up data.

More details for each option are provided below.

Option 1: Account password (standard)

In the CrashPlan console, this option is labeled StandardIn the CrashPlan app, it's labeled Account password.

This is a secure, simple option and is the best choice for most situations. With this option, CrashPlan automatically generates the archive encryption key, and it is protected by the user's account password.

This option provides multiple layers of safety, including:

  • No user data can be restored or decrypted without the account owner's CrashPlan username and password.
  • Administrators with proper permissions can reset usernames and passwords, and decrypt and restore user data.
  • The CrashPlan app encrypts file data with the AES-256 algorithm, the standard adopted by the U.S. National Institute of Standards and Technology (NIST).
  • CrashPlan client-server communications use signed certificates and TLS security.
  • CrashPlan stores the keys in a dedicated keystore, separate from all other user and administrative data.
  • Administrators may further secure keys by storing them in their own private keystore.

Option 2: Archive key password

With this option, CrashPlan automatically generates the archive encryption key, but it is protected by an additional user-created password that is separate from the account password. This prevents administrators from being able to access the backed up files.

  • Users choose a separate archive key password to protect the encryption key.
  • The backup encryption key is encrypted by the archive key password, and only the user's archive key password can decrypt it.
  • Users can also create a recovery question and answer. This allows users to reset the archive key password if they lose or forget it.
  • The same archive key password protects all backup archives for all devices on a user's CrashPlan account.
  • Only the user/owner has access to the password, the recovery answer, and the encryption key.
    They are stored on the CrashPlan cloud, but are hashed and encrypted.
Warnings and limitations
  • Users must configure and remember passwords and recovery answers.
  • Returning to the Standard setting requires starting over with new account names and new backups.
  • CrashPlan administrators cannot restore user data.

Option 3: Custom key

With this option, the user supplies the encryption key. This gives the user complete control over access to the backup archive.

  • Users define their own data encryption keys before data leaves their devices.
  • Only the owner/user has the key.
  • Users can define unique keys for each of their devices.
  • CrashPlan does not store the key anywhere outside a user's device.
Warnings and limitations

This option comes with all the same warnings as the archive key password option above. In addition:

  • Custom keys pose the greatest risk of users losing their backed up data.
  • When you implement the custom key setting for a device, CrashPlan deletes any existing backup for that device. A new backup archive starts from scratch.
  • No backup activity occurs for the device until the user defines the new key.
  • If a user loses the key for a device, that backup data cannot be recovered.
    • CrashPlan has no way to recover a lost custom key.
    • A custom key cannot be reset.
  • The only recourse for a lost key is to change the account name and start a new backup.

Step 2: Implement an encryption key option

Change settings for individual devices
The instructions below describe settings for organizations. You can also set options for individual devices. In the CrashPlan console, select the device, then edit its backup settings.

Option 1: Lock the standard account password option

The default archive encryption key setting is Standard. But until you lock it, users can change this setting in the CrashPlan app. You should always lock this setting.

To lock this setting:

  1. Sign in to the CrashPlan console.
  2. Go to Administration > Environment > Organizations.
  3. Select your CrashPlan environment's top-level organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
  6. Uncheck Use default archive encryption key setting.
  7. Make sure Standard is selected.
  8. Click the lock icon settings lock icon.png.
    console security default setting locked.png
  9. In the confirmation dialog, select All organizationsI understand, and OK.
    The standard archive encryption key setting is now locked for all your organizations. Users cannot change it.
    Existing devices do not revert to standard
    Any device or child organization already set to Archive key password or Custom key retains that setting. The steps above cannot revert an organization or device to the Standard setting.
  10. Click Save.
    In the CrashPlan app, users can view the current value, but are no longer allowed to change this setting.
    app setting security locked standard.png

Option 2: Require an archive key password

  1. Sign in to the CrashPlan console.
  2. Go to Administration > Environment > Organizations.
  3. Select an organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
    console security default setting locked archive key.png
  6. Uncheck Use default archive encryption key setting.
  7. Select Archive key password.
  8. Click the lock icon settings lock icon.png.
  9. In the confirmation dialog, select All organizationsI understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, click OK.
    Archive key password now applies to all devices in this organization and its child organizations.
    console confirm archive key.png
    Custom key does not revert to archive key password
    Any device or child organization already set to Custom key retains that setting. The steps above cannot revert an organization or device to the Archive key password setting.
  11. Advise users to open the CrashPlan app on their desktops.
    The CrashPlan app prompts the user to provide a password, a reset question, and an answer.
    app create new archive key password.png

Option 3: Require a custom key

  1. Sign in to the CrashPlan console.
  2. Go to Administration > Environment > Organizations.
  3. Select an organization.
    The organization details view opens.
  4. From the action menu in the upper-right, select Device Backup Defaults...
  5. Select Security.
    console default security setting custom key locked.png
  6. Uncheck Use default archive encryption key setting.
  7. Select Custom Key.
  8. Click the lock icon settings lock icon.png.
  9. In the confirmation dialog, select All organizationsI understand, and OK.
  10. In the second confirmation dialog, read and acknowledge the warnings, click OK.
    Custom key now applies to all devices in this organization and its child organizations.
    console confirm custom key warning.png
  11. Advise users to open the CrashPlan app on their device.
    The CrashPlan app prompts users to define an encryption key. They may:
    • Import a key from a file.
    • Paste a key from the clipboard.
    • Enter a passphrase
    • Let the CrashPlan app generate a key.
    Tell users to save their keys
    Impress upon each user the importance of copying the key to a safe place. If a user loses the key, the user's backup data is lost as well.
    app enter create custom key.png
Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more