This article provides an overview of the CrashPlan architecture. It includes diagrams that identify and illustrate how the major components of the CrashPlan cloud are organized into a comprehensive and secure solution.
The CrashPlan cloud is home to many services available by secure and standard APIs. Administrators interact with these services via the CrashPlan console.
See the diagram in the following section for information about how CrashPlan's cloud architecture handles file preservation.
The CrashPlan app can identify file changes in selected files, break the files into blocks, and encrypt the blocks on the endpoint. It then transmits the blocks over an authenticated TLSv1.2 channel to file content storage in the CrashPlan cloud, thereby preserving and archiving the original file contents.
Extended cloud architecture
The CrashPlan cloud is extensible and integrates with other cloud services. The CrashPlan cloud:
- Supports SAML 2.0 protocol for single sign-on.
- Supports SCIM for synchronizing directory updates and automated provisioning.
Access to preserved files
The CrashPlan app securely maintains a unique encryption key on each user's computer that is used to encrypt file contents before sending them for storage in CrashPlan cloud archives. The same encryption key decrypts the files when they are restored from archives. A copy of the encryption key is held in escrow in CrashPlan's keystore for limited use cases. For more information, see How CrashPlan handles your encryption keys for file backup.
During a typical session when the CrashPlan app sends files to the CrashPlan cloud for storage in an archive, the CrashPlan app identifies changes to files on the computer, organizes those changes into blocks, compresses the blocks, and encrypts the blocks using the encryption key stored on the computer on which the CrashPlan app is installed.
The encryption key is stored on the endpoint in a fashion that is only readable by the CrashPlan app. The encryption key is automatically removed when the user or computer is deauthorized via the CrashPlan console.
The CrashPlan app then transmits the encrypted blocks over an encrypted TLS channel to the storage service in the CrashPlan cloud. When the encrypted blocks arrive in storage in the CrashPlan cloud, the blocks are appended to the archive in the opaque encrypted form in which they were transmitted.
Once the files are in the CrashPlan cloud, access to encrypted files is only available through authenticated sessions with the storage service. Non-administrative users are only authorized to access their own archives and only through an authenticated CrashPlan app connection with storage services.
The CrashPlan app (also known as the "agent") executes as a service on the endpoint. It consumes platform or operating system APIs to preserve files. Data collected by the agent is transmitted to the CrashPlan cloud. There are no kernel or system drivers, browser extensions, or special group policies to deploy.