Upgrade Vault

This article applies to CrashPlan Enterprise and MSPs.

Overview

CrashPlan cloud environments may be configured to store users' encryption keys in your own private external keystore, rather than in CrashPlan's keystore. The external keystore that CrashPlan supports is Vault, a third-party application specifically built to secure secrets.

This article provides information about steps you must perform before upgrading your private, self-administered Vault server to a newer version.

 Let CrashPlan manage your keys

Instead of managing your encryption keys in Vault, CrashPlan can manage your keys for you. See How CrashPlan handles your encryption keys for file backup for details. For more information, contact your Customer Success Manager (CSM).

 Vault is not a CrashPlan product

Our technical support engineers can assist you with migrating your keystore to your private, self-administered Vault. CrashPlan technical support cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Vault, consult the Vault documentation.

Affects

This article serves Customer Cloud Administrators who have an existing Vault server installed and configured to store CrashPlan encryption keys. To learn more about why and how to create a Vault, see:

Considerations

Vault versions

  • The latest version of Vault is available from the Vault downloads page. Previous versions are available from the Vault releases page.
  • Vault 0.10.2 is tested and compatible with the CrashPlan cloud.

Upgrading from Vault 0.7.2 or earlier

Versions 0.7.2 and earlier did not enforce certificate expiration. If you upgrade Vault without the new certificate, and your old certificate is expired, you may get locked out of Vault and lose your keys.

Therefore, if you are upgrading from version 0.7.2 or earlier, it is critical that you follow the steps below in the order presented. Before upgrading, first create and install a new administrator certificate at the existing Vault, and then migrate the Vault keystore to your CrashPlan environment, as described below.

Vault uses two certificates

A Vault server connecting with the CrashPlan cloud uses two CA-signed SSL certificates:

  • Your Vault domain certificate secures your Vault server's domain (for example, vault.example.com). It provides encryption for all communications between Vault and the CrashPlan cloud. It's the same process at work in most HTTPS connections between clients and servers.
  • Your Vault user/administrator certificate authenticates the user of your Vault server who administers your CrashPlan cloud key storage. Your Vault server uses this certificate to authenticate and authorize requests from your CrashPlan cloud organization.

Steps

Step 1: Ensure your certificate is up-to-date

You should choose a certificate that expires no more than once a year. Renew your certificate well before the expiration date; otherwise, Vault will stop working.

If you need a new certificate, create a new CA-signed certificate that meets these specifications:

  • Get a signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
  • The certificate must match the domain name where your Vault server listens for requests.
  • Package the CA's reply in a PKCS12 file, also called a *.PFX or *.P12 file.
  • The maximum file size is 5 MB.

New certificate required if upgrading from Vault 0.7.2 or earlier

If you are upgrading from 0.7.2 or earlier, you must obtain a new certificate before proceeding.

If you do not need to renew your certificate, proceed to Step 4.
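One way to check an existing PKCS12 file against the Step 1 specifications (size, expiration, domain match) before deciding whether to renew. This is an added example, not CrashPlan or Vault code; it assumes the OpenSSL command-line tool is installed, and the function name, the `VAULT_PFX_PASS` variable and the 30-day margin are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example, not CrashPlan or Vault code. Assumed names: check_vault_pfx,
# VAULT_PFX_PASS, MAX_PFX_BYTES, and the default 30-day renewal margin.

MAX_PFX_BYTES=5000000   # the 5 MB limit, read conservatively as 5,000,000 bytes

# Usage: VAULT_PFX_PASS='...' check_vault_pfx FILE HOSTNAME [MIN_DAYS_LEFT]
# Returns 0 = passes all checks       1 = file larger than the limit
#         2 = unreadable PKCS12 file or wrong password
#         3 = expired or expiring within MIN_DAYS_LEFT days
#         4 = certificate does not match HOSTNAME
check_vault_pfx() {
  local pfx="$1" host="$2" min_days="${3:-30}" size cert end

  size=$(wc -c < "$pfx") || return 2
  if [ "$size" -gt "$MAX_PFX_BYTES" ]; then
    echo "FAIL: $pfx is $size bytes, limit is $MAX_PFX_BYTES" >&2
    return 1
  fi

  # Extract the leaf certificate only (no private key). The password comes
  # from the environment so it never shows up in the process list.
  cert=$(openssl pkcs12 -in "$pfx" -passin env:VAULT_PFX_PASS -nokeys -clcerts \
           2>/dev/null | openssl x509 2>/dev/null) || cert=""
  if [ -z "$cert" ]; then
    echo "FAIL: cannot read a certificate from $pfx" >&2
    return 2
  fi
  end=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)

  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! printf '%s\n' "$cert" |
       openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: expires within $min_days days ($end); renew before upgrading" >&2
    return 3
  fi

  # -checkhost reports whether the certificate covers the Vault domain name.
  if ! printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$host" |
       grep -q 'does match'; then
    echo "FAIL: certificate does not match $host" >&2
    return 4
  fi

  echo "OK: $pfx matches $host, $end"
}
```

A non-zero return means the certificate should be replaced (Steps 1 through 3) before the Vault upgrade in Step 5.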

Step 2: Import the new certificate to Vault

If you obtained a new certificate, import the new certificate into Vault. Configure Vault to use that certificate to authenticate requests from your CrashPlan environment.

Step 3: Upload the certificate to your CrashPlan environment

If you obtained a new certificate, provide the certificate file and its password to the CrashPlan cloud as described in Migrate keys to a new keystore.

Step 4: Upgrade your backend storage software

Vault is a front-end for a storage application, typically Consul. Before upgrading Vault, upgrade that storage software.

Step 5: Download and install a newer version of Vault

Download the latest version of Vault from the Vault downloads page. Previous versions are available from the Vault releases page.

For upgrade instructions, see the Vault upgrade documentation.

External resources

For additional help, see the following Vault documentation
