Overview
CrashPlan cloud environments may be configured to store users' encryption keys in the your own private external keystore, rather than in CrashPlan's keystore. The external keystore that CrashPlan supports is Vault, a third-party application specifically built to secure secrets.
This article provides information about steps you must perform before upgrading your private, self-administered Vault server to a newer version.
Let CrashPlan manage your keys
Instead of managing your encryption keys in Vault, CrashPlan can manage your keys for you. See How CrashPlan handles your encryption keys for file backup for details. For more information, contact your Customer Success Manager (CSM).
Vault is not a CrashPlan product
Our technical support engineers can assist you with migrating your keystore to your private, self-administered Vault. Crashplan technical support cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Vault, consult the Vault documentation.
Affects
This article serves Customer Cloud Administrators who have an existing Vault server installed and configured to store CrashPlan encryption keys. To learn more about why and how to create a Vault, see:
- Manage your CrashPlan archive keystore
- Configure a Vault server to hold your CrashPlan archive keystore
Considerations
Vault versions
- The latest version of Vault is available from the Vault downloads page. Previous versions are available from the Vault releases page.
- Vault 0.10.2 is tested and compatible with the CrashPlan cloud.
Upgrading from Vault 0.7.2 or earlier
Versions 0.7.2 and earlier did not enforce certificate expiration. If you upgrade Vault without the new certificate, and your old certificate is expired, you may get locked out of Vault and lose your keys.
Therefore, if you are upgrading from version 0.7.2 or earlier, it is critical that you follow the steps below in the order presented. Before upgrading, first create and install a new administrator certificate at the existing Vault, and then migrate the Vault keystore to your CrashPlan environment, as described below.
Vault uses two certificates
A Vault server connecting with the CrashPlan cloud uses two CA-signed SSL certificates:
- Your Vault domain certificate secures your Vault server's domain (for example,
vault.example.com
). It provides encryption for all communications between Vault and the CrashPlan cloud. It's the same process at work in most HTTPS connections between clients and servers. - Your Vault user/administrator certificate authenticates the user of your Vault server who administers your CrashPlan cloud key storage. Your Vault server uses this certificate to authenticate and authorize requests from your CrashPlan cloud organization.
Steps
Step 1: Ensure your certificate is up-to-date
You should choose a certificate that expires no more than once a year. Renew your certificate well before the expiration date, else Vault will stop working.
If you need a new certificate, create a new CA-signed certificate that meets these specifications:
- Get a signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
- The certificate must match the domain name where your Vault server listens for requests.
- Package the CA's reply in a PKCS12 file, also called a *.PFX or *.P12 file.
- The maximum file size is 5 mb.
New certificate required if upgrading from Vault 0.7.2 or earlier
If you are upgrading from 0.7.2 or earlier, you must obtain a new certificate before preceding.
If you do not need to renew your certificate, proceed to Step 4.
Step 2: Import the new certificate to Vault
If you obtained a new certificate, import the new certificate into Vault. Configure Vault to use that certificate to authenticate requests from your CrashPlan environment.
Step 3: Upload the certificate to your CrashPlan environment
If you obtained a new certificate, provide the certificate file and its password to the CrashPlan cloud as described in Migrate keys to a new keystore.
Step 4: Upgrade your backend storage software
Vault is a front-end for a storage application, typically Consul. Before upgrading Vault, upgrade that storage software.
Step 5: Download and install a newer version of Vault
Download the latest version of Vault from the Vault downloads page. Previous versions are available from the Vault releases page.
For upgrade instructions, see the Vault upgrade documentation.
External resources
For additional help, see the following Vault documentation: