CrashPlan cloud environments may be configured to store users' encryption keys in your own private external keystore, rather than in CrashPlan's keystore. The external keystore that CrashPlan supports is Vault, a third-party application specifically built to secure secrets.
This article provides information about steps you must perform before upgrading your private, self-administered Vault server to a newer version.
Instead of managing your encryption keys in Vault, CrashPlan can manage your keys for you. See How CrashPlan handles your encryption keys for file backup for details. For more information, contact your Customer Success Manager (CSM).
Our technical support team can assist you with migrating your keystore to your private, self-administered Vault. Technical support engineers cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Vault, consult the Vault documentation.
This article serves Customer Cloud Administrators who have an existing Vault server installed and configured to store CrashPlan encryption keys. To learn more about why and how to create a Vault, see:
- The latest version of Vault is available from the Vault downloads page. Previous versions are available from the Vault releases page.
- Vault 0.10.2 is tested and compatible with the CrashPlan cloud.
Versions 0.7.2 and earlier did not enforce certificate expiration. If you upgrade Vault without the new certificate, and your old certificate is expired, you may get locked out of Vault and lose your keys.
Therefore, if you are upgrading from version 0.7.2 or earlier, it is critical that you follow the steps below in the order presented. Before upgrading, first create and install a new administrator certificate at the existing Vault, and then migrate the Vault keystore to your CrashPlan environment, as described below.
Vault uses two certificates
A Vault server connecting with the CrashPlan cloud uses two CA-signed SSL certificates:
- Your Vault domain certificate secures your Vault server's domain (for example, vault.example.com). It provides encryption for all communications between Vault and the CrashPlan cloud. It's the same process at work in most HTTPS connections between clients and servers.
- Your Vault user/administrator certificate authenticates the user of your Vault server who administers your CrashPlan cloud key storage. Your Vault server uses this certificate to authenticate and authorize requests from your CrashPlan cloud organization.
Step 1: Ensure your certificate is up-to-date
Choose a certificate that does not need to be renewed more than once a year. Renew your certificate well before its expiration date; otherwise Vault stops working.
If you need a new certificate, create a new CA-signed certificate that meets these specifications:
- Get a signed certificate from a widely known and trusted certificate authority (CA), as you would for a secure web site.
- The certificate must match the domain name where your Vault server listens for requests.
- Package the CA's reply in a PKCS12 file, also called a *.PFX or *.P12 file.
- The maximum file size is 5 MB.
If you are upgrading from 0.7.2 or earlier, you must obtain a new certificate before proceeding.
If you do not need to renew your certificate, proceed to Step 4.
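The following script is an added example and is not part of the CrashPlan article or of Vault itself. It performs the pre-flight checks implied by the specifications above on a PKCS12 bundle before you import it into Vault or upload it to the CrashPlan cloud: the file is under the 5 MB limit, the certificate is not expired and will not expire within a chosen number of days, and the certificate's CN or a DNS SAN matches the Vault domain. It assumes the openssl command-line tool is installed; the bundle path, password, domain and renewal window are your own values. The make_sample_bundle helper only builds a self-signed test bundle so the checks can be exercised offline; a real deployment uses a certificate signed by a public CA, as the article requires.

```shell
#!/bin/sh
# Added example (not from the CrashPlan article): pre-flight checks on a .pfx/.p12
# bundle before importing it into Vault. Assumes openssl is on PATH.
set -eu

# check_vault_cert PFX_FILE PASSWORD VAULT_DOMAIN MIN_DAYS
# Returns 0 only if the bundle is under 5 MB, opens with PASSWORD, the leaf
# certificate stays valid for at least MIN_DAYS more days, and its subject CN
# or a DNS SAN equals VAULT_DOMAIN.
check_vault_cert() {
    pfx=$1; pass=$2; domain=$3; min_days=$4

    # 1. Upload limit stated by the article: 5 MB.
    size=$(wc -c < "$pfx")
    [ "$size" -le 5242880 ] || { echo "bundle exceeds 5 MB"; return 1; }

    # Extract the leaf certificate as PEM; fails on a wrong password or a
    # file that is not PKCS12.
    pem=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) || {
        echo "cannot open bundle (wrong password or not PKCS12)"; return 1; }

    # 2. Expiry: -checkend fails if the cert is expired or expires within N seconds.
    secs=$((min_days * 86400))
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$secs" >/dev/null || {
        echo "certificate expired or expires within $min_days days"; return 1; }

    # 3. Domain match: exact CN (old and new openssl subject formats) or DNS SAN.
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    printf '%s\n' "$pem" | openssl x509 -noout -text \
        | grep -Eq "CN ?= ?$esc(,|\$)|DNS:$esc(,|\$)" || {
        echo "certificate does not match $domain"; return 1; }

    echo "ok: $pfx is valid for $domain for at least $min_days days"
    return 0
}

# make_sample_bundle OUT_PFX DOMAIN DAYS PASSWORD
# Constructed test data only: a self-signed key pair packaged as PKCS12.
make_sample_bundle() {
    out=$1; dom=$2; days=$3; pw=$4
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
        -out "$tmp/cert.pem" -days "$days" -subj "/CN=$dom" \
        -addext "subjectAltName=DNS:$dom" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -out "$out" -passout "pass:$pw" 2>/dev/null
    rm -rf "$tmp"
}

# Usage: sh check_vault_cert.sh bundle.pfx PASSWORD vault.example.com [MIN_DAYS]
if [ -n "${1:-}" ]; then
    check_vault_cert "$1" "${2:-}" "${3:-}" "${4:-30}"
fi
```

Run it against the real bundle with the renewal window you use (30 days is a reasonable floor given the article's advice to renew well before expiry); a non-zero exit means the bundle should not be imported or uploaded yet.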
Step 2: Import the new certificate to Vault
If you obtained a new certificate, import the new certificate into Vault. Configure Vault to use that certificate to authenticate requests from your CrashPlan environment.
Step 3: Upload the certificate to your CrashPlan environment
If you obtained a new certificate, provide the certificate file and its password to the CrashPlan cloud as described in Migrate keys to a new keystore.
Step 4: Upgrade your backend storage software
Vault is a front-end for a storage application, typically Consul. Before upgrading Vault, upgrade that storage software.