Organizations - Device Backup Defaults - Security settings reference (Enterprise)

Overview

This reference guide describes an organization's backup security settings. You can require users to enter their account password when opening the CrashPlan app, and you can also set the security level of the archive encryption key for users' backup archives.

Access device backup security settings

  • To view the general device backup settings, choose Administration > Environment > Organizations. When the Active tab opens, click the organization name. (You may need to expand the parent organization.) Scroll down to Device Backup Defaults and click the Security tab.
  • To change these default settings for the organization, from the action menu, choose Device Backup Defaults, then click the Security tab.

Device backup security settings

device backup default security.png

Item Description
a Require account password to access CrashPlan app

Selected - Requires that the user enters the correct password to open the CrashPlan app.
Deselected - No password is required to open the CrashPlan app.

Require password for added security
We strongly recommend requiring the account password to open the CrashPlan app. If the device is lost, stolen, or infected with malware or ransomware, this helps protect backed-up files from being accessed or deleted by an unauthorized user.
b Lock

Locks this setting to prevent users from changing it in their personal settings.

c Push Applies these settings to existing users in addition to new users.
d

Standard

Users or administrators can restore files without providing an additional password (default).
e

Archive key password

Users or administrators can restore files only by providing the correct archive key password. This additional password cannot be reset if it is forgotten or lost. By default, this password is the account password.

Users who sign in with SSO
Do not use the CrashPlan console to enable archive key password for users who sign in with SSO. Doing so prevents users from accessing their archives, resulting in data loss. Instead, make sure the Archive Encryption Key settings are unlocked, then instruct users to enable Archive key password from the CrashPlan app.
f

Custom key

Users or administrators can restore files only by providing the correct custom key. If a user forgets or loses the custom key, the user's backup data becomes unrecoverable and the key cannot be reset. Adding or changing the custom key requires users to restart their backups.

Archive encryption key considerations
  • Pushing and locking this setting simply enforces the designated security level. Locking this setting does not prevent users from changing their archive key password, for example.
  • After you have upgraded a user's security level, you cannot downgrade the security level without restarting that user's backup.

Archive encryption key summary

Below is a description of the three security options for archive key management. Refer to our encryption key article for full details and a comparison chart.

Standard encryption

Consideration Details
Configuration
  • Standard archive encryption is the default encryption key security option
Key creation
  • Encryption key is generated upon user account creation
Management requirements
  • Users have only one password to remember
  • Lowest risk of losing ability to restore files
Key security & storage
  • Encryption key is escrowed for authentication during web restores, administrator restores, and installations on new devices
Web restore key access
  • Encryption key is escrowed for decryption
Administrator access
  • Administrators can access backed up files without knowing user account password

Archive key password

Consideration Details
Configuration
  • Archive key password is an increased encryption key security option
Key creation
  • Encryption key is generated upon user account creation
  • The encryption key remains the same when security option is changed from standard to archive key password
Management requirements
  • Users have two passwords to remember
  • Archive key password must be 8-56 characters in length
  • Increased risk of not being able to restore files if archive key password is forgotten
  • Users can change the archive key password at any time without affecting backup data
  • (Optional) Users can provide an archive question that, if answered correctly, can be used to reset the archive key password in the event that it is lost or forgotten
Key security & storage
  • The encryption key is not escrowed.
  • The encryption key is secured with the archive key password. The secured key is escrowed for authentication during web restores and installations on new devices
Web restore key access
  • The secured key is stored for authentication during web restores
  • Archive key password must be entered to restore files
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the archive key password
  • Administrators cannot access a user's archive key password
  • If the archive key password is lost, it can only be reset if an archive question was previously configured; otherwise, backup data is unrecoverable

Custom key

Consideration Details
Configuration
  • Custom key is the highest upgraded encryption key security option
Key creation
  • The original encryption key generated upon account creation is removed and is replaced with a custom encryption key
  • Users can choose to assign and manage a different custom key for each device
Management requirements
  • Nearly impossible to remember, with increased risk of not being able to restore files if custom key is lost
  • Users must start a completely new backup after upgrading to this security option; files backed up prior to upgrading are deleted from backup archives
  • Web restore, new installations, and push restores require the custom key
Key security & storage
  • Encryption key exists only on source computer
  • The custom key is never cached at any remote location
Web restore key access
  • User must supply the custom key in order to restore files
  • The custom key is held in memory for the purpose of restoring files; it is never written to disk
  • The custom key is flushed from memory once files are restored
Administrator access
  • Administrators cannot access files backed up to any destination without knowing the custom key
  • Administrators cannot access users' custom keys
Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more