
Best Practices for Ahsay Encryption Key Management

Article ID
5023
Last Reviewed Date
Product Version
AhsayACB / AhsayOBM: 9.1 or above
Operating System
All Platforms
Description

This Know-How article answers some frequently asked questions about encryption keys and gives recommendations on how to manage your encryption key.

Solution
What is the 'default' encryption setting of a backup set?

For backup sets created with AhsayOBM or AhsayACB version 9.1 or above, the default encryption setting of a backup set is:

AhsayOBM Encryption Settings

  • Encryption Key: A randomly generated key of 44 alphanumeric characters
  • Encryption Key Length: 256 bits
  • Encryption Algorithm: AES
  • Encryption Method: CBC

Each backup set has its own unique Encryption Key, even if the user chose the 'default' setting for their backup sets.

The Ahsay standard 'default' may be changed to use Password or Custom via the Policy Group setting. You may need to review the user's Effective Policy to confirm the default value.

For users who may have used older releases of AhsayOBM or AhsayACB, the 'default' encryption setting is no longer the password. The default setting has changed since version 7.3.

Can I change the encryption setting of a backup set?

The encryption setting of a backup set is generated during backup set creation and cannot be changed afterwards.

Can I restore my backup data if I have lost my encryption key?

No, if you have lost the encryption key of your backup set and did not enable Encryption Recovery, it will be impossible to restore data from the corresponding backup set.

Where is the encryption setting of a backup set saved at?

The encryption setting of a backup set is saved locally on the client computer at ~/.obm/config/settings.sys.

You can also save the encryption setting of your backup sets on the backup server by enabling the 'Encryption Recovery' option within the client user interface:

  1. Log in to the AhsayOBM / AhsayACB user interface.
  2. Click on the User Profile.

    AhsayOBM User Profile

  3. Select Encryption Recovery then enable the setting.

    AhsayOBM Encryption Recovery Settings

Or from the AhsayCBS web console:

  1. Log in to the AhsayCBS web console.
  2. Go to Backup / Restore > User > User Profile > General > Upload Encryption Key.
  3. Tick the Upload encryption key after running backup for recovery checkbox.

    AhsayOBM Encryption Key Settings

If this option is enabled, the encryption key (in encrypted format) of the backup set is uploaded to the backup server whenever a backup job is performed.

The encryption key would be saved within the user home of the corresponding account:

%UserHome%\%username%\%backupset_id%\settings\EncryptionKeys-%YYYY-MM-DD%.jsaon.rgz

The contact email address of the user account is also saved within this file.

Note that the AhsayCBS Administrator cannot decrypt this file.

You must engage Ahsay's Professional Encryption Recovery Service to decrypt this file and retrieve the encryption key of a backup set. The encryption key will be sent directly to the end user's contact email address.

I am prompted to enter the encryption key of my backup sets, why is that?

The client application will prompt for the encryption key of all existing backup sets if it cannot detect the settings.sys file within the operating system profile (e.g. ~/.obm/config/settings.sys).

Examples:

  • Log in to the client application on multiple computers with the same backup account.

    You have logged in to AhsayOBM with backup account 'username' on Computer A. When you then log in to AhsayOBM with the same account on Computer B and access the Backup Sets tile, you will be prompted to enter the encryption key for all existing backup sets.

  • Log in to the client application with multiple backup accounts.

    You have logged in to AhsayOBM with backup account 'username' on Computer A. When you then log in to AhsayOBM with backup account 'username2' on Computer A, you will be prompted to enter the encryption key for all existing backup sets.

  • The client application was completely uninstalled (including the user profile at ~/.obm/config/settings.sys).

The user must enter the correct encryption key at this point to manage or continue with the backup or restore operation (of that backup set) on this computer.

AhsayOBM Encryption Key Prompt

Best practices for managing your encryption key

We would like to stress that it is very very very important to keep a record of your encryption key at multiple locations.

  1. Write down the encryption keys of all your backup sets.

    1. Log in to the AhsayOBM / AhsayACB user interface.
    2. Click on the Backup Sets tile.
    3. Select the corresponding backup set, then click Show advanced settings.
    4. Click on Others, click Unmask encryption key.

      AhsayOBM Encryption Key

    5. Copy the encryption key to multiple locations.
  2. Make copies of the backup account profiles on the client computer.

    ~/.obm/config/settings.sys
  3. Enable the Encryption Recovery setting for your account.

    As a last step to protect yourself from losing the encryption key of your backup sets, enable the 'Encryption Recovery' setting of your backup account, to save the key to the backup server.

    Refer to 'Where is the encryption setting of a backup set saved at?' for instructions.
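
One way to carry out step 2 above, shown as an added example that is not Ahsay's own tooling: copy settings.sys to several locations with owner-only permissions and confirm each copy against the source's SHA-256 digest. The function names and the destination paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not Ahsay tooling): keep verified copies of the client
# profile that holds the backup sets' encryption settings.

# sha256_of FILE -> prints the SHA-256 hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_profile SRC DEST_DIR...
# Copies SRC into each DEST_DIR as settings.sys.<timestamp>, restricts the
# copy to its owner, and checks that its digest matches the source.
# Returns 0 only if every destination holds a verified copy.
backup_profile() {
    src=$1; shift
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "no destinations given" >&2; return 2; }
    want=$(sha256_of "$src")
    stamp=$(date +%Y%m%d-%H%M%S)
    failed=0
    old_umask=$(umask); umask 077      # new directories and files: owner only
    for dir in "$@"; do
        dest="$dir/settings.sys.$stamp"
        if mkdir -p "$dir" && cp -p "$src" "$dest" && chmod 600 "$dest" \
           && [ "$(sha256_of "$dest")" = "$want" ]; then
            echo "ok      $dest"
        else
            echo "FAILED  $dir" >&2
            failed=$((failed + 1))
        fi
    done
    umask "$old_umask"
    [ "$failed" -eq 0 ]
}

# Usage (destination paths are placeholders for media you control):
# backup_profile "$HOME/.obm/config/settings.sys" /mnt/usb/ahsay-keys "$HOME/vault/ahsay"
```

Because settings.sys carries the encryption settings, every copy deserves the same protection as the key itself; a non-zero exit status means at least one destination does not hold a verified copy.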