Best Practices for Ahsay Encryption Key Management
Article ID
Last Reviewed Date
Product Version
Operating System
Description
This Know-How article answers some of the frequently asked questions about encryption key. It also has recommendations on how to manage your encryption key.
Solution
For backup sets created with AhsayOBM or AhsayACB version 9.1 or above, the default encryption setting of a backup set is:
- Encryption Key: A randomly generated key of 44 alpha numeric characters
- Encryption Key Length: 256 bits
- Encryption Algorithm: AES
- Encryption Method: CBC
Each backup set will have its own unique Encryption Key even if the user had chosen to use 'default' setting for their backup sets.
The encryption setting of a backup set is saved locally on the client computer at ~/.obm/config/settings.sys.
You can also save the encryption setting of your backup sets on the backup server by enabling the 'Encryption Recovery' option within the client user interface:
- Login to the AhsayOBM / AhsayACB user interface.
-
Click on the User Profile.
-
Select Encryption Recovery then enable the setting.
Or from the AhsayCBS web console:
- Login to the AhsayCBS web console.
- Go to Backup / Restore > User > User Profile > General > Upload Encryption Key.
-
Tick the Upload encryption key after running backup for recovery checkbox.
If this option is enabled, the encryption key (in encrypted format) of the backup set would be uploaded to the backup server whenever a backup job is performed.
The encryption key would be saved within the user home of the corresponding account:
%UserHome%\%username%\%backupset_id%\settings\EncryptionKeys-%YYYY-MM-DD%.jsaon.rgz
Contact email address of the user account will also be saved within this file.
Note that the AhsayCBS Administrator cannot decrypt this file.
You must engage Ahsay's Professional Encryption Recovery Service to decrypt this file for retrieving the encryption key of a backup set. The encryption key will be sent directly to the end user's contact email address.The client application will prompt for the encryption key of all existing backup sets when the user, if it cannot detect the present settings.sys file within the operating system profile. (e.g. ~/.obm/config/settings.sys)
Examples:
-
Login to the client application on multiple computers with the same backup account.
You have logged in to AhsayOBM with backup account 'username' on Computer A, then when you login to AhsayOBM with the same account on Computer B and access the Backup Sets tile, you will be prompted to enter the encryption key for all existing backup sets.
-
Login to the client application with multiple backup accounts.
You have logged in to AhsayOBM with backup account 'username' on Computer A, then when you login to AhsayOBM with backup account 'username2' on Computer A, you will be prompted to enter the encryption key for all existing backup sets.
- The client application was completely uninstalled (including the user profile at ~/.obm/config/settings.sys).
The user must enter the correct encryption key at this point to manage or continue with the backup or restore operation (of that backup set) on this computer.
Best practices for managing your encryption key
We would like to stress that it is very very very important to keep a record of your encryption key at multiple locations.
-
Write down the encryption keys of all your backup sets.
- Login to the AhsayOBM / AhsayACB user interface.
- Click on the Backup Sets tile.
- Select the corresponding backup set, then click Show advanced settings.
-
Click on Others, click Unmask encryption key.
- Copy the encryption key to multiple locations.
-
Make copies of the backup account profiles on the client computer.
~/config/settings.sys -
Enable the Encryption Recovery setting for your account.
As a last step to protect yourself from losing the encryption key of your backup sets, enable the 'Encryption Recovery' setting of your backup account, to save the key to the backup server.
Refer to Where is the encryption setting of a backup set saved at? for instruction.