Overview of Code42 backup for the enterprise (part 1)
In "The Key to Securing Data in the Cloud," keeping encryption keys on-premises was described as a critical component of data security in the cloud. In this article, I’ll answer several fundamental questions about how Code42 securely backs up files. This first part of a two-part post covers the backup process from user provisioning through the encryption of files. In the second post, I’ll discuss the processes that power transmission of encrypted files and file restoration.
The process for backing up user data is the same regardless of where the copies are stored—in private, hybrid or public storage models.
Installation
It begins when an IT Admin provisions a user with CrashPlan. To simplify deployments, user provisioning is often done through integration with AD/LDAP or another directory service, but can be done manually as well. As soon as a user is provisioned, the Code42 server generates a unique encryption key for each user’s backup.
The user installs the CrashPlan client software and logs in. Alternatively, CrashPlan can be push-installed through systems management software such as SCCM, KACE or Casper, with logins scripted by the IT Admin. The encryption key for that user is transmitted from the server to the client over Transport Layer Security (TLS).
Dedupe and Compression
Whether it is the first backup of files or a subsequent backup, CrashPlan begins by analyzing the files in the user’s backup set and segmenting them into blocks. Block size varies to accommodate file types and sizes and supports the elimination of duplicated blocks. Should a duplicate block be found, the block is not backed up a second time. If a new block is found, the block moves to the next stage.
Compression removes repetition in the blocks themselves. Client-side deduplication and compression reduce both storage requirements at the server level and network consumption between the client and server. Moreover, since all these processes are distributed across multiple clients, there’s no need for expensive servers in your data center to handle server-side compression.
Encryption and Ready for Transport
Finally, before the data leaves the client, blocks are encrypted using either 256-bit AES or 448-bit Blowfish, depending on which encryption standard best suits your needs. At this stage, blocks are ready to be transmitted to a backup storage destination: one or more of your own data centers, or the Code42 public cloud.
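The client-side order described above (dedupe, then compress, then encrypt) matters because ciphertext neither deduplicates nor compresses. The sketch below is an added example, not Code42's code. It assumes fixed 4 KiB blocks, SHA-256 block digests and zlib, and uses a standard-library keystream as a stand-in for the AES-256 step; all function names are hypothetical.

```python
import hashlib
import os
import zlib

BLOCK = 4096  # assumption: fixed-size blocks (the article describes variable sizes)

def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stand-in for the AES-256 step
    so the example needs only the standard library; not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def backup(data: bytes, key: bytes, seen: set) -> list:
    """Dedupe -> compress -> encrypt. Returns (nonce, ciphertext) pairs to send.
    `seen` is the client-side index of block digests already backed up."""
    to_send = []
    for off in range(0, len(data), BLOCK):
        block = data[off:off + BLOCK]
        digest = hashlib.sha256(block).digest()
        if digest in seen:          # duplicate block: not backed up a second time
            continue
        seen.add(digest)
        nonce = os.urandom(16)      # fresh nonce per block
        to_send.append((nonce, stand_in_cipher(key, nonce, zlib.compress(block))))
    return to_send

def restore_block(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Reverse the pipeline for one block: decrypt, then decompress."""
    return zlib.decompress(stand_in_cipher(key, nonce, ciphertext))

def wrong_order_size(block: bytes, key: bytes) -> int:
    """Encrypt first, then compress: ciphertext looks random, so nothing shrinks."""
    return len(zlib.compress(stand_in_cipher(key, os.urandom(16), block)))

# Constructed sample: three identical text blocks plus one distinct block.
BLOCK_A = (b"2024-01-01 INFO backup ok\n" * 200)[:BLOCK]
BLOCK_B = bytes(range(256)) * 16
SAMPLE = BLOCK_A * 3 + BLOCK_B

if __name__ == "__main__":
    key, seen = os.urandom(32), set()
    sent = backup(SAMPLE, key, seen)
    print(len(sent), "blocks sent,", sum(len(c) for _, c in sent), "bytes")
    print("second run sends", len(backup(SAMPLE, key, seen)), "blocks")
    print("encrypt-then-compress size of one block:", wrong_order_size(BLOCK_A, key))
```

Only two of the four sample blocks are sent on the first run and none on the second, while the same block encrypted before compression stays at roughly its original 4 KiB.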
