
Encryption Key Management

Following the announcement of our plan to improve security by removing our default encryption keys for all new backup sets (beginning 4/15/21, see here for more details), we wanted to give you the ability to easily generate, store, and retrieve your encryption keys, both for Servosity version 8 and ShadowProtect. All operations are tracked in our audit log, and keys are stored in our secure vault, encrypted with 256-bit AES.

If you have been using the Servosity default encryption key, we strongly suggest that you validate each backup set by following these instructions and store the confirmed encryption key in our key management tool or other secure storage.

 

Setting Encryption Key Generation Method


 

By default, Encryption Key Management is configured as storage only. This means that we will not generate the encryption keys for you, but will simply give you a field to store the encryption keys that you have generated through your own tools. It is completely optional, and if you're already generating and storing your own encryption keys securely, then you never have to use it at all.

If you'd prefer to have us generate an encryption key for each backup set, which will be automatically stored in the control panel, go to Partner > Settings, scroll to the bottom of the page, change the setting from "Provide your own keys" to "Keys generated automatically", and click the Save button.

 

Managing Provided Keys

For Servosity Safe companies, encryption keys will always be automatically generated. Please see "Managing Generated Keys" below.

 


 

To access the Encryption Key Manager, go to the Company that you want to manage, then click on Company > Credentials and Keys at the top of the page. We will automatically create a keystore for each backup account. If there is no key stored yet, you will have a "Store" button out to the right of the Backup Account name. Click on that button and you will get a text field to input your encryption key. Please verify that the key is pasted in correctly, then click "Save". Encryption keys are not validated when they are stored, so please validate that the key is correct before saving it.

For accounts that have a key saved, you have the option to view or edit that key. When you view a key, you can click the "Copy" button to copy it to the clipboard for easy access. All store, edit, view, and copy events are saved in our audit log, and we also store infinite versions of all stored keys, so that if someone maliciously or accidentally changes the stored key, we are able to revert it to a previous version on request.

Finally, encryption keys can be locked to prevent editing; however, this feature is not something that a partner can set as of today. We are working on providing user roles in the control panel, and this is something that will be limited to company admins in a future release. For Servosity Fully Managed companies, our team will lock the encryption key once it has been successfully validated.

 

Managing Generated Keys

For Servosity Safe companies, there will be a Credentials section at the top of this page. Please scroll past that section to access the Encryption Key Manager.


To access the Encryption Key Manager, go to the Company that you want to manage, then click on Company > Credentials and Keys at the top of the page. We will automatically create a keystore for each backup account. If there is no key stored yet, you will have a "Generate" button out to the right of the Backup Account name. Click on that button, and a secure key will be generated and stored. Encryption keys are not validated when they are stored, so please make sure that you copy the key using the provided button, and verify you can access the encrypted data using the stored key.

If the account already has an encryption key, or you want to use a custom key for any reason, generated keys can be edited and overwritten. All generate, edit, view, and copy events are saved in our audit log, and we also store infinite versions of all stored keys, so that if someone maliciously or accidentally changes the stored key, we are able to revert it to a previous version on request.

Finally, encryption keys can be locked to prevent editing; however, this feature is not something that a partner can set as of today. We are working on providing user roles in the control panel, and this is something that will be limited to company admins in a future release. For Servosity Fully Managed companies, our team will lock the encryption key once it has been successfully validated.