Convert devices to passphrase-based encryption

If you have lost or forgotten the security code/encryption key for a backup device, or simply no longer wish to individually manage security codes/encryption keys for your list of backup devices, Backup Manager offers the function to convert backup devices to use a passphrase-based encryption method.

Please be aware that once this change is made, you cannot change back to use the original security code/encryption key.

Differences between encryption methods

  • Private key encryption relies on encryption keys/security codes that are defined by users during Backup Manager installation. The encryption key/security code is set once and cannot be changed or retrieved afterwards.
  • Passphrase-based encryption uses a system-generated encryption key that is securely accessible from the management console.


  1. Backup Manager version 17.11 or later must be installed and functional on the system you wish to convert.
  2. The system must be running on Windows.
  3. The system must be intact (the conversion process will not work after a system is lost, destroyed or infected).
  4. Access to run the Command Prompt as an administrator is required on each system you wish to convert.
  5. Backups should not be actively running during this process.


Step 1. Get a partner UID for conversion

  1. Log in to the Console as a user with security officer permissions
  2. In the left navigation bar, click Partner management
  3. Select the partner containing backup devices you want to convert
  4. Enable the Automatic Deployment option (if it is disabled)
  5. Click Save
  6. You will now be given a customer UID

  7. Copy the UID for later use

You can re-use the UID for any number of devices belonging to the partner.

Step 2. Perform conversion on each device

Run the below command on each Windows device you plan to convert to passphrase-based encryption.

  1. Log in to the system on which the backup device is installed.
  2. Start the Command Prompt as an administrator and run the following command.

"C:\Program Files\Backup Manager\ClientTool.exe" takeover -partner-uid 92bcdff7-9a73-46f4-8xYxTa-8exXxXxXxX0b11d -config-path "c:\Program Files\Backup Manager\config.ini"

Here is what the command contains:

  • ClientTool.exe – an executable file included into all Backup Manager installations. It lets you operate the Backup Manager through the command line.
  • C:\Program Files\Backup Manager\ - is the default installation directory of the Backup Manager. Make sure you edit the path if the Backup Manager is installed at a custom location.
  • takeover – a command that moves a backup device to another category (to another partner or to passphrase-based encryption)
  • partner-uid – the UID you copied at step 1.

Step 3. Test the conversion (optional)

Now you can run a test to make sure the device has been successfully converted to passphrase-based encryption. Here are steps to follow:

  1. Get a passhprase (instructions).
  2. Add the device to the Recovery Console with that passphrase or install the device on an additional machine in the restore-only mode.

If you have at least 1 backup session completed on the device, you can go even further and run a test restore.

It is a good practice to periodically test your security codes or passphrases this way.