Convert devices to passphrase-based encryption

If you have lost or forgotten the security code/encryption key for a backup device, or simply no longer wish to individually manage security codes/encryption keys for your list of backup devices, Backup Manager offers the function to convert backup devices to use a passphrase-based encryption method.

Please be aware that once this change is made, you cannot change back to use the original security code/encryption key if found at a later date.

Differences between encryption methods

  • Private key encryption relies on encryption keys/security codes that are defined by users during Backup Manager installation. The encryption key/security code is set once and cannot be changed or retrieved afterward
  • Passphrase-based encryption uses a system-generated encryption key that is securely accessible from the management console

Requirements

  1. Backup Manager version 17.11 or later must be installed and functional on the system you wish to convert
  2. The system must be running on Windows
  3. The system must be intact (the conversion process will not work after a system is lost, destroyed or infected)
  4. Access to run the Command Prompt as an administrator is required on each system you wish to convert
  5. Backups should not be actively running during this process

Instructions

Step 1. Get a partner UID for conversion

  1. Log in to the Console as a user with security officer permissions
  2. In the left navigation bar, click Customer management
  3. Find the customer containing backup devices you want to convert
  4. Click the three dots to the right to access the Action Menu
  5. Click Edit Customer
  6. On the General tab, scroll down and enable the Automatic Deployment option (if it is disabled)
  7. Click Save
  8. Copy the Customer UID for later use as the -partner-uid parameter

You can re-use the UID for any number of devices belonging to the customer.

Step 2. Perform conversion on each device

Windows devices

Run the below command on each Windows device you plan to convert to passphrase-based encryption.

  1. Log in to the system on which the backup device is installed
  2. Start the Command Prompt as an administrator
  3. Run the following command

    "C:\Program Files\Backup Manager\ClientTool.exe" takeover -partner-uid [Customer UID from Management Console] -config-path "c:\Program Files\Backup Manager\config.ini"

The components contained in the command are:

  • C:\Program Files\Backup Manager\ - is the default installation directory of the Backup Manager. Make sure you edit the path if the Backup Manager is installed at a custom location
  • ClientTool.exe – an executable file included into all Backup Manager installations. It lets you operate the Backup Manager through the command line
  • takeover – a command that moves a backup device to another category (to another customer or to passphrase-based encryption)
  • partner-uid – the Customer UID you copied at step 1.6

Linux devices

Run the below command on each Linux device you plan to convert to passphrase-based encryption.

  1. Log in to the system on which the backup device is installed
  2. Start the terminal
  3. Run the following command

    "/opt/backup-manager/bin/ClientTool" takeover -partner-uid [Customer UID from Management Console] -config-path "/opt/MXB/etc/config.ini"

The components contained in the command are:

  • /opt/backup-manager/ - is the default installation directory of the Backup Manager. Make sure you edit the path if the Backup Manager is installed at a custom location
  • ClientTool – an executable file included into all Backup Manager installations. It lets you operate the Backup Manager through the command line
  • takeover – a command that moves a backup device to another category (to another customer or to passphrase-based encryption)
  • partner-uid – the Customer UID you copied at step 1.6

MacOS devices

Run the below command on each MacOS device you plan to convert to passphrase-based encryption.

  1. Log in to the system on which the backup device is installed
  2. Start the terminal
  3. Run the following command

    "/Applications/Backup Manager.app/Contents/MacOS/ClientTool/ClientTool" takeover -partner-uid [Customer UID from Management Console] -config-path "/Library/Application Support/MXB/Backup Manager/config.ini"

The components contained in the command are:

  • /Applications/Backup Manager.app/ - is the default installation directory of the Backup Manager. Make sure you edit the path if the Backup Manager is installed at a custom location
  • ClientTool – an executable file included into all Backup Manager installations. It lets you operate the Backup Manager through the command line
  • takeover – a command that moves a backup device to another category (to another customer or to passphrase-based encryption)
  • partner-uid – the Customer UID you copied at step 1.6

Step 3. Test the conversion (optional)

Now you can run a test to make sure the device has been successfully converted to passphrase-based encryption. Here are steps to follow:

  1. Get a passhprase (instructions)
  2. Add the device to the Recovery Console with that passphrase or install the device on an additional machine in the restore-only mode

If you have at least one backup session completed on the device, you can go even further and run a test restore.

It is a good practice to periodically test your security codes or passphrases this way.