Convert Devices to Passphrase-Based Encryption

If you have lost or forgotten the Self-Managed Encryption Key/Security Code for a backup device, or you no longer wish to manage encryption for your backup device(s) individually, Backup Manager can convert backup devices to the Managed (passphrase-based) encryption method.

Please be aware that once this change is made, you cannot change back to using Self-Managed encryption at a later date.

Differences between encryption methods

  • Self-Managed - This is Private key encryption, which relies on Encryption Key/Security Codes that are defined by a user during Backup Manager installation.
    • The Encryption Key/Security Code is set once and cannot be changed or retrieved afterward
  • Managed - This is Passphrase-based encryption, which uses Cove Data Protection (Cove)'s system-generated encryption.
    • This is securely accessible from the Device Properties in the Cove Management Console

Requirements

  1. Backup Manager version 17.11 or later must be installed and functional on the system you wish to convert
  2. The system must be intact (the conversion process will not work after a system is lost, destroyed or infected)
  3. Access to run the Command Prompt as an administrator is required on each system you wish to convert
  4. Backups should not be actively running during this process

Instructions

Before beginning the below steps, we strongly advise taking a copy of the configuration file and storing this elsewhere.

Step 1. Get a partner UID for conversion

  1. Log in to the Management Console as a user with security officer permissions
  2. In the Management section of the vertical menu, click Customers to open the Customer Management window
  3. Find the customer containing the backup device you want to convert
  4. Click the three dots to the right to access the Action Menu
  5. Click Edit Customer
  6. On the General tab, scroll down and enable the Automatic Deployment option if it is disabled. If this is already enabled, skip to step #8
  7. Click Save
  8. Take a copy of the Customer UID for later use as the -partner-uid parameter

You can re-use the UID for any number of devices belonging to this customer.

Step 2. Perform conversion on each device

Windows devices

Run the below command on each Windows device you plan to convert to passphrase-based encryption:

  1. Log in to the device on which Backup Manager is installed
  2. Start the Command Prompt as an administrator
  3. Run the following command:

    "C:\Program Files\Backup Manager\ClientTool.exe" takeover -partner-uid [Customer UID from Management Console] -config-path "c:\Program Files\Backup Manager\config.ini"

Command Component - Definition

  • C:\Program Files\Backup Manager\ - The default installation directory of the Backup Manager. Make sure you change this path if the Backup Manager is installed in a custom location
  • ClientTool.exe - An executable file included in all Backup Manager installations, which lets you operate the Backup Manager through the command line
  • takeover - A command that moves the backup device to another category (to another customer or to Managed (passphrase-based) encryption)
    • -partner-uid - The Customer UID copied at Step 1.8
    • -config-path - The file path to the configuration file for the device, which will be updated to reflect the new encryption method

Linux devices

Run the below command on each Linux device you plan to convert to passphrase-based encryption:

  1. Log in to the device on which Backup Manager is installed
  2. Start the Terminal
  3. Run the following command:

    "/opt/MXB/bin/ClientTool" takeover -partner-uid [Customer UID from Management Console] -config-path "/opt/MXB/etc/config.ini"

Command Component - Definition

  • /opt/MXB/ - The default installation directory of the Backup Manager. Make sure you change this path if the Backup Manager is installed in a custom location
  • ClientTool - An executable file included in all Backup Manager installations, which lets you operate the Backup Manager through the terminal
  • takeover - A command that moves the backup device to another category (to another customer or to Managed (passphrase-based) encryption)
    • -partner-uid - The Customer UID copied at Step 1.8
    • -config-path - The file path to the configuration file for the device, which will be updated to reflect the new encryption method

macOS devices

Run the below command on each macOS device you plan to convert to passphrase-based encryption:

  1. Log in to the device on which Backup Manager is installed
  2. Start the Terminal
  3. Run the following command:

    "/Applications/Backup Manager.app/Contents/MacOS/ClientTool" takeover -partner-uid [Customer UID from Management Console] -config-path "/Library/Application Support/MXB/Backup Manager/config.ini"

Command Component - Definition

  • /Applications/Backup Manager.app/ - The default installation directory of the Backup Manager. Make sure you change this path if the Backup Manager is installed in a custom location
  • ClientTool - An executable file included in all Backup Manager installations, which lets you operate the Backup Manager through the terminal
  • takeover - A command that moves the backup device to another category (to another customer or to Managed (passphrase-based) encryption)
    • -partner-uid - The Customer UID copied at Step 1.8
    • -config-path - The file path to the configuration file for the device, which will be updated to reflect the new encryption method
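
An added example, not part of the vendor's documentation: a POSIX shell wrapper for Linux that takes the advised copy of config.ini before running the takeover command from Step 2. The backup directory and the function names are assumptions; set CLIENT_TOOL and CONFIG_PATH to the macOS paths above to use it there.

```shell
#!/bin/sh
# Added example (not vendor code): copy config.ini aside, then run the
# takeover command shown in Step 2. Defaults are the Linux paths on this page.
CLIENT_TOOL="${CLIENT_TOOL:-/opt/MXB/bin/ClientTool}"
CONFIG_PATH="${CONFIG_PATH:-/opt/MXB/etc/config.ini}"
BACKUP_DIR="${BACKUP_DIR:-/root/backup-manager-config}"   # assumed location

# Copy the config file into BACKUP_DIR, verify the copy, print its path.
backup_config() {
    [ -f "$CONFIG_PATH" ] || { echo "config not found: $CONFIG_PATH" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || return 1
    copy="$BACKUP_DIR/config.ini.$(date +%Y%m%d-%H%M%S)"
    cp "$CONFIG_PATH" "$copy" && chmod 600 "$copy" || return 1
    cmp -s "$CONFIG_PATH" "$copy" || { echo "copy differs from original" >&2; return 1; }
    echo "$copy"
}

# Back up the config, then convert the device using the Customer UID from Step 1.
convert_device() {
    uid="$1"
    [ -n "$uid" ] || { echo "usage: convert_device <Customer UID>" >&2; return 2; }
    [ -x "$CLIENT_TOOL" ] || { echo "ClientTool not found: $CLIENT_TOOL" >&2; return 1; }
    saved=$(backup_config) || return 1      # refuse to convert without a copy
    echo "config saved to $saved" >&2
    "$CLIENT_TOOL" takeover -partner-uid "$uid" -config-path "$CONFIG_PATH"
}

# Run only when a Customer UID is passed on the command line.
if [ "$#" -gt 0 ]; then
    convert_device "$1"
fi
```

Because the conversion cannot be reversed, the wrapper stops before calling ClientTool if the copy cannot be made or does not match the original.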

Step 3. Test the conversion (optional)

Once the command has completed, you can close out of the control panel/terminal and run a test to make sure the device has been successfully converted to passphrase-based encryption:

  1. Get the passphrase for the device
  2. Add the device to the Recovery Console with the passphrase, or install the device on an additional machine in the restore-only mode

If you have at least one backup session completed on the device, you can go even further and run a test restore.

It is a good practice to periodically test your Encryption Key/Security Code or Passphrase this way.