Convert devices to passphrase-based encryption
This article explains how to convert backup devices deployed with private key encryption to passphrase-based encryption. Reasons to consider the feature:
- You no longer wish to individually manage security codes for backup devices.
- You have lost or forgotten a security code for a device.
Please be aware that once this change is made, you cannot change back to using the original encryption key/security code.
Differences between encryption methods
- Private key encryption relies on encryption keys/security codes that are defined by users during Backup Manager installation. The encryption key/security code is set once and cannot be changed or retrieved afterwards.
- Passphrase-based encryption uses a system-generated encryption key that is securely accessible from the management console.
Requirements
- Backup Manager version 17.11 or later must be installed and functional on the system you wish to convert.
- The system must be running on Windows.
- The system must be intact (the conversion process will not work after a system is lost, destroyed or infected).
- Access to run the Command Prompt as an administrator is required on each system you wish to convert.
- Backups should not be actively running during this process.
Step 1. Get a partner UID for conversion
- Log in to the Console under a SuperUser account with security officer permissions.
- In the left navigation bar, click Group management.
- Select the group containing backup devices you want to convert.
- Enable the Automatic Deployment option (if it is disabled) and copy the UID for later use.
You can re-use the UID for any number of devices belonging to the group.
Step 2. Perform conversion on each device
Run the command below on each Windows device you plan to convert to passphrase-based encryption.
- Log in to the system on which the backup device is installed.
- Start the Command Prompt as an administrator and run the following command.
"C:\Program Files\Backup Manager\ClientTool.exe" takeover -partner-uid 92bcdff7-9a73-46f4-8xYxTa-8exXxXxXxX0b11d -config-path "c:\Program Files\Backup Manager\config.ini"
Here is what the command contains:
- ClientTool.exe – an executable file included in all Backup Manager installations. It lets you operate the Backup Manager through the command line.
- C:\Program Files\Backup Manager\ – the default installation directory of the Backup Manager. Make sure you edit the path if the Backup Manager is installed at a custom location.
- takeover – a command that moves a backup device to another category (to another group or to passphrase-based encryption).
- partner-uid – the UID you copied at step 1.
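The step 2 command with the elevation and installation-path requirements checked first, written as a PowerShell wrapper. This is an added example, not code from the original article or the vendor; the parameter names, the GUID-shape warning and the exit-code check are assumptions.

```powershell
# Added example: pre-flight checks around the takeover command from step 2.
# Assumptions (not from the article): the parameter names, the GUID-shape warning,
# and that ClientTool.exe returns a non-zero exit code on failure.
param(
    [Parameter(Mandatory)] [string] $PartnerUid,
    [string] $InstallDir = 'C:\Program Files\Backup Manager'
)

$ErrorActionPreference = 'Stop'

# Requirement: the command must be run from an administrator session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) session.'
}

# Requirement: Backup Manager is installed. Pass -InstallDir for a custom location.
$clientTool = Join-Path $InstallDir 'ClientTool.exe'
$configPath = Join-Path $InstallDir 'config.ini'
foreach ($path in $clientTool, $configPath) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Not found: $path" }
}

# Assumption: the UID copied in step 1 has GUID form. Warn only, do not block.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($PartnerUid, [ref] $parsed)) {
    Write-Warning "Partner UID '$PartnerUid' is not in GUID form; check it was copied in full."
}

# Not checked here: that no backup is actively running (confirm this manually).
# The conversion cannot be reverted, so require an explicit confirmation.
$answer = Read-Host "Convert $env:COMPUTERNAME to passphrase-based encryption? This cannot be undone. Type YES"
if ($answer -cne 'YES') { Write-Host 'Aborted.'; exit 1 }

& $clientTool takeover -partner-uid $PartnerUid -config-path $configPath
if ($LASTEXITCODE -ne 0) { throw "ClientTool.exe exited with code $LASTEXITCODE" }
Write-Host 'Takeover command completed. Test the conversion as described in step 3.'
```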
Step 3. Test the conversion (optional)
Now you can run a test to make sure the device has been successfully converted to passphrase-based encryption. Here are steps to follow:
- Get a passphrase (instructions).
- Add the device to the Recovery Console with that passphrase or install the device on an additional machine in the restore-only mode.
If you have at least 1 backup session completed on the device, you can go even further and run a test restore.
It is a good practice to periodically test your security codes or passphrases this way.