Backup for Files - Set a pass phrase

Written By Tami Sutcliffe (Super Administrator)

Updated at March 31st, 2021

Your pass phrase is what protects your data from unauthorized access. Having a unique, strong pass phrase is a key element to keeping your offsite backup data secure. It is very important that you adequately document your pass phrase, as well as your secret questions in the event that you lose access to your pass phrase and need to recover it. Pass phrase recovery is a complimentary service we offer, and may not always be possible in a given situation. Please keep your pass phrase information stored in a secure location.

Setting your pass phrase 

Before backups can be started for an account, a pass phrase must be set. To set the pass phrase, please take the following steps:

1. Install the Online Backup Manager. 

The software can be downloaded here:

2. If one has not already been created, create a new username in the portal for this backup.

Click here for more information on creating an account.

3. Configure the Online Backup Manager with the username and password.  

Enter the User Name and Password and click Test Connection. If prompted, set a permanent password, which must be at least one character different than the password you originally entered. 

Save the settings.


4. Click the button to Create Pass Phrase.


5. Enter the Pass Phrase you wish to use. Click OK.

You may opt to show the pass phrase as you type. It is strongly recommended that you leave the option to securely store the pass phrase on the server checked, so that you can recover the pass phrase if it is ever forgotten.

Click here for more information about storing your pass phrase securely on the server

The pass phrase is used to encrypt your data and must be remembered in order to recover your data.

  • A secure pass phrase consists of at least three words.
  • A pass phrase should contain numbers and punctuation, placed within and between words for maximum security.
  • A pass phrase is case sensitive.
  • Always store the pass phrase on the server unless your security policy prohibits you from doing so.
  • The pass phrase is dually encrypted and you will be the only person that can recover the pass phrase.

6. Once you have clicked OK, you will get a pop up. Click Yes if you want to print your pass phrase from the machine you are on right now. Click No if you do not want to print the pass phrase from the machine you are on right now.



If you clicked Yes, select the printer you wish to print from, and click OK.

7. A box for your security questions will pop up. Select or enter questions and answers and click OK.

For additional security, your pass phrase will be encrypted using your answers to a list of security questions. You should choose questions that only you would know all of the answers to and yet would never be forgotten. Each additional question increases the level of security exponentially. (Answer at least three questions).

You may choose from these questions: 


Or you can opt to click on the blank selection of the drop down and type any question you prefer in the box.


Enter answers to your questions. You must remember your answers exactly. Answers ignore capitalization and whitespace, but punctuation is important.


For example:

Answer to the question “Date of birth?”

  Option 1      January 1, 2000
  Option 2      Jan. 1, 2000
  Option 3      1-1-2000
  Option 4      1/1/2000
  Option 5      1/1/001
  Option 6      1 1 2000

While these are all the same date, if you used option 3 as the original answer, none of the other answers would be correct if you needed to recover your pass phrase at a later date. White space and capitalization, though, are ignored in answers. So ‘1 1 2000’ and ‘112000’ are the same, and ‘January 1, 2000’ is the same as ‘january 1, 2000’ when answering the questions. The answer ‘January 1 2000’ would NOT be correct, though, due to the lack of punctuation.

8. A confirmation box will pop up with your questions and answers. Please verify that the answers to your questions are correct. You must remember these answers exactly, including punctuation. If you cannot remember these answers exactly as shown, it will be impossible to recover your pass phrase under ANY circumstances.


Once you proceed past this screen, you will not be able to see your answers again.

  • Click Print to print the questions and answers from the machine you are on right now.
  • Click Copy to Clipboard to copy your answers to the clipboard and proceed.
  • Click Proceed to move forward in the process.
  • Click Cancel to return to the question dialog box and change the questions or answers.

If you opt to print/save, you may be brought back to this dialog box to continue forward. If so, click Proceed.

9. You will get a pop up box asking if you want to save your pass phrase to a file (recommended). You must save it to a location that is NOT the C drive of the machine. If you attempt to save it to non-removable media, you may get a pop up stating that it cannot be saved to that location.
Click Yes to save the pass phrase to a file.
Click No to continue without saving the pass phrase to a local removable media storage location.


10. You will get a pop up confirming the pass phrase has been set.


11. You can now configure your backups.

 


 

Storing Your Pass Phrase Securely on the Server

Ensuring your privacy and security is our number one priority. Your pass phrase is encrypted twice before it is stored on the server to prevent anyone but you from recovering the stored pass phrase. The system is designed so that recovering a pass phrase requires action from two people: the person that created the key and a senior level Axcient server technician. Neither person can recover the pass phrase without the cooperation of the other person. The system is also designed so that only the creator of the pass phrase can view the pass phrase once it is recovered.

Is this secure? Will someone be able to access my data?

Using two layers of encryption around the stored pass phrase offers a very high level of protection. The outer layer requires our 3072-bit private key to decrypt. This private key is encrypted by our master pass phrase recovery password, which is never written down and is known by only a few people (it is a closely guarded secret). Even those who know the master pass phrase recovery password cannot view your pass phrase because of the inner layer of encryption protecting your pass phrase.

Decrypting the inner layer of encryption requires knowing the answers to your security questions. The security questions themselves are only protected by the outer layer of encryption (anyone with the private key has access to your security questions). Thus, you should choose questions that are difficult for another person to answer (and yet will be something you will never forget). The more questions you use the harder it is to break the inner layer of encryption. Each additional question makes it exponentially more difficult. We recommend using at least four security questions to protect your pass phrase. The answers to your security questions are only used to encrypt the pass phrase and are never sent across the Internet, stored on the server, or remembered by the client software.

Technical Details

When your pass phrase is stored on the server it is secured by following this process:

  1. You select a series of questions that only you should know the answers to and then provide the answers. You should use enough questions that you are sure only you will have the answers to all of them. A minimum of 3 questions is required.
  2. The answers to the questions are used to generate a 256-bit encryption key by following the standard described in RFC2898 (using SHA-256 for the hash function).
  3. The pass phrase is encrypted using the Advanced Encryption Standard (AES) algorithm and the encryption key derived from the answers to your security questions.
  4. A random 256-bit file encryption key is generated and is used to encrypt your encrypted pass phrase and your list of security questions (but not their answers) using the AES-256 algorithm. The dually encrypted pass phrase and the encrypted list of security questions are together called a pass phrase envelope.
  5. The random 256-bit file key is encrypted using our 3072-bit public key. Only someone with the matching private key can decrypt this data. We are the only ones with access to the private key.
  6. The encrypted 256-bit file key along with the pass phrase envelope is sent via SSL (an encrypted Internet connection) to our server, where it is stored. The permissions on the stored file are narrowed such that only a senior level server technician can access the data.
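
As an added illustration (not Axcient's code), the following Python sketch applies the answer rules described earlier (capitalization and whitespace ignored, punctuation significant) and the RFC 2898 key derivation from step 2. The salt, the iteration count, and the way the answers are combined are assumptions, since this page does not specify them.

```python
import hashlib
import hmac

# Assumed parameters: the page names RFC 2898 with SHA-256 and a 256-bit key,
# but gives no salt, iteration count or answer encoding.
ITERATIONS = 100_000
KEY_LEN = 32  # 256 bits


def normalize_answer(answer: str) -> str:
    """Drop all whitespace and fold case; punctuation is kept, as the page states."""
    return "".join(answer.split()).casefold()


def derive_answer_key(answers, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 2898) over the normalized answers, in order."""
    material = b""
    for answer in answers:
        encoded = normalize_answer(answer).encode("utf-8")
        # Assumed encoding: a length prefix keeps ("ab", "c") distinct from ("a", "bc").
        material += len(encoded).to_bytes(4, "big") + encoded
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, KEY_LEN)


def same_key(original, attempt, salt: bytes) -> bool:
    """True when the attempt derives the same key as the original answers."""
    return hmac.compare_digest(derive_answer_key(original, salt),
                               derive_answer_key(attempt, salt))


# Constructed sample data: a fixed salt and three made-up answers.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ORIGINAL = ["January 1, 2000", "Maple Street", "Rex"]

if __name__ == "__main__":
    attempts = {
        "case and spacing differ": ["january 1,2000", "MAPLE street", " rex "],
        "comma missing": ["January 1 2000", "Maple Street", "Rex"],
        "different date format": ["1/1/2000", "Maple Street", "Rex"],
    }
    for label, attempt in attempts.items():
        result = "match" if same_key(ORIGINAL, attempt, SALT) else "no match"
        print(f"{label}: {result}")
```

Because every answer feeds a single derived key, one wrong answer produces an unrelated key, and nothing in the result shows which answer was wrong.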

When you need to recover your pass phrase it is secured by the following process:

  1. You use the client software to request that your pass phrase be recovered. The software generates a new 3072-bit public/private key pair (this is your request key). 
  2. The public request key and the details of your request are sent via SSL to our server, where they are stored.
  3. A senior level server technician at Axcient will use the master pass phrase recovery program to decrypt the outer layer of your stored pass phrase envelope. This requires the operator to enter the master pass phrase recovery password, which decrypts our 3072-bit private key.
  4. At this point your pass phrase is still encrypted with the 256-bit encryption key that was generated by the answers to your questions. As the technician does not know the answers to your security questions your pass phrase is still private.
  5. The recovery program generates a new 256-bit file key and encrypts the pass phrase envelope. The pass phrase envelope is now fully encrypted again. The new 256-bit file key is encrypted with your request public key. Now the only person that can decrypt the pass phrase envelope is the person with the request private key (the person that submitted the request).
  6. The newly encrypted pass phrase envelope is stored on the server. The technician emails you notifying you that your request has been handled. 
  7. You use the client software to connect to our server and download the response over an SSL connection.
  8. The client software uses the request private key to decrypt the outer layer of the pass phrase envelope.
  9. The client software presents your security questions. If you correctly answer these questions then it will be able to decrypt the final encryption layer protecting your pass phrase, and your pass phrase will be recovered.

Click here for more detailed steps on recovering your pass phrase.