Encrypting Backups

We support the use of certificates to encrypt backups. Follow the steps below; all commands are run in PowerShell with administrator permissions.

  1. Create a certificate and private key using the following command:

    certreq -new ./encryption.inf ./cert.cer

    The contents of the encryption.inf file should be as follows:

    [Version]
    Signature = "$Windows NT$"
     
    [Strings]
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"
     
    [NewRequest]
    Subject = "CN=DealCloud QA Auto Tests,O=DealCloud,L=Jersey City,S=NJ,C=US"
    FriendlyName = "DealCloud QA Auto Tests Documents Signing"
    KeyLength = 2048
    HashAlgorithm = SHA256
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    Exportable = true
    MachineKeySet = true
    RequestType = Cert
    KeySpec = AT_KEYEXCHANGE
    KeyUsage = CERT_KEY_ENCIPHERMENT_KEY_USAGE
    ValidityPeriod = Years
    ValidityPeriodUnits = 3
     
    [Extensions]
    %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
  2. Import the certificate into the Windows Certificate Manager:

     2.1. Double-click on cert.cer -> Install Certificate.
     2.2. Store Location: Local Machine.
     2.3. Certificate Store: Personal.

  3. Export the certificate to a PFX file:

     3.1. Open the Windows Certificate Manager (certlm.msc).
     3.2. Go to Personal -> Certificates.
     3.3. Right-click on the certificate -> All Tasks -> Export.
     3.4. Select "Yes, export the private key".
     3.5. Select "Include all certificates in the certification path if possible".
     3.6. Select Password and enter a password.
     3.7. Select a location to save the PFX file.

  4. Encrypt the backup using the following command:

    # Protect-CmsMessage emits an ASCII-armored CMS message (text), which step 5 reads back from encrypted.txt
    Protect-CmsMessage -To ./cert.cer -Path ./test.zip | Out-File ./encrypted.txt

    The certificate (PFX) password is the one entered in step 3.6.

  5. Decrypt the backup using the following command:

    Unprotect-CmsMessage -Path ./encrypted.txt

  6. To use the certificate in the DealCloud application, go to Admin -> Site Settings -> Integrations -> Backup -> Encryption Certificate and upload the .cer file.
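The following script is an added example for steps 4 and 5, not part of the original page or of DealCloud's tooling: it checks that the certificate from step 1 actually carries the Document Encryption EKU, encrypts an archive, restores it, and verifies the restored file by SHA-256 hash. It assumes cert.cer is the certificate produced in step 1, backup.zip is the archive to protect, and the matching private key is installed in LocalMachine\Personal on the machine running the restore; because Unprotect-CmsMessage returns a string, the binary archive is base64-encoded before encryption instead of being passed with -Path.

```powershell
# Added example (assumed file names; cert.cer comes from step 1 of the page).
$ErrorActionPreference = 'Stop'
$CertPath     = '.\cert.cer'
$BackupPath   = '.\backup.zip'
$CmsPath      = '.\backup.zip.cms'
$RestoredPath = '.\backup.restored.zip'

# 1. Confirm the certificate carries the Document Encryption EKU (1.3.6.1.4.1.311.80.1),
#    the same OID requested in encryption.inf; Protect-CmsMessage rejects certificates without it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
if ($ekuOids -notcontains '1.3.6.1.4.1.311.80.1') {
    throw "Certificate $($cert.Thumbprint) lacks the Document Encryption EKU"
}

# 2. Record the hash of the plaintext archive so the restore can be verified.
$expected = (Get-FileHash -Path $BackupPath -Algorithm SHA256).Hash

# 3. Encrypt. The archive is base64-encoded so the decrypted string round-trips to bytes;
#    the CMS output is ASCII text, so it is written with an explicit ASCII encoding.
$bytes = [IO.File]::ReadAllBytes((Resolve-Path $BackupPath).Path)
$b64   = [Convert]::ToBase64String($bytes)
Protect-CmsMessage -To $cert -Content $b64 | Out-File -FilePath $CmsPath -Encoding ascii

# 4. Restore with the private key from the certificate store and compare hashes.
$plain = Unprotect-CmsMessage -Path $CmsPath
$outFile = Join-Path (Get-Location).Path (Split-Path -Leaf $RestoredPath)
[IO.File]::WriteAllBytes($outFile, [Convert]::FromBase64String($plain))
$actual = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "Restore verification failed: got $actual, expected $expected"
}
Write-Host "Encrypted $BackupPath to $CmsPath; restore verified (SHA256 $expected)"
```

Run the restore half on the machine that holds the private key; if the key is only in the PFX from step 3, import that PFX into Local Machine -> Personal first.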