Encrypting Backups

To securely encrypt your backups, DealCloud uses a certificate-based approach. The backup data is stored in a password-encrypted .zip file, and that password is itself encrypted using the certificate you provide.

Follow the steps below to configure encryption, then download and decrypt a backup.

Workflow

Obtain a Certificate

Obtain a valid certificate from your firm's IT or security team. (Note: if your firm does not provide certificates or needs additional information, see 'Generating a Self-Signed Certificate' for an example.)

Open Up DealCloud Site Backup Section

Navigate to the Site Backup section (Admin > Site Settings > Integration > Site Backup) and click on the Site Backup button to open up the modal.

Upload Certificate

In the Encryption section, select "Encrypt by Encryption Key" from the Encryption Type dropdown. Upload your certificate file (.pfx, .cer) and, once it has uploaded, click Save.

Validate: Download Encrypted Backup

To validate, you may either request an ad hoc backup or wait until your next daily backup is generated (if enabled). The next backup file that is generated will be encrypted.

Once generated, you will notice two files:

  • backup.zip — The encrypted, password-protected backup .zip file
  • backup.zip.txt — The encrypted text file that contains the password used to decrypt the .zip file

Decrypt and Extract Backup

Use your certificate's private key to decrypt the backup.zip.txt file. You may use the example commands below.

PowerShell (assuming key is installed locally)

Unprotect-CmsMessage -Path "C:\Users\username\Desktop\backup.zip.txt"

OpenSSL

openssl cms -decrypt -binary -inform PEM -in backup.zip.txt -inkey example.com.key -print

Finally, use the password obtained to decrypt backup.zip.

Generating a Self-Signed Certificate

You may already have the required certificate and private key provided by your organization's security or IT team. If unsure, please consult them before generating a self-signed certificate or proceeding with this step.

Using OpenSSL

openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes -keyout example.com.key -out example.com.crt -subj "/CN=example.com"
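
Before uploading a certificate, it is worth confirming that the private key you hold matches it and can decrypt a CMS message encrypted to it, because the backup password cannot be recovered without that key. The script below is an added example, not DealCloud's own code: it generates a throwaway pair with the command above, checks the key against the certificate, and round-trips a constructed password through openssl cms. The function names, the sample.zip.txt file name and the sample password are assumptions, and it assumes the password file is a PEM CMS envelope, as the decrypt command above implies.

```shell
#!/bin/sh
# Added example: rehearse the certificate workflow locally before uploading.
# example.com.* names follow the page; everything else here is constructed.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Encrypts $3 to the certificate ($1) as PEM CMS, decrypts it with the
# key ($2), and prints the recovered text.
cms_roundtrip() {
    rt_dir=$(mktemp -d) || return 1
    rt_rc=0
    printf '%s' "$3" |
        openssl cms -encrypt -aes256 -binary -outform PEM \
            -out "$rt_dir/sample.zip.txt" "$1" 2>/dev/null || rt_rc=1
    if [ "$rt_rc" -eq 0 ]; then
        openssl cms -decrypt -binary -inform PEM \
            -in "$rt_dir/sample.zip.txt" -inkey "$2" 2>/dev/null || rt_rc=1
    fi
    rm -rf "$rt_dir"
    return "$rt_rc"
}

# Generates a throwaway self-signed pair in directory $1 (the page's command).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$1/example.com.key" -out "$1/example.com.crt" \
        -subj "/CN=example.com" 2>/dev/null
}

# Full rehearsal in a temp directory; returns 0 when everything lines up.
rehearse() {
    rh_dir=$(mktemp -d) || return 1
    rh_crt=$rh_dir/example.com.crt rh_key=$rh_dir/example.com.key rh_rc=1
    if make_test_pair "$rh_dir" && key_matches_cert "$rh_crt" "$rh_key" &&
       [ "$(cms_roundtrip "$rh_crt" "$rh_key" 'constructed-pw')" = 'constructed-pw' ]
    then rh_rc=0; fi
    rm -rf "$rh_dir"
    return "$rh_rc"
}

rehearse && echo "key pair decrypts CMS text: OK"
```

To check a real pair instead of the throwaway one, call key_matches_cert and cms_roundtrip with the paths to your own PEM certificate and key.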