Encrypting Backups
To securely encrypt your backups, DealCloud uses a certificate-based approach. The backup data is protected with a password-encrypted .zip file. The password itself is encrypted using the certificate provided.
Follow the steps below to configure encryption, then download and decrypt a backup.
Workflow
Obtain a Certificate
Obtain a valid certificate from your firm's IT or security team. (Note: if your firm does not provide certificates or needs additional information, see 'Generating a Self-Signed Certificate' for an example.)
Open Up DealCloud Site Backup Section
Navigate to the Site Backup section (Admin > Site Settings > Integration > Site Backup) and click on the Site Backup button to open up the modal.
Upload Certificate
Under the Encryption section, select "Encrypt by Encryption Key" under the Encryption Type dropdown. Upload your certificate file (.pfx, .cer) and once uploaded, hit Save.
Validate: Download Encrypted Backup
To validate, you may either request an ad hoc backup or wait until your next daily backup is generated (if enabled). The next backup file that is generated will be encrypted.
Once generated, you will notice two files:
backup.zip — The encrypted, password-protected backup .zip file
backup.zip.txt — The encrypted text file that contains the password used to decrypt the .zip file
Decrypt and Extract Backup
Use your certificate private key to decrypt the backup.zip.txt file. You may use the below example commands.
PowerShell (assuming key is installed locally)
Unprotect-CmsMessage -Path "C:\Users\username\Desktop\text.zip.txt"
OpenSSL
openssl cms -decrypt -binary -inform PEM -in backup.zip.txt -inkey example.com.key -print
Finally, use the password obtained to decrypt the backup.zip.
Generating a Self-Signed Certificate
You may already have the required certificate and private key provided by your organization's security or IT team. If unsure, please consult them before generating a self-signed certificate or proceeding with this step.
Using OpenSSL
openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes -keyout example.com.key -out example.com.crt -subj "/CN=example.com"
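The following is an added example, not DealCloud's own tooling: a shell check to run before uploading a certificate, confirming that the private key you hold matches the certificate and can decrypt a CMS message encrypted to it. The function names, the AES-256-CBC cipher and the sample password are assumptions made for this check, and the locally encrypted file only stands in for the backup.zip.txt the service produces.

```shell
#!/bin/sh
# Added example: pre-upload check of a certificate/private-key pair.
# File names follow this page; the secret and cipher choice are constructed.
set -eu

# Succeeds only if the certificate's public key matches the private key.
# $1 = certificate (PEM), $2 = private key (PEM)
keypair_matches() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Encrypts secret $3 to certificate $1 as PEM CMS (a local stand-in for
# backup.zip.txt), then decrypts it with private key $2 and prints it.
cms_roundtrip() {
  rt_dir=$(mktemp -d)
  printf '%s' "$3" | openssl cms -encrypt -binary -aes-256-cbc \
    -outform PEM -out "$rt_dir/backup.zip.txt" "$1"
  openssl cms -decrypt -binary -inform PEM \
    -in "$rt_dir/backup.zip.txt" -inkey "$2"
  rm -rf "$rt_dir"
}

# Generates a throwaway pair in directory $1 (same command as on this page).
make_pair() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$1/example.com.key" -out "$1/example.com.crt" \
    -subj "/CN=example.com" 2>/dev/null
}

# Demonstration on a throwaway pair; point the two functions at your own
# certificate and key files to check a real pair.
demo=$(mktemp -d)
make_pair "$demo"
keypair_matches "$demo/example.com.crt" "$demo/example.com.key" \
  && echo "private key matches certificate"
[ "$(cms_roundtrip "$demo/example.com.crt" "$demo/example.com.key" \
  'constructed-password')" = 'constructed-password' ] && echo "CMS round trip OK"
rm -rf "$demo"
```

If keypair_matches fails for the pair you intend to use, the password file for any backup encrypted to that certificate cannot be decrypted with that key.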