Operations
Encryption Key Management
Create, escrow, verify, and delete the AES-256 keys that protect encrypted backups - and why a .skey file plus its passphrase is your only recovery path if the appliance is lost.
What Encryption Keys Are
Sendense encrypts backup data with AES-256. The Encryption page in SHA Settings is the inventory of every backup encryption key the appliance holds. From here, appliance administrators create keys, import them, download passphrase-protected escrow copies, verify and change passphrases, and delete keys that are no longer needed. Clicking any key opens a details panel with its source, identifying checksum, creation date, and recent activity.
How Keys Are Protected
Every key is stored double-wrapped, never in the clear. One copy is encrypted under an appliance-managed instance key - this is how scheduled backups and restores run around the clock with no passphrase prompts. The other copy is encrypted under the passphrase you chose, and is what you download as a .skey escrow file.
A .skey file never contains your raw key - only a passphrase-encrypted copy plus the data needed to verify it. That makes it safe to store away from the appliance, but only as safe as its passphrase. Treat the passphrase as the real secret, and store the file and the passphrase separately.
Key changes on this page - creating, importing, deleting, or changing a passphrase - also trigger a refresh of the appliance's recovery bundles (see Appliance Disaster Recovery). Treat the bundles as appliance recovery, not as a substitute for your own .skey escrow.
Escrow model: one key, two wrappings
AES-256
Backup encryption key
A randomly generated key that encrypts the backup data. Never stored unprotected.
Hands-free operation
Appliance copy
The key wrapped under an appliance-managed instance key, so scheduled backups and restores run without passphrase prompts.
AES-256
Backup encryption key
A randomly generated key that encrypts the backup data. Never stored unprotected.
Passphrase-protected
.skey escrow file
The key wrapped under your passphrase, exported as a portable file. Useless without the passphrase.
Passphrase-protected
.skey escrow file
The key wrapped under your passphrase, exported as a portable file. Useless without the passphrase.
Any Sendense system
Disaster recovery
Import the .skey with its passphrase to regain access to encrypted backups if the appliance is lost.
Your only recovery path
If the appliance is ever lost, a .skey file plus its passphrase is the only way to regain access to encrypted backups. Without both, encrypted backups are permanently unrecoverable. Download a .skey for every pattern and standalone key, and keep the file and its passphrase in separate secure locations.
Creating And Importing Keys
Create Key generates a new standalone key. You choose a name and a passphrase of at least 12 characters containing uppercase, lowercase, a number, and a special character; the dialog shows live strength indicators and asks you to confirm the passphrase. As soon as the key is created, store the passphrase safely and download a .skey escrow copy. Pattern keys are created from the protection pattern side when you enable encryption there, with the same passphrase rules.
Import Key accepts a .skey file together with its passphrase. The appliance verifies the passphrase and the file's integrity before accepting the key - a wrong passphrase or a corrupted file is rejected. If the protection pattern the key belonged to still exists, the key is restored onto that pattern. If it does not, Sendense creates a new disabled placeholder pattern, named after the key with "(Imported)" appended, to hold the key until you configure that pattern.
Exporting .skey Escrow Files
Pattern and standalone keys can be exported at any time from the key list or the details panel. The download is a .skey file that works on any Sendense system, so it is your portable disaster-recovery copy.
Imported (chain) keys cannot be exported - they are managed automatically by the appliance. A standalone key that has already been deleted also refuses export, so always export before you delete.
- Export a fresh .skey whenever you create a key and again after every passphrase change.
- Store the .skey file and its passphrase in two separate secure locations, both away from the appliance.
- Keep escrow copies for retired keys until every backup they protect has aged out of retention.
Verifying And Changing Passphrases
For pattern and standalone keys, the details panel lets you verify a passphrase - a quick check that the passphrase you have on record still opens the key - and change it. Verification attempts and passphrase changes are recorded in the key's activity history. Imported keys have no passphrase, so neither option applies to them.
Changing a passphrase requires the current passphrase, and there is no reset path if it is lost. A change re-wraps the same underlying key: backup data is not re-encrypted, and any .skey you exported earlier still opens with the old passphrase. After a change, export a fresh .skey and destroy old copies - especially if you changed the passphrase because the old one may have been exposed.
If a passphrase is lost while the appliance is healthy, scheduled backups and restores keep running, because the appliance uses its own wrapped copy of the key. But you can no longer verify or change that passphrase, and any .skey you exported is unusable without it. To return to a fully escrowed state, assign a new key to the pattern and escrow the new key properly.
Deleting Keys
Deleting a key means different things depending on its source, and for pattern and imported keys it is irreversible for the backups they protect. The confirmation dialog is your safeguard - read it, and export a .skey first if there is any chance you will need the data again.
Rotating To A New Key
There is no in-place key rotation on this page. To re-key a pattern, assign a different key from the protection pattern itself. The next backup of every VM in that pattern is then a full backup that starts a new chain under the new key.
Older chains stay readable with the old key until retention expires, so keep the old key - and its .skey escrow - until every backup it protects has aged out.
Related Docs