Sendense Documentation

Encryption Key Management

Create, escrow, verify, and delete the AES-256 keys that protect encrypted backups - and why a .skey file plus its passphrase is your only recovery path if the appliance is lost.

Documents Home

Operations

Encryption Key Management

Create, escrow, verify, and delete the AES-256 keys that protect encrypted backups - and why a .skey file plus its passphrase is your only recovery path if the appliance is lost.

ReadyCurrentencryptionkeysescrowsecurity

What Encryption Keys Are

Sendense encrypts backup data with AES-256. The Encryption page in SHA Settings is the inventory of every backup encryption key the appliance holds. From here, appliance administrators create keys, import them, download passphrase-protected escrow copies, verify and change passphrases, and delete keys that are no longer needed. Clicking any key opens a details panel with its source, identifying checksum, creation date, and recent activity.

Pattern keys
Created automatically when you enable encryption on a protection pattern. A pattern key protects every encrypted backup taken under that pattern.
Standalone keys
Reusable keys you create manually on this page and later assign to protection patterns.
Imported keys
Keys attached to individual backup chains when you import existing encrypted backups into a repository. Managed automatically by the appliance; they have no passphrase of their own.

How Keys Are Protected

Every key is stored double-wrapped, never in the clear. One copy is encrypted under an appliance-managed instance key - this is how scheduled backups and restores run around the clock with no passphrase prompts. The other copy is encrypted under the passphrase you chose, and is what you download as a .skey escrow file.

A .skey file never contains your raw key - only a passphrase-encrypted copy plus the data needed to verify it. That makes it safe to store away from the appliance, but only as safe as its passphrase. Treat the passphrase as the real secret, and store the file and the passphrase separately.

Key changes on this page - creating, importing, deleting, or changing a passphrase - also trigger a refresh of the appliance's recovery bundles (see Appliance Disaster Recovery). Treat the bundles as appliance recovery, not as a substitute for your own .skey escrow.

Escrow model: one key, two wrappings

AES-256

Backup encryption key

A randomly generated key that encrypts the backup data. Never stored unprotected.

Hands-free operation

Appliance copy

The key wrapped under an appliance-managed instance key, so scheduled backups and restores run without passphrase prompts.

AES-256

Backup encryption key

A randomly generated key that encrypts the backup data. Never stored unprotected.

Passphrase-protected

.skey escrow file

The key wrapped under your passphrase, exported as a portable file. Useless without the passphrase.

Passphrase-protected

.skey escrow file

The key wrapped under your passphrase, exported as a portable file. Useless without the passphrase.

Any Sendense system

Disaster recovery

Import the .skey with its passphrase to regain access to encrypted backups if the appliance is lost.

Your only recovery path

If the appliance is ever lost, a .skey file plus its passphrase is the only way to regain access to encrypted backups. Without both, encrypted backups are permanently unrecoverable. Download a .skey for every pattern and standalone key, and keep the file and its passphrase in separate secure locations.

Creating And Importing Keys

Create Key generates a new standalone key. You choose a name and a passphrase of at least 12 characters containing uppercase, lowercase, a number, and a special character; the dialog shows live strength indicators and asks you to confirm the passphrase. As soon as the key is created, store the passphrase safely and download a .skey escrow copy. Pattern keys are created from the protection pattern side when you enable encryption there, with the same passphrase rules.

Import Key accepts a .skey file together with its passphrase. The appliance verifies the passphrase and the file's integrity before accepting the key - a wrong passphrase or a corrupted file is rejected. If the protection pattern the key belonged to still exists, the key is restored onto that pattern. If it does not, Sendense creates a new disabled placeholder pattern, named after the key with "(Imported)" appended, to hold the key until you configure that pattern.

Exporting .skey Escrow Files

Pattern and standalone keys can be exported at any time from the key list or the details panel. The download is a .skey file that works on any Sendense system, so it is your portable disaster-recovery copy.

Imported (chain) keys cannot be exported - they are managed automatically by the appliance. A standalone key that has already been deleted also refuses export, so always export before you delete.

  • Export a fresh .skey whenever you create a key and again after every passphrase change.
  • Store the .skey file and its passphrase in two separate secure locations, both away from the appliance.
  • Keep escrow copies for retired keys until every backup they protect has aged out of retention.

Verifying And Changing Passphrases

For pattern and standalone keys, the details panel lets you verify a passphrase - a quick check that the passphrase you have on record still opens the key - and change it. Verification attempts and passphrase changes are recorded in the key's activity history. Imported keys have no passphrase, so neither option applies to them.

Changing a passphrase requires the current passphrase, and there is no reset path if it is lost. A change re-wraps the same underlying key: backup data is not re-encrypted, and any .skey you exported earlier still opens with the old passphrase. After a change, export a fresh .skey and destroy old copies - especially if you changed the passphrase because the old one may have been exposed.

If a passphrase is lost while the appliance is healthy, scheduled backups and restores keep running, because the appliance uses its own wrapped copy of the key. But you can no longer verify or change that passphrase, and any .skey you exported is unusable without it. To return to a fully escrowed state, assign a new key to the pattern and escrow the new key properly.

Deleting Keys

Deleting a key means different things depending on its source, and for pattern and imported keys it is irreversible for the backups they protect. The confirmation dialog is your safeguard - read it, and export a .skey first if there is any chance you will need the data again.

Deleting a pattern key
Removes all key material from the pattern and disables its encryption. Every encrypted backup already taken under that pattern becomes permanently unrecoverable unless you hold a .skey for that key plus its passphrase. Future backups of that pattern are no longer encrypted until you re-enable encryption.
Deleting an imported (chain) key
Removes the key from that one imported backup chain. The backups in that chain become undecryptable.
Deleting a standalone key
A deactivation, not a destruction. The key disappears from the list, can no longer be assigned to new patterns, and can no longer be exported - but patterns that already adopted it keep their own copy and continue backing up and restoring normally.

Rotating To A New Key

There is no in-place key rotation on this page. To re-key a pattern, assign a different key from the protection pattern itself. The next backup of every VM in that pattern is then a full backup that starts a new chain under the new key.

Older chains stay readable with the old key until retention expires, so keep the old key - and its .skey escrow - until every backup it protects has aged out.

Related Docs