End-to-end security and privacy of customer data is one of the core pillars of Carbonite Endpoint. Our automated key management and encryption technology, used together with our data deduplication, delivers both deduplication efficiency and data security. This document describes the end-to-end encryption process and the life cycle management of the encryption keys.
During creation of a company account (tenant), a cryptographically random 1024-bit RSA key pair is generated and stored in the vault. Company encryption keys are stored separately from any data held in the vault and are NOT used to encrypt data; they are used only to wrap and escrow device keys, as described below. Company encryption keys can be rotated as required by contacting Carbonite support. Note that 1024-bit RSA has been disallowed for new key transport use by NIST SP 800-131A since 2013 and 2048 bits is the current minimum; because the company key protects every escrowed device key of the tenant, its size bounds the security of the whole escrow.
During company key rotation, a new cryptographically random key pair is generated and each escrowed device key is re-wrapped with the new company key. Since no data is encrypted with the company key, rotation does not require any data to be re-uploaded or any device to be reactivated.
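The enrollment, escrow and rotation flow described in the two paragraphs above, as an added example in Go using only the standard library. This is illustrative code written for this page, not Carbonite's implementation, and it makes assumptions the page does not state: device keys are 256-bit AES keys, data is sealed with AES-256-GCM, wrapping is RSA-OAEP with SHA-256, the device ID is bound in as the OAEP label, and the company key is 2048-bit (the page states 1024-bit; the size is a parameter). The function and type names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Tenant models a company account: an RSA key pair used only to wrap device
// keys, plus the escrow of wrapped device keys (device ID -> blob). Illustrative
// model for this page, not Carbonite's code.
type Tenant struct {
	key    *rsa.PrivateKey
	escrow map[string][]byte
}

func NewTenant(bits int) (*Tenant, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Tenant{key: k, escrow: map[string][]byte{}}, nil
}

// wrap is RSA-OAEP(SHA-256) with the device ID as the OAEP label. The label is
// this example's choice: a blob escrowed for one device does not unwrap under
// another device's ID.
func wrap(pub *rsa.PublicKey, id string, dk []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dk, []byte(id))
}

// EnrollDevice generates an AES-256 device key, escrows it wrapped under the
// company public key, and hands the plaintext key to the device.
func (t *Tenant) EnrollDevice(id string) ([]byte, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return nil, err
	}
	blob, err := wrap(&t.key.PublicKey, id, dk)
	if err != nil {
		return nil, err
	}
	t.escrow[id] = blob
	return dk, nil
}

// RecoverDeviceKey is the escrow path: the company private key unwraps the blob.
func (t *Tenant) RecoverDeviceKey(id string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.key, t.escrow[id], []byte(id))
}

// RotateKey generates a new company key, unwraps every device key with the old
// key and re-wraps it with the new one; device keys and data are untouched. The
// swap happens only once every blob is re-wrapped, so a mid-way failure changes nothing.
func (t *Tenant) RotateKey(bits int) error {
	newKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	rewrapped := make(map[string][]byte, len(t.escrow))
	for id := range t.escrow {
		dk, err := t.RecoverDeviceKey(id) // t.key is still the old key here
		if err != nil {
			return fmt.Errorf("rotation aborted at device %q: %w", id, err)
		}
		if rewrapped[id], err = wrap(&newKey.PublicKey, id, dk); err != nil {
			return err
		}
	}
	t.key, t.escrow = newKey, rewrapped
	return nil
}

// DeviceCipher is the AES-256-GCM AEAD a device uses for its backup data. The
// company key never touches data, which is why rotation needs no re-upload.
func DeviceCipher(dk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	tenant, _ := NewTenant(2048) // the page states 1024-bit keys; 2048 is used here
	dk, _ := tenant.EnrollDevice("laptop-01")
	gcm, _ := DeviceCipher(dk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // demo only; check the error outside a throwaway main
	sealed := gcm.Seal(nil, nonce, []byte("backup block"), nil) // constructed sample data
	_ = tenant.RotateKey(2048)
	recovered, _ := tenant.RecoverDeviceKey("laptop-01")
	gcm2, _ := DeviceCipher(recovered)
	plain, err := gcm2.Open(nil, nonce, sealed, nil)
	fmt.Printf("device key unchanged: %v, data after rotation: %q (%v)\n",
		bytes.Equal(dk, recovered), plain, err)
}
```

The two properties worth checking after a rotation are that the escrowed blob has changed while the device key it protects has not, and that data sealed before the rotation still opens with the key recovered from the new escrow. Building the new escrow in a separate map and swapping it in only at the end is what keeps a failure part-way through from leaving some devices wrapped under a key the vault no longer holds.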