# RSA Lockbox: Setup and Usage RSA Lockbox is a customer-managed encryption key (CMEK) mode in Cloudback. You supply an RSA public key, and Cloudback encrypts each backup's password with it. Only you can decrypt those passwords using your private key. ## Prerequisites * An RSA key pair (minimum 2048 bits) in PEM format. * If you don't have one, see [Generating an RSA key pair](#generating-an-rsa-key-pair) below. ## How it works 1. **You provide your RSA public key.** The private key never leaves your infrastructure. 2. **For each backup,** Cloudback generates a unique random ZIP password and encrypts it with your public key using RSA-OAEP with SHA-256. Only the ciphertext is stored. 3. **To restore or download,** you paste your private key into a dialog. Cloudback decrypts the password in memory and never persists the private key. This gives you full control over backup encryption: even if Cloudback were compromised, your archives stay protected without your private key. ## Setting up RSA Lockbox ### Step 1: Create an encryption provider 1. Go to **Account Settings**. 2. Open the **Encryption Providers** section and click **Add Encryption Provider**. 3. Select **RSA Lockbox** as the type. 4. Enter a name for the provider (e.g., "Production RSA Key"). 5. Paste your RSA **public key** in PEM format into the text area. It should look like: ``` -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A... -----END PUBLIC KEY----- ``` 6. Click **Save**. Cloudback validates that the key is a valid RSA key of at least 2048 bits before accepting it. ![New Encryption Provider form](/files/T81EKrHjOWaGp0wieec2) ### Step 2: Set provider access 1. In the encryption provider's settings, open the **Access** panel. 2. Check the accounts that should use this provider. 3. Click **Save**. A single provider can be made available to multiple accounts. ![Encryption Provider Access Editor](/files/fTuhcRCXHlKmvcgver9k) ### Step 3: Select the provider for backups 1. Go to **Account Settings** for the target account. 2. Under **Backup Encryption**, select your new RSA Lockbox provider from the dropdown. 3. Click **Save**. All future backups for this account will now use the selected provider. Existing backups are not affected. ![Account Settings - Backup Encryption dropdown](/files/8VR2LHC5NNWlDs09c3lu) ## Restoring or downloading a backup When you restore or download a backup that was encrypted with RSA Lockbox, Cloudback will prompt you for your private key: 1. Click **Restore** or **Download** on the backup. 2. A dialog appears asking for your RSA private key. 3. Paste the private key in PEM format: ``` -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA... -----END RSA PRIVATE KEY----- ``` Both PKCS#1 (`BEGIN RSA PRIVATE KEY`) and PKCS#8 (`BEGIN PRIVATE KEY`) formats are accepted. 4. Click **Submit**. Cloudback decrypts the backup password in memory and proceeds with the operation. The private key is used only for the duration of the request and is never stored. ## Rotating your RSA key If you need to replace your RSA key pair (e.g., for periodic rotation or after a suspected compromise), update the public key on the RSA Lockbox provider. Cloudback supports re-encrypting existing backup passwords with the new public key. ### Steps 1. Open the encryption provider you want to update. 2. Replace the public key with your new public key. 3. Click **Save**. 4. If there are existing backups encrypted with the old key, Cloudback will open a **Re-encryption** dialog: * **Phase 1:** Choose whether to re-encrypt existing passwords, skip re-encryption, or cancel. * **Phase 2:** If you chose to re-encrypt, paste the **old private key** so Cloudback can decrypt the existing passwords. * **Phase 3:** Cloudback re-encrypts all passwords with the new public key. Progress is shown during the operation. 5. Once complete, existing backup passwords have been re-encrypted with the new public key, and future backups use it too. ### What happens if you skip re-encryption? * The public key on the provider is updated. Future backups use the new public key. * Existing backups remain encrypted with the old key. You will need the **old private key** to restore or download them. * This means you must retain both the old and new private keys. ### Re-encryption details * Passwords are re-encrypted in batches, within a single database transaction. * If any row fails to decrypt (e.g., wrong private key), the entire operation rolls back and no changes are made. * The old private key is held in server memory only for the duration of the re-encryption request. ## Deleting an encryption provider You can delete a custom encryption provider only if there are **no active backups** protected by it. If backups still reference the provider, the delete button is disabled. To delete a provider that has active backups: 1. Delete or let the retention policy expire the backups protected by that provider. 2. Once no backups reference the provider, it can be deleted. ## Generating an RSA key pair If you don't already have an RSA key pair, you can generate one with OpenSSL: ```bash # Generate a 4096-bit RSA private key openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:4096 # Extract the public key openssl rsa -pubout -in private-key.pem -out public-key.pem ``` Upload the contents of `public-key.pem` to Cloudback. Store `private-key.pem` securely - you will need it every time you restore or download a backup. **Important:** If you lose your private key, any backups encrypted with the corresponding public key **cannot be recovered**. Store your private key in a secure location such as a hardware security module (HSM), a secrets manager, or an encrypted vault. ## Security considerations * **RSA-OAEP with SHA-256** is used for all encryption operations. This is the recommended padding scheme for RSA encryption. * **Minimum key size is 2048 bits.** We recommend 4096 bits for long-term protection. * **Cloudback never stores your private key.** It exists in server memory only during restore, download, or re-encryption requests, and is discarded immediately after. * **Key fingerprints** (first 16 hex characters of the SHA-256 hash of the public key) are recorded in the audit log for traceability, allowing you to verify which key was used without exposing the full key. ## Learn More * [Encryption Overview](/encryption-management/encryption-overview.md) - overview of all encryption modes * [Password-Protected Archives](/security-and-compliance/password-protected-archives.md) - AES-256 ZIP encryption details * [Account Settings](/managing-backups/account-settings.md) - configuring default settings per account * [Audit Log](/security-and-compliance/audit-log.md) - tracking all account activities --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloudback.it/encryption-management/rsa-lockbox.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.