Carbonite Support > Message: "Missing Private Encr...

Message: "Missing Private Encryption Key"

Summary:

The error “Missing Private Encryption Key” appears when you:

  • Open CSSB
  • Click a Backup Set on the dashboard
  • Edit a backup set
  • Validate a backup set
  • After importing an existing backup set
Carbonite Safe Server Backup displaying a ''Missing Private Encryption Key'' error

Please note that this article is only for the specific error mentioned above and is not intended for encryption key-related errors that occur at the time of a restore. The errors (and workflows) related to missing or incorrect encryption keys during a restore are completely different.

Cause:

This error indicates one of two things:

  1. CSSB is unable to find a private encryption key that you previously configured.
    1. Possible causes: It has been removed, deleted, renamed, cannot be read due to permissions, or has otherwise been modified in such a way that CSSB no longer recognizes the key.
  2. You are attempting to perform backups using a backup set that both originated on another computer and had private key encryption configured.
    1. It is not an intended/supported workflow to import a backup set from Computer A to Computer B and continue your backups. This is intended for restore purposes only.

This article applies to:

Carbonite Plans Products Platforms Version
Power and Ultimate (Not sure?) Carbonite Safe Server Backup (Not sure?) Windows 6.x

Solution:

If this is not a backup set that has been imported from another computer:

  1. If you have a copy of your encryption key, simply move it to the folder where the key should exist, then perform a new full backup.
    1. The error message includes the path where the key should be.
    2. This will not work if the backup set was imported from another computer!
  2. If you do NOT have a copy of your encryption key, or if Step 1 does not work:
    1. Create a new encryption key as described in this article.
      1. You may need to use the “Delete Key” option as described in the above article before you can create a new key.
    2. Then take a new full backup of the backup set.
    3. Repeat as necessary for other backup sets.

If this is a backup set that was imported from another computer:

  • You may see the error even if the Private Encryption Key exists in the correct folder as described in Step 1a above.
    • Placing the .aes file into the location is not sufficient for a backup set imported from another computer.
  • You may follow Step 2a above to remove the error message if it is blocking your ability to perform other actions in the backup set.
  • However, it is not recommended to continue backups using a backup set that originated on another computer, especially if a Private Encryption Key is in use. Risks include, but are not limited to:
    • Data becomes non-restorable because some or all of a backup cycle is encrypted using different encryption keys.
    • Data becomes non-restorable because some or all of a backup cycle is using a key that no longer exists and cannot be recreated because someone forgot the password.
    • Data that is assumed to be protected is not because the selections made on the original machine do not exactly match the location of data on the new machine.
    • Errors occur because of environmental differences such as permissions, domain structure, domain trust, access to network resources, etc.
  • Instead, follow these Best Practices:
    • Disable the imported backup set or delete its schedules so it does not attempt further backups on this computer.
    • Create a new backup set, ensuring that all selections are correct.
      • There is a Copy Backup Set function available, but it is not recommended. Copying the imported backup set will simply create an exact duplicate—duplicating the risks, too!
    • If you want to use Private Key Encryption, create a new Private Encryption Key to protect the new backup set.
    • Perform a full backup of the new backup set.
    • Delete the imported backup set.
      • You may wish to delete the set without deleting the associated data immediately, so the new backup set has time to establish new backups.

Instructions on disabling, copying, and deleting backup sets can be found in this article.

It is strongly recommended to take a new full backup after editing, modifying, or otherwise changing a Private Encryption Key. This ensures that each backup in a cycle is encrypted with a single password. It is difficult, if not impossible, to restore data from backup cycles that are encrypted with one key for some of the cycle and another key for the rest.

Feedback