Each Redstor account has its own encryption key, which is used to encrypt that account’s data during the backup process. If this encryption key is lost (e.g. if the machine hosting that account's Agent dies and the user cannot remember the encryption key), there is no way to access the backed-up data (not even for Redstor employees). In managed environments, a Group administrator may wish to avoid this scenario by protecting the encryption keys so that they can be recovered if necessary. This is where Group Certificates come in.


Benefits of Group Certificates:

  • Contingency - Since there is no way for Redstor to access or reset encryption keys, Group Certificates provide a means of doing this.
  • Security – Group Certificates are password-protected and only available to authorised users of the Console where the certificates are loaded.
  • Eliminates human error – Group Certificates are much less risky than, for example, manually saving encryption keys to a text file.
  • Simplifies key management - Encryption keys are captured automatically when new accounts are created.


A Redstor Group Certificate contains a pair of keys: one that can be shared publicly, and one that remains private. Any information (such as encryption keys) that is encrypted with the public key can only be decrypted with the private key.


The Group Certificate key pair is generated from the Group admin's Console. The private key is then stored within that admin's Console, protected by a passphrase selected by the admin themselves. The public key, in turn, is sent to Redstor as part of a Group Certificate request. You can also request a Group Certificate for a Collection. This certificate will then be valid for all Collections and Groups within the parent Collection.


Since access to encryption keys also allows access to the backed-up data, we first verify that the requesting admin has been appropriately authorised by their organisation before signing the certificate. Encryption keys are only captured if a valid, signed certificate is present.


The admin then uploads the signed certificate to the Storage Platform. When a Group Certificate is uploaded, the AccountServer immediately signs and capture all keys that are in the memory cache at that time. As there is no guarantee that a specific key will be in memory when the Group Certificate is uploaded, it is imperative to complete this as soon as possible and not as part of disaster recovery, to ensure access to keys when it matters. All keys are signed and captured after a backup, which means that the only way to ensure access to a key is for at least one backup of the account to have completed after the Group Certificate was uploaded.


After the Group Certificate upload, whenever an encryption key is provided by an Agent in order to perform a backup, that key is encrypted using the public key from the Group Certificate, and stored in the relevant AccountServer database. The AccountServer caches the (encrypted) keys in memory in case they are required for offline data processing such as roll-ups, data verification, or integrity checks. Keys are only cached in memory, never written to disk. The encryption key's encrypted value can only be decrypted by the private key of that Group Certificate, which is stored securely in the Group admin's Console.


In short: the only way to get to an Agent's encryption key (and therefore its backed-up data) is to have access to the private key stored in the Group admin's Console and to the passphrase created by the Group admin. No-one but the Group admin who requested the Group Certificate can therefore access the encryption keys of a Group's accounts.


Read more about best practices for managing encryption keys here.

Frequently asked questions

Can I use a Group Certificate to get the encryption key for a server that is not backing up anymore?

It is possible to retrieve the encryption key if a Group Certificate was uploaded to the Console and at least one backup ran after that. However, there are limitations and retrieval is not guaranteed. Most importantly, the encryption key is only stored in cached memory for up to seven days after the last backup, which means retrieval cannot be attempted after this period.


Do I need to renew Group Certificates?

Group Certificates are valid for a maximum of 1000 days, which means they only need to be renewed before this period runs out. It is not necessary to replace them more regularly. Unnecessarily replacing Group Certificates leads to confusion and may lock out other admins.


If I rename or move my Group, do I need to create a new Group Certificate?

No. We link the Group Certificate to the Group GUID and not to its name, which means that you can move a Group/Collection or change its name (and consequently its path) without invalidating its certificate.


If I move an account to a different Group, does the encryption key move as well?

No, the key does not move. As long as the destination Group has an active Group Certificate, the account just has to backup once in its new location for us to capture the encryption key in the appropriate Group Certificate.


Where do I view my Group Certificates?

To see a list of Groups with Group Certificates, locate the relevant Collection on the Storage Platform Console. Right-click the Collection name and go to Reports > Group Certificates Active > Run Report.



You will see a list of all Groups in the Collection that have Group Certificates, as well as the date when they expire. Note that more than one Group in the same Collection can have the same Group Certificate.


Can I share a Group Certificate with another user?

After a signed Group Certificate is uploaded to the Console, the user of that Console/machine will be able to access the certificate and its password in the directory C:\Users\<username>\AppData\Roaming\Redstor Backup Pro\Console\Certificates. This directory contains a separate folder for each Group. 

To share a Group Certificate and password with another user, copy the entire Group folder (from the Certificates directory) to the same location on the other user's machine (or user profile if it is the same machine). To share all Group Certificates, copy the entire Certificates directory.

Note: If you are sharing Group Certificates between users, all users should be notified whenever a Group Certificate is renewed/replaced to ensure continuing access.