.png)
This article explains how to export a copy of the encryption key for your company, a specific backup set, or an individual account. This can be used for off-platform safe-keeping, compliance, or disaster recovery needs.
Key exports are protected by a tenant verification check. This requires you to prove you still own your Microsoft 365 and/or Google Workspace tenants, after which you are allowed one export of the key. You will need to re-verify for any future export.
PAGE CONTENTS
- Before you begin
- Export requirements for different scenarios
- How to export
- Common issues
- Security reminders
Before you begin
What your IT admin needs to prepare
Action is only required if you have tenants to verify. For this, you will need:
- Microsoft 365: a Global Administrator or Privileged Role Administrator available to grant consent for each tenant.
- Google Workspace: a Super Admin available to authorise each tenant.
What you need in RedApp
- You are signed in with a user that has the Export encryption keys permission (i.e. Partner Admin or Company Admin role). Read more about RedApp roles in Article 1423.
- You have access to the specific company whose key you want to export.
- If you're exporting as a password-protected zip, you need a password of at least 16 characters. Choose something you can store safely. If you lose this file, it cannot be recovered.
Export requirements for different scenarios
| Event | Export requirement |
|---|---|
| You just completed a switch to Azure Key Vault, a switch to AWS KMS, or a revert. | None. You are allowed one export. |
| You've already exported once since your last verification. | Start a new verification cycle to be allowed another export. |
| It has been more than 30 minutes since your export allowance was issued. | Your export allowance has expired. Start a new verification cycle. |
| Your company has no Microsoft 365 or Google Workspace tenants in any backup sets. | You're cleared to export as soon as you start the verification. No admin consent is required. |
How to export
1. Verify your tenants (if needed)
Skip this step if you already have an active export allowance from a recent KMS change during which you verified your tenants.
- In RedApp, open Key Management and choose Manage KMS, then choose Export company key. You will see a list of Microsoft 365 and Google Workspace tenants from your backup sets.
- For each Microsoft 365 tenant, have a Global Administrator or Privileged Role Administrator complete admin consent.
- For each Google Workspace tenant, have a Super Admin authorise CyberSentriq.
- Once every tenant is verified, the RedApp will issue your export allowance automatically. You have 30 minutes to export your key before your allowance expires.
2. Enter a secure password
Enter a password of at least 16 characters. RedApp will then build a zip file, protected with this password, which contains the key. A password-protected zip file is especially useful if the file is likely to be moved from time to time.
Keep this password in a safe place, as you will not be able to access the contents of the zip file without it.
3. Download and store the key safely
Put the exported key somewhere offline and secure: a password manager, a hardware token, or an encrypted offline drive. Anyone with this key can decrypt the corresponding backups, so treat it like a master password.
You are only allowed one export after a verification cycle. To export again, start a new verification cycle.
Common issues
| What you see | Why it happens | How to fix |
|---|---|---|
| "Verification required" when you try to export | You don't have an active allowance. This means you never verified, you have already used your allowance, or it has expired (allowances last 30 minutes). | Click Start verification and complete tenant consent. Then export within 30 minutes. |
| Verification won't complete — some tenants stay unverified | The user granting consent doesn't have the required role, or a new backup set introduced a new tenant mid-verification. | Confirm the admin has the role Global Administrator or Privileged Role Administrator (M365) or Super Admin (Google Workspace). Refresh the tenant list to pick up any new tenants. |
| "Password must be at least 16 characters" | Your secure-zip password is too short. | Enter a password of 16 or more characters and retry. |
| "Entity not found" or "Key not found" | The company, backup set, or account you selected doesn't exist or you don't have access to it. | Double-check you selected the right entity. If you recently deleted a backup set or account, its key is no longer exportable. |
| "You don't have access to this company" | Your user account isn't linked to the company you're trying to export from. | Ask a Partner Admin or RedstorAdmin to grant you access, or perform the export under an account that already has access. |
| You only get one export and then it stops working | This is by design. An allowance is for one-time use. | Start a new verification cycle to earn another export. If you need to export multiple entities, plan to verify once per export. |
| You can't open the secure zip | The password was mistyped, or your zip tool doesn't support the strong encryption used (Windows Explorer doesn't). | Try a current zip tool (7-Zip, modern WinRAR, or the built-in Archive Utility on a recent macOS). If the password is wrong, the zip can't be recovered. You'll need to verify and export again. |
| The export option is disabled entirely | This is a CyberSentriq platform-side configuration issue, not something you can fix. | Contact CyberSentriq support. |
Security reminders
- An exported key can decrypt the matching backups outside of CyberSentriq. Treat it the same as you would treat the master password for your backup system.
- Don't email or message a plain-text key — use the secure zip format, or put the key into a password manager before sharing.
- If you suspect that an exported key has been exposed, log a ticket with our support team immediately. The only real mitigation is re-keying your company, which requires coordination.
 1.png)