Backup Keys
A backup key is a type of encryption key that is used to ensure that it is possible to recover a Nasuni Edge Appliance that has no owned volumes. Without a backup key, it is not possible to recover a Nasuni Edge Appliance that has no owned volumes.
If a Nasuni Edge Appliance has no owned volumes and no backup key, after 2 days, the following notification is sent: “Because this Edge Appliance has no volumes or backup keys, you cannot currently perform a disaster recovery on this Edge Appliance. On the Encryption Keys page, you can generate a backup key to enable disaster recovery.”
You can generate a backup key on the Encryption Keys page.

Figure A-1: Encryption Keys page.
Important: The time to generate an encryption key can vary widely, depending on the hardware (real or virtual) that the Nasuni Edge Appliance is executing on. Encryption keys are generated in the background, so as to not block use of the Nasuni Edge Appliance during generation.
The “Generate Key” button is available if the Nasuni Edge Appliance has no owned volumes and no backup key. Alternatively, you can upload an encryption key for use as a backup key. (For security reasons, encryption keys that you upload cannot be downloaded from the system.)
If a backup key has been generated or uploaded for a Nasuni Edge Appliance, the backup key appears in the list of encryption keys on the Encryption Keys page.

Figure A-2: Encryption Keys page.
A generated backup key is automatically escrowed with Nasuni. You can also download a generated backup key and safeguard it yourself.
If the backup key is the only encryption key for the Nasuni Edge Appliance, you cannot delete the backup key.
When recovering the Nasuni Edge Appliance using a backup key, indicate whether or not you need Nasuni to provide an escrowed backup key on the second “Perform Disaster Recovery on existing Filer” page. Then obtain your backup key, either from Nasuni or from your own safekeeping, and upload your backup key on the “Upload Encryption Keys” page.
Tip: You can also upload encryption keys using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.
Escrow Passphrase
To perform a recovery procedure on an Edge Appliance, you MUST have all of the encryption keys for ALL volumes owned by that Edge Appliance in order to successfully regain access to your data. This means that, if Nasuni is escrowing any of your encryption keys, one of the following must occur:
You must have created an escrow passphrase.
You must have all of your encryption keys available, including the encryption keys escrowed with Nasuni.
You must contact Nasuni and verify your identity so that Nasuni can issue a special one-time- use recovery key.
The escrow passphrase must contain only ASCII printable characters (no Unicode) and cannot exceed 511 characters.
You can create an escrow passphrase on the Nasuni Edge Appliance, on the NMC, or using the NMC API.
To create an escrow passphrase on the Nasuni Edge Appliance, follow these steps:
Click Configuration, then select Encryption Keys from the list. The Encryption Keys page appears.
Figure A-3: Encryption Keys page.
Click Set Escrow Passphrase. The Set Escrow Passphrase dialog box appears.
Figure A-4: Set Escrow Passphrase dialog box.
Enter the Escrow Passphrase. The passphrase must contain only ASCII printable characters (no Unicode) and cannot exceed 511 characters.
An indication of the strength of the passphrase is displayed.
Confirm the escrow passphrase by entering it again.
Click Set Passphrase.
The escrow passphrase is created.
Important: Keep this escrow passphrase in a secure place. You use the escrow passphrase when performing a recovery procedure for the Nasuni Edge Appliance.
Tip: If the escrow passphrase is lost, contact Nasuni Support and complete a lost passphrase form. Nasuni provides a one-time-use recovery key. The recovery key is not the escrow passphrase: Nasuni does not know your escrow passphrase and cannot provide it.