Settings - Configuration - Data encryption
Since version 2.0 the application supports a data-at-rest encryption feature. Because one of the main application features is checking the transferred files with detection engines such as anti-viruses and sandboxes, these checks must first be completed for newly uploaded files; encryption is performed right after that.
The settings section for encryption configuration contains the following items:
Status
Here it shows whether the encryption feature for new packages is active or not.
Package encryption statistics
A table is displayed here informing the administrator about the number of packages in the following states:
Unencrypted packages - the packages for which encryption was not used. If more than 0 exist, the following button is available:
Encrypt all packages - runs a one-time task to encrypt all currently unencrypted packages using a common server key. Depending on the size of the packages being encrypted, this operation can take a very long time.
Encrypted packages (with a server key) - the packages which were successfully encrypted using a common server encryption key. If more than 0 exist, the following button is available:
Decrypt all packages - runs a one-time task to decrypt all packages currently encrypted with a server key. Depending on the size of the packages being decrypted, this operation can take a very long time.
Encrypted packages (with a password) - the packages which were successfully encrypted using a key derived from a package password (entered by the user). Neither the password nor the key is stored anywhere.
En/decryption failed - the packages for which the encryption or decryption process failed. In a correctly working application no such packages should exist. If some do exist, the administrator should check the application state (logs, packages, storage, etc.) and fix the problem, or alternatively contact support.
Encryption settings
Encrypt new packages
If enabled, the data of each new package are encrypted after the detection engine checks are completed, either with a common server key or with a unique package key derived from the package password (see the settings below).
(default: enabled)
Anonymous users can encrypt packages with a password
Allows anonymous (not logged in) users to encrypt sent packages with a password. The data of password-encrypted packages are not accessible to anyone who does not have the password, not even to the administrator. Encryption occurs after the detection engine checks are finished. Works only if encryption of new packages is enabled.
(default: NO)
Registered users can encrypt packages with a password
Allows registered (logged in) users to encrypt sent packages with a password. In the "only selected" mode only users with the corresponding permission are allowed. The data of password-encrypted packages are not accessible to anyone who does not have the password, not even to the administrator. Encryption occurs after the detection engine checks are finished. Works only if encryption of new packages is enabled.
(default: YES)
Key encryption keys (KEK)
Each package has its own data encryption key (DEK). This key is stored alongside the package data and is encrypted with one or more key encryption keys (KEKs). This part of the configuration allows the administration of key encryption keys (KEKs).
The table below lists all KEKs the application knows and uses. At least one must exist for the encryption feature to work correctly. One default key named “local” is created automatically. The “Add” button above the table allows creating a new KEK. There can be several KEKs; in that case all of them are used (the DEK is encrypted separately with each KEK, so any one of them can recover it). For each key in the table the following is available:
Title - name of the key, with no functional effect, just for clarity.
Type - only the “local key” type is supported for now, which is stored in the application database. In the future more key types are planned, which will be stored elsewhere (e.g., an external KMS or HSM).
Since version 2.3 there are two types of local keys: ECIES (old and deprecated) and HPKE (new and recommended). For new installations the recommended key type is used automatically. Existing installations continue using the original ECIES until the administrator makes the change. We recommend considering a switch to the new key type for older installations (by adding a new key and then removing the old one).
Key usage - how many packages are currently encrypted with this key / total number of encrypted packages.
Status:
ready: a key with no active running operation.
adding to packages in progress: a key with an active operation of being added to encrypted packages.
removing from packages in progress: a key with an active operation of being removed from encrypted packages.
Action:
+ icon: Adds this KEK to all encrypted packages. Available only if some encrypted packages exist without this key.
- icon: Removes this KEK from all encrypted packages. Available only if some encrypted packages exist with this key.
Trashcan icon: Removes this KEK from the application. Available only if this key is not currently used for encryption of any package. A key that is used cannot be deleted, because it would cause package data loss.
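The KEK/DEK scheme and the three key actions described above, as an added example that is not the application's own code: each package gets a random DEK, the DEK is wrapped under every KEK, a KEK can be added to or removed from a package, and a KEK still wrapping any package cannot be deleted. The `seal`/`unseal` primitive here is a stdlib-only encrypt-then-MAC stand-in for the real ECIES/HPKE wrapping, and all key names and values are constructed.

```python
import hashlib, hmac, secrets

# Stand-in cipher (HMAC-SHA256 counter-mode keystream + HMAC tag), NOT the product's ECIES/HPKE.
def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _stream(enc_key, nonce, ct)

def password_kek(password: str, salt: bytes) -> bytes:
    """Per-package KEK derived from a user password; only the salt is stored, never the key."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

class Package:
    """Package data sealed under its own DEK; the DEK is wrapped under one or more KEKs."""
    def __init__(self, data: bytes, keks: dict):
        dek = secrets.token_bytes(32)                     # per-package data encryption key
        self.ciphertext = data and seal(dek, data)
        self.wrapped_dek = {name: seal(kek, dek) for name, kek in keks.items()}
    def _dek(self, keks: dict) -> bytes:
        for name, blob in self.wrapped_dek.items():     # any available KEK recovers the DEK
            if name in keks:
                return unseal(keks[name], blob)
        raise KeyError("no usable KEK for this package")
    def read(self, keks: dict) -> bytes:
        return unseal(self._dek(keks), self.ciphertext)
    def add_kek(self, name: str, kek: bytes, keks: dict) -> None:
        """'+' action: wrap the DEK under one more KEK (an existing KEK is needed to unwrap it)."""
        self.wrapped_dek[name] = seal(kek, self._dek(keks))
    def remove_kek(self, name: str) -> None:
        """'-' action: drop one wrapping, but never the last one (the data would be lost)."""
        if len(self.wrapped_dek) <= 1:
            raise ValueError("cannot remove the only KEK wrapping this package")
        del self.wrapped_dek[name]

def delete_kek(keks: dict, packages: list, name: str) -> None:
    """Trashcan action: a KEK that still wraps any package must not be deleted."""
    if any(name in p.wrapped_dek for p in packages):
        raise ValueError(f"KEK {name!r} is still in use")
    del keks[name]
```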
More about encryption
Additional information about the encryption can be found here: Data encryption in the SOFiE application.