Data encryption in the SOFiE application
The SOFiE application supports the following two forms of encryption for transferred and stored data:
Data encryption in transit. Always applied implicitly, as part of the standard HTTPS channel.
Data encryption at rest. Applied optionally, according to the administrator's configuration. It is enabled by default for new installations.
The following diagram describes the situation:
If data encryption at rest is enabled, all files stored on disk are encrypted with a DEK (data encryption key). The DEK is unique per package. The DEK is then itself encrypted with a KEK (key encryption key) and stored on disk together with the files. The KEK is stored in the database, separately from the encrypted files and their DEKs. The cipher used at both levels is the symmetric AES_256_GCM.
An additional extension feature is supported: encryption with a package's password. If this feature is enabled by the administrator and used by a user, a unique KEK is generated directly in the user's browser, derived from the password set for the package. This KEK is sent to the server, used by the server to encrypt the package, and then discarded; it is not stored anywhere. The package's files on the server therefore cannot be decrypted unless the user supplies this key again (that is, the password from which it is derived). Data encrypted with a package's password thus cannot be accessed by anyone who does not know the password, not even by the administrator.