Start FileCloud FREE Trial
Log in

Storage Encryption Technical Details

When you enable FileCloud storage encryption properly, all existing files in FileCloud managed storage will be encrypted before the system will be ready for use. 

This topic describes:

  • How a Plain File Key is Created
  • Technical Details about Encryption Keys
  • When are Files Encrypted?
  • When are files Decrypted?

How a Plain File Key is Created

After you enable encryption, the initialization process begins so that a plain file key can be created.

  • A plain file key will be used to encrypt and decrypt all files using symmetric encryption
  • If you set a password when you enable encryption, you will need to supply the master password before the initialization process can start


Warning On Master Password

If an optional master password was specified, then you need to retain the password for future use.

Without this password the encryption module cannot encrypt or decrypt files in the FileCloud storage.


Once FileCloud starts the initialization process, the plain file key is created as described in Figure 1.

Figure 1. How a Plain File Key is Created


  1. An asymmetric key pair (private/public) known as the Master key  is generated. (If the optional master password is specified it is also used.)
  2. A symmetric key known as the Plain File key  is generated.
  3. The Plain File key (created in step 2) is encrypted using the Master private key. This step creates an Encrypted Plain File key.

Any existing unencrypted files in the FileCloud storage will be encrypted before the system will be ready for use. 


After restarting the server, you must type in the master password for encryption to work properly.



Technical Details about Encryption Keys

Additional details on the keys:

KeyKey DetailsUser InputPersistenceRemarks
Master public/private key pair
  • Asymetric
  • 4096 bits
  • RSA
  • sha512 digest
Password (optional)Both private and public keys are persisted
  • It is important to save the password (if one was provided)
Plain File Key
  • Symetric
  • AES
  • 128 bits
NoneNot persisted
  • The plain file key will be used to encrypt decrypt all files using symmetric encryption
  • This key will not be persisted but will be cached for performance
  • The cache will be valid for the lifetime of the FileCloud server process
Encrypted File Key
  • Encrypted using master public key
NoneEncrypted file key is persisted
  • Decryption of the encrypted file key results in plain file key
  • Decryption of the encrypted file key will be done using the master private key and optional master password
  • The plain key that is a result of decryption process is cached for the lifetime of the FileCloud server process

(lightbulb) Whenever you restart the server, the encrypted file key is decrypted again. 

When are Files Encrypted?

Once the storage encryption is enabled and the plain file key is generated, it will be automatically used to encrypt all files stored in the FileCloud.

  • Since this encryption process is a symmetric operation, the impact on your system to encrypt files is insignificant. 

The file encryption process is described in Figure 2.

Figure 2. How Files Are Encrypted

  1. A FileCloud user uploads a new file to the server.
  2. The plain file key is looked for in the local key cache.
    1. If the key is not found, a decryption process will be started to decrypt the plain file key from the encrypted file key (which is stored in the database).
    2. For this decryption process the master private key and the optional master password will be used.
    3. At the end of decryption, the plain file key will be cached.
  3. If the key is found, the plain file key will be used to symmetrically encrypt all incoming files.

When storage encryption is enabled, it will run when any of the following events occur:

  • When a new file is uploaded completely
  • When a thumb is created
  • When a slide image is created
  • When a slide image is rotated
  • When a request to encrypt all existing plain files is initiated


When are Files Decrypted?

Storage decryption will occur without notifying the end user.

This means that:

  • Decryption will automatically happen every time a file is accessed 
  • Decryption will occur without any additional steps to perform

The file decryption process is described in Figure 3.

Figure 3. How Files Are Decrypted



  1. A FileCloud user requests to download a file from the server.
  2. The plain file key is looked for in the local key cache.
    1. If the key is not found, a decryption process will be started to decrypt the plain file key from the encrypted file key (which is stored in the database).
    2. For this decryption process the master private key and the optional master password will be used.
    3. At the end of decryption, the plain file key will be cached.
  3. If the key is found, the plain file key will be used to symmetrically decrypt an encrypted file.
  4. The file is downloaded to the user's client computer or device.


When storage encryption is enabled, decryption will run when any of the following events occur:

  • When a file is downloaded.
  • When a thumb nail is downloaded.
  • When a slide image is downloaded.
  • When a document preview is requested.