Storage Encryption Technical Details
When you enable FileCloud storage encryption properly, all existing files in FileCloud managed storage will be encrypted before the system will be ready for use.
This topic describes:
- How a Plain File Key is Created
- Technical Details about Encryption Keys
- When are Files Encrypted?
- When are files Decrypted?
How a Plain File Key is Created
After you enable encryption, the initialization process begins so that a plain file key can be created.
- A plain file key will be used to encrypt and decrypt all files using symmetric encryption
- If you set a password when you enable encryption, you will need to supply the master password before the initialization process can start
Warning On Master Password
If an optional master password was specified, then you need to retain the password for future use.
Without this password the encryption module cannot encrypt or decrypt files in the FileCloud storage.
Once FileCloud starts the initialization process, the plain file key is created as described in Figure 1.
Figure 1. How a Plain File Key is Created
- An asymmetric key pair (private/public) known as the Master key is generated. (If the optional master password is specified it is also used.)
- A symmetric key known as the Plain File key is generated.
- The Plain File key (created in step 2) is encrypted using the Master private key. This step creates an Encrypted Plain File key.
Any existing unencrypted files in the FileCloud storage will be encrypted before the system will be ready for use.
After restarting the server, you must type in the master password for encryption to work properly.
Technical Details about Encryption Keys
Additional details on the keys:
Key | Key Details | User Input | Persistence | Remarks |
---|---|---|---|---|
Master public/private key pair |
| Password (optional) | Both private and public keys are persisted |
|
Plain File Key |
| None | Not persisted |
|
Encrypted File Key |
| None | Encrypted file key is persisted |
Whenever you restart the server, the encrypted file key is decrypted again. |
When are Files Encrypted?
Once the storage encryption is enabled and the plain file key is generated, it will be automatically used to encrypt all files stored in the FileCloud.
- Since this encryption process is a symmetric operation, the impact on your system to encrypt files is insignificant.
The file encryption process is described in Figure 2.
Figure 2. How Files Are Encrypted
- A FileCloud user uploads a new file to the server.
- The plain file key is looked for in the local key cache.
- If the key is not found, a decryption process will be started to decrypt the plain file key from the encrypted file key (which is stored in the database).
- For this decryption process the master private key and the optional master password will be used.
- At the end of decryption, the plain file key will be cached.
- If the key is found, the plain file key will be used to symmetrically encrypt all incoming files.
When storage encryption is enabled, it will run when any of the following events occur:
- When a new file is uploaded completely
- When a thumb is created
- When a slide image is created
- When a slide image is rotated
- When a request to encrypt all existing plain files is initiated
When are Files Decrypted?
Storage decryption will occur without notifying the end user.
This means that:
- Decryption will automatically happen every time a file is accessed
- Decryption will occur without any additional steps to perform
The file decryption process is described in Figure 3.
Figure 3. How Files Are Decrypted
- A FileCloud user requests to download a file from the server.
- The plain file key is looked for in the local key cache.
- If the key is not found, a decryption process will be started to decrypt the plain file key from the encrypted file key (which is stored in the database).
- For this decryption process the master private key and the optional master password will be used.
- At the end of decryption, the plain file key will be cached.
- If the key is found, the plain file key will be used to symmetrically decrypt an encrypted file.
- The file is downloaded to the user's client computer or device.
When storage encryption is enabled, decryption will run when any of the following events occur:
- When a file is downloaded.
- When a thumb nail is downloaded.
- When a slide image is downloaded.
- When a document preview is requested.