# Set up file encryption

> Instructions for creating encryption keys and profiles on KMES to encrypt files on SFTP/CIFS shares.

This section covers creating keys on the KMES for encrypting the files. It also describes creating an encryption profile that defines the criteria the KMES uses to determine which files to encrypt on the SFTP or CIFS share and where to store the files.

Perform these tasks after logging in locally to the Excrypt Touch with the **print1** and **print2** identities created in the previous section.

## Create the necessary keys

Perform the following steps to create the necessary keys:

<Steps>
  <Step>
    From the Excrypt Touch Dashboard, bring online the Connection Profile you created for connecting to the KMES Series 3.
  </Step>

  <Step>
    After the device comes online, access the application manager for that device by selecting **\[ Go ]** in the right column.
  </Step>

  <Step>
    Log in to the KMES by using the **print1** and **print2** identities.
  </Step>

  <Step>
    Go to the **Keys** menu and select **\[ Add Key Group ]**.
  </Step>

  <Step>
    In the **Key Group Editor** window, configure the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Name</strong></td>
          <td>file\_printing</td>
        </tr>

        <tr>
          <td><strong>Algorithm</strong></td>
          <td>None</td>
        </tr>

        <tr>
          <td><strong>Owner group</strong></td>
          <td>Select the <strong>printers</strong> role created in a previous section.</td>
        </tr>

        <tr>
          <td><strong>Ownership</strong></td>
          <td>Select <strong>Do not apply to child key groups</strong> in the drop-down list.</td>
        </tr>

        <tr>
          <td><strong>Owner name</strong></td>
          <td>Leave blank</td>
        </tr>

        <tr>
          <td><strong>Owner address</strong></td>
          <td>Leave blank</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the key group.
  </Step>

  <Step>
    Right-click the newly created key group and select **Add** > **Random**.
  </Step>

  <Step>
    In the **Generate Key** window, configure the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Name</strong></td>
          <td>version1</td>
        </tr>

        <tr>
          <td><strong>Key Type</strong></td>
          <td>File Encryption Key </td>
        </tr>

        <tr>
          <td><strong>Encrypting Key</strong></td>
          <td>PMK </td>
        </tr>

        <tr>
          <td><strong>Algorithm</strong></td>
          <td>AES </td>
        </tr>

        <tr>
          <td><strong>Key Length</strong></td>
          <td>AES-256 </td>
        </tr>

        <tr>
          <td><strong>Key Usage</strong></td>
          <td>Wrap/Unwrap</td>
        </tr>

        <tr>
          <td><strong>Exportability</strong></td>
          <td>Leave unchecked</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Next ]** twice. Then on the summary page, select **\[ Finish ]**.

    <Check>
      The new key now displays under the file\_printing key group.
    </Check>
  </Step>

  <Step>
    Right-click the **file\_printing** key group and select **Add** > **Random**.
  </Step>

  <Step>
    In the **Generate Key** window, configure the following settings:

    <table>
      <thead>
        <tr>
          <th><em><strong>Setting</strong></em></th>
          <th><em><strong>Required configuration</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Name</strong></td>
          <td>version2</td>
        </tr>

        <tr>
          <td><strong>Key Type</strong></td>
          <td>File Encryption Key v2</td>
        </tr>

        <tr>
          <td><strong>Encrypting Key</strong></td>
          <td>PMK </td>
        </tr>

        <tr>
          <td><strong>Algorithm</strong></td>
          <td>AES </td>
        </tr>

        <tr>
          <td><strong>Key Length</strong></td>
          <td>AES-256 </td>
        </tr>

        <tr>
          <td><strong>Key Usage</strong></td>
          <td>Encrypt/Decrypt</td>
        </tr>

        <tr>
          <td><strong>Exportability</strong></td>
          <td>Leave unchecked</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ Next ]** twice. Then on the summary page, select **\[ Finish ]**.

    <Check>
      The new key now displays under the file\_printing key group.
    </Check>
  </Step>
</Steps>

## Create an encryption profile

Perform the following steps to create an encryption profile:

<Steps>
  <Step>
    From the **Excrypt Touch Dashboard**, bring online the Connection Profile that you created for connecting to the KMES Series 3.
  </Step>

  <Step>
    After the device comes online, access the application manager for that device by selecting **\[ Go ]** in the right column.
  </Step>

  <Step>
    Log in to the KMES using the **print1** and **print2** identities.
  </Step>

  <Step>
    Go to the **File Encryption** menu and select **\[ Add ]**.
  </Step>

  <Step>
    On the **Info** tab of the **File Encryption Profile** window, enter `protected` in the name field and change the key mode to **HSM Protected**. In the key field, select **\[ Choose ]** and select the **version2** key, which is in the **file\_printing** key group.
  </Step>

  <Step>
    Go to the **Input** tab and enter the following required information:

    <table>
      <thead>
        <tr>
          <th><em><strong>Option</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Source</strong></td>
          <td>Select the type of file share that the KMES mounts to for this file encryption profile (<strong>SFTP</strong> or <strong>CIFS</strong>). You can also set this field to <strong>Disabled</strong> if you want to set the mount point at a later time.</td>
        </tr>

        <tr>
          <td><strong>Extension</strong></td>
          <td>Specify the file extension which the KMES should monitor on the mount point and then encrypt.</td>
        </tr>

        <tr>
          <td><strong>Directory</strong></td>
          <td>When you select <strong>\[ Browse ]</strong>, a file browser opens on either the SFTP or CIFS share (depending on which type of share you set in the <strong>Source</strong> field). In the file browser, navigate to and select the folder that contains the files that you want to be encrypted.</td>
        </tr>

        <tr>
          <td><strong>Subfolders</strong></td>
          <td>If this box is checked, the KMES looks for files that are contained within subfolders of the folder configured in the <strong>Directory</strong> field.</td>
        </tr>

        <tr>
          <td><strong>Delete original</strong></td>
          <td>If this box is checked, the KMES deletes the original unencrypted file after it stores the encrypted version of the file.</td>
        </tr>

        <tr>
          <td><strong>Exclude</strong></td>
          <td>Specify file paths to exclude from file encryption (for example, <code>exampledirectory/examplesubdirectory/\*.txt</code>). The exclude path that you specify is relative to the file encryption profile input directory. The asterisk is the only pattern-matching character that you can use.</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Go to the **Output** tab and enter the following required information:

    <table>
      <thead>
        <tr>
          <th><em><strong>Option</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Destination</strong></td>
          <td>Select the location where you want to store the encrypted files (such as <strong>SFTP</strong>, <strong>CIFS</strong>, or <strong>KMES</strong>). The KMES option stores the encrypted files on a data partition on the KMES device. You can set this field to <strong>Disabled</strong> if you want to set the location at a later time.</td>
        </tr>

        <tr>
          <td><strong>Extension</strong></td>
          <td>In this field, specify the extension that you want encrypted files to have.</td>
        </tr>

        <tr>
          <td><strong>Directory</strong></td>
          <td>If the destination is set to either <strong>SFTP</strong> or <strong>CIFS</strong>, select <strong>\[ Browse ]</strong>, which opens a file browser on whichever file share you configured. In the file browser, go to and select the directory where you want to store the encrypted files. If you selected <strong>KMES</strong> as the destination, you don't need to configure this field.</td>
        </tr>

        <tr>
          <td><strong>Overwrite</strong></td>
          <td>In the drop-down menu, select either <strong>Overwrite</strong> or <strong>Version</strong>.</td>
        </tr>

        <tr>
          <td><strong>Include Path</strong></td>
          <td>If this box remains unchecked, the file header uses only the original file name. If this box is checked, the file header uses the entire path and original file name.</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to finish creating the file encryption profile.
  </Step>
</Steps>
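
A dry run of the **Input** tab settings, added here as an example and not Futurex code: it predicts which files in a share listing the profile would pick up and which would stay in plaintext, which is worth checking before you enable **Delete original**. The function names, the sample listing, and the matching rules (the asterisk stays within one path segment, extension comparison is case-sensitive) are assumptions; confirm the actual behavior on a test share.

```python
import re
from pathlib import PurePosixPath


def _exclude_regex(pattern):
    # The asterisk is the only special character in an Exclude path.
    # Assumption: it matches within a single path segment (never across '/').
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("[^/]*".join(literal_parts))


def select_files(paths, extension, subfolders, excludes):
    """Split a share listing into (to_encrypt, left_in_plaintext).

    paths      -- file paths relative to the profile's input Directory
    extension  -- the Input tab Extension value, with or without a leading dot
    subfolders -- True if the Subfolders box is checked
    excludes   -- Exclude paths, relative to the input Directory
    """
    ext = "." + extension.lstrip(".")
    rules = [_exclude_regex(e) for e in excludes]
    to_encrypt, left_in_plaintext = [], []
    for rel in paths:
        p = PurePosixPath(rel)
        in_scope = subfolders or len(p.parts) == 1   # top level only if unchecked
        matches_ext = p.suffix == ext                # assumption: case-sensitive
        excluded = any(rule.fullmatch(rel) for rule in rules)
        if in_scope and matches_ext and not excluded:
            to_encrypt.append(rel)
        else:
            left_in_plaintext.append(rel)
    return to_encrypt, left_in_plaintext


# Constructed sample listing, relative to the input Directory.
LISTING = [
    "job1.txt",
    "job2.pdf",
    "archive/old.txt",
    "exampledirectory/examplesubdirectory/keep.txt",
    "exampledirectory/examplesubdirectory/deeper/x.txt",
]
EXCLUDES = ["exampledirectory/examplesubdirectory/*.txt"]

if __name__ == "__main__":
    encrypt, plain = select_files(LISTING, "txt", True, EXCLUDES)
    print("would encrypt:", encrypt)
    print("stays plaintext:", plain)
```

Under these assumptions the exclude path does not cover `deeper/x.txt`, so a nested file you expected to stay untouched would still be encrypted.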
