
File Encryption Agent

To perform file encryption and decryption, you must define cryptographic keys. Although static keys are supported, we recommend setting up key templates that automatically generate new keys after a defined period.

The steps outlined in this section include our recommended configuration settings. We base these on industry best practices and our experience deploying file encryption functionality in customer environments. Certain environments, however, might require different settings.

The following list includes the high-level tasks for key management:

  • Create key groups
  • Define key templates
  • Define a key rotation policy

This section contains details relating to file encryption-specific tasks. For a full overview of key management functionality, see the Key Lifecycle Management section of the user guide.

File Encryption Key hierarchy

The following key hierarchy and keys are used for file encryption:

Platform Master Key (PMK): One of the top-level major keys, typically 256-bit AES. The PMK wraps all user keys and subordinate keys on the server.

Master File Key (MFK): One of the top-level major keys. The MFK encrypts system parameters, including SMTP passwords and SFTP credentials.

File Encryption Key (FEK): A key exchange key, typically 256-bit AES. Data Encryption Keys (DEKs) and Message Authentication Code (MAC) keys are randomly generated and wrapped by the FEK. When you define a key rotation policy, a new FEK is randomly generated and used.

Data Encryption Key (DEK): DEKs, randomly generated and wrapped by the FEK, encrypt and decrypt files. A unique DEK is used for each encrypted file, and the wrapped DEK is stored in the header of the file. This enables file portability.

Message Authentication Code (MAC) Key: MAC keys, randomly generated and wrapped by the FEK, perform integrity checks on files. A unique MAC key is used for each encrypted file, and the wrapped MAC key is stored in the header of the file. This enables file integrity checking.


File portability and integrity checking

File portability and integrity checking are two major benefits of the file encryption functionality, which the DEK and MAC keys outlined in the preceding section enable.

File portability

When a file is encrypted, the FEK wraps the DEK and the wrapped DEK is embedded in the file header. This enables file portability, such as for backup or transfer to different recipients, and the key material needed to decrypt the file is retained even after the FEK is rotated.

File integrity

Because the encrypted files include a MAC key, the system runs an integrity check on them before decryption. If the file MAC does not validate, decryption is not permitted. This gives users decrypting files positive confirmation that the file has not been tampered with.
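The key hierarchy and the header-embedded DEK and MAC key described above, as an added example that is not the agent's own file format or code: a constructed Go envelope format in which each file carries its FEK version id, its FEK-wrapped DEK and MAC key, an AES-CTR body and an HMAC-SHA256 trailer, and the MAC is verified before anything is decrypted. The Keyring type, the field layout and sizes, and the use of AES-CTR under the FEK (with the file MAC covering the wrapped keys) as the wrapping method are assumptions standing in for whatever wrap the agent's HSM performs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Keyring holds every FEK version ever issued, keyed by the 1-byte version id
// each file header names; a rotated FEK stays here so older files still open.
type Keyring map[byte][]byte

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

func tag(key, data []byte) []byte { h := hmac.New(sha256.New, key); h.Write(data); return h.Sum(nil) }

// ctrXOR is AES-256-CTR, used both to wrap DEK||MACkey under the FEK and for the body.
func ctrXOR(key, iv, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed example: every key here is 32 bytes
	}
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}

// Seal: header = id(1) iv(16) wrapped DEK||MACkey(64), then the CTR body under the
// fresh DEK, then HMAC-SHA256 under the fresh MAC key over header and body.
func Seal(ring Keyring, fekID byte, plaintext []byte) []byte {
	dek, macKey, iv := randBytes(32), randBytes(32), randBytes(16)
	hdr := append(append([]byte{fekID}, iv...), ctrXOR(ring[fekID], iv, append(dek, macKey...))...)
	out := append(hdr, ctrXOR(dek, iv, plaintext)...)
	return append(out, tag(macKey, out)...)
}

// Open unwraps the per-file keys under the FEK version the header names and
// verifies the MAC before decrypting anything; any failure refuses the file.
func Open(ring Keyring, blob []byte) ([]byte, error) {
	if len(blob) < 81+32 {
		return nil, errors.New("truncated file")
	}
	fek, ok := ring[blob[0]]
	if !ok {
		return nil, errors.New("unknown FEK version")
	}
	keys := ctrXOR(fek, blob[1:17], blob[17:81]) // DEK || MAC key
	signed, mac := blob[:len(blob)-32], blob[len(blob)-32:]
	if !hmac.Equal(tag(keys[32:], signed), mac) {
		return nil, errors.New("MAC check failed: decryption not permitted")
	}
	return ctrXOR(keys[:32], blob[1:17], signed[81:]), nil
}
```

Because the header names the FEK version, adding a new FEK to the ring (rotation) leaves earlier files decryptable, while dropping a version from the ring makes the files sealed under it unreadable.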

Create a symmetric HSM Trusted key group

Key groups house the keys or key templates used by the File Encryption Agent. Perform the following steps to create a Symmetric HSM Trusted key group:

1. Go to Key Management > Keys and select [ Create ] under Key Groups.
2. Select Symmetric for the Key Type and HSM Trusted for the Storage Location, then select [ OK ].
3. In the Group tab of the Key Group Editor, enter a Name for the key group, set the desired Rotation Policy, and leave the remaining fields at their default values.
4. Optionally, in the Info tab, set values for Owner name and Owner address.
5. Select [ OK ] to finish creating the Symmetric HSM Trusted key group.

Create a File Encryption Key

You must create a file encryption key for all file encryption and decryption operations. Perform the following steps to generate a new random file encryption key:

1. Go to Key Management > Keys.
2. Select the Symmetric HSM Trusted key group created in the previous section, and select Create > Random under Keys.
   We also support the Batch, Key Template, and XOR Components key loading mechanisms, but this example uses the Random option.
3. In the Key tab, specify a Name for the key, select either File Encryption Key or File Encryption Key v2 in the Key type drop-down list, and set the desired validity dates.
   Refer to the File Encryption Techniques section of this guide, which explains important differences between the File Encryption Key (v1) and File Encryption Key v2 key types. Understanding these differences is essential for optimizing file encryption for your specific use case.
4. Optionally, in the Info tab, set values in the Owner and Address fields.
5. Select [ OK ] to finish creating the file encryption key. It should now display under Keys.

Key rotation to enable cryptographic agility

In the history of modern cryptography, there have been many instances where algorithms were weakened or broken, causing major industry shifts. Historically, these transitions were complex, time-consuming, and expensive for organizations deploying or designing cryptosystems. You should reasonably expect algorithm transitions over time, and the techniques described in this section mitigate the risks and downsides of those transitions. For forward-looking organizations implementing file encryption for long-term use, key rotation is a fundamental component of this process.

What is cryptographic agility?

Cryptographic agility refers to the ability to switch between algorithms without rewriting applications or deploying new hardware. Agile cryptosystems can react quickly if an algorithm is vulnerable or a weakness is discovered, reducing the risk of a breach. Additionally, system-wide upgrades are significantly less complex when you implement cryptographic agility, encouraging early adoption of new standards and best practices.