File Encryption Agent

to perform file encryption and decryption, you must define cryptographic keys although the {{k3}} supports defining static keys, we recommend setting up key templates that automatically generate new keys after a defined time the steps outlined in this section include our recommended configuration settings we base these on industry best practices and our experience deploying file encryption functionality in customer environments certain environments, however, might require different settings the following list includes the high level tasks for key management by using the {{k3}} create key groups define key templates define a key rotation policy this section contains details relating to file encryption specific tasks for a full overview of {{k3}} key management functionality, see the key lifecycle management section of the {{k3}} user guide file encryption key hierarchy the {{k}} uses the following key hierarchy and keys for file encryption key description platform master key (pmk) the pmk is one of the top level major keys in the {{k3}} and is typically 256 bit aes the pmk wraps all users and subordinate keys on the server master file key (mfk) the mfk is one of the top level major keys in the {{k3}} the mfk encrypts system parameters, including smtp passwords and sftp credentials file encryption key (fek) the fek is a key exchange key and is typically 256 bit aes data encryption keys (dek) and message authentication code (mac) keys are randomly generated by using the fek when you define a key rotation policy, a new fek is randomly generated and used data encryption key (dek) deks, randomly generated and wrapped by the fek, encrypt and decrypt files the {{k3}} uses a unique dek per file encrypted and stores the encrypted key in the header of the file this enables file portability message authentication code (mac) key mac keys, randomly generated and wrapped by the fek, perform integrity checks on files the {{k3}} uses a unique mac key per file encrypted and stores the encrypted key in the header of the file this enables file integrity checking file portability and integrity checking file portability and integrity checking are two major benefits of the {{k3}} file encryption functionality, which the dek and mac keys outlined in the preceding section enable file portability when the {{k}} encrypts a file, the fek wraps the dek and embeds it in the file header this enables file portability, such as for backup or transfer to different recipients, as well as retention of key material even after the fek is rotated file integrity because the encrypted files include a mac key, the system runs an integrity check on them before decryption if the file mac does not validate, decryption is not permitted this gives users decrypting files positive confirmation that the file has not been tampered with create a symmetric hsm trusted key group key groups house the keys or key templates used by the file encryption agent perform the following steps to create a symmetric hsm trusted key group go to key management > keys and select \[ create ] under key groups select symmetric for the key type and hsm trusted for the storage location , then select \[ ok ] in the group tab of the key group editor , enter a name for the key group, set the desired rotation policy , and leave the remaining fields assigned to the default values optionally, in the info tab, you can set values for owner name and owner address select \[ ok ] to finish creating the symmetric hsm trusted key group create a file encryption key you must create a file encryption key for all file encryption and decryption operations perform the following steps to generate a new random file encryption key go to key management > keys select the symmetric hsm trusted key group created in the previous section, and select create > random under keys we also support batch , key template , and xor components key loading mechanisms, but this example uses the random option in the key tab, specify a name for the key, select either file encryption key or file encryption key v2 in the key type drop down list, and set the desired validity dates refer to the file encryption techniques section of this guide, which explains important differences between the file encryption key v1 and file encryption v2 key types understanding these differences is essential for optimizing file encryption for your specific use case optionally, in the info tab, you can set values in the owner and address fields select \[ ok ] to finish creating the file encryption key it should display under keys key rotation to enable cryptographic agility in the history of modern cryptography, there have been many instances where algorithms were weakened or broken, causing major industry shifts historically, these transitions were complex, time consuming, and expensive for organizations deploying or designing cryptosystems you should reasonably expect algorithms to transition over time, and the {{k3}} techniques mitigate the risks and downsides of these processes for forward looking organizations implementing file encryption for long term use, key rotation is a fundamental component of this process what is cryptographic agility? cryptographic agility refers to the ability to switch between algorithms without rewriting applications or deploying new hardware agile cryptosystems can react quickly if an algorithm is vulnerable or a weakness is discovered, reducing the risk of a breach additionally, system wide upgrades are significantly less complex when you implement cryptographic agility, encouraging early adoption of new standards and best practices