File Encryption Agent
To perform file encryption and decryption, you must define cryptographic keys. Although static keys are supported, we recommend setting up key templates that automatically generate new keys after a defined interval.
The steps outlined in this section include our recommended configuration settings. We base these on industry best practices and our experience deploying file encryption functionality in customer environments. Certain environments, however, might require different settings.
- Create key groups
- Define key templates
- Define a key rotation policy
| Key | Description |
| --- | --- |
| Platform Master Key (PMK) | |
| Master File Key (MFK) | |
| File Encryption Key (FEK) | The FEK is a key exchange key and is typically 256-bit AES. Data Encryption Keys (DEK) and Message Authentication Code (MAC) keys are randomly generated by using the FEK. When you define a key rotation policy, a new FEK is randomly generated and used. |
| Data Encryption Key (DEK) | |
| Message Authentication Code (MAC) Key | |
File portability and integrity checking are two major benefits of the file encryption functionality, and both are enabled by the DEK and MAC keys outlined above.
When the agent encrypts a file, the FEK wraps the DEK and embeds it in the file header. This enables file portability, such as for backup or transfer to different recipients, and retains the key material even after the FEK is rotated.
Because encrypted files include a MAC key, the system runs an integrity check on each file before decryption. If the file MAC does not validate, decryption is not permitted. This gives users decrypting files positive confirmation that the file has not been tampered with.
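The following is an added example, not the product's own code, showing the envelope structure described above and the key rotation behaviour discussed later in this guide: a File Encryption Key (FEK) wraps a per-file DEK and MAC key into the file header, the file MAC is verified before any decryption is attempted, and rotating the FEK re-wraps only the header while the ciphertext is left untouched. The keystream is derived with HMAC-SHA256 in counter mode as a stand-in for AES so that the example runs with the Python standard library alone; the header layout, key-derivation labels and sample payload are assumptions made for this example.

```python
# Added example (not the product's own code): FEK-wrapped DEK/MAC key in the
# file header, MAC check before decryption, and FEK rotation by re-wrapping.
# HMAC-SHA256 in counter mode stands in for AES so this runs with the
# standard library only; a real agent would use AES (e.g. AES-CTR + HMAC).
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32     # 256-bit keys, matching the FEK size in the table above
NONCE_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 output
HEADER_LEN = NONCE_LEN + 2 * KEY_LEN + TAG_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a stand-in for an AES keystream."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(fek: bytes):
    """Derive distinct wrapping and header-MAC keys from the FEK (labels assumed)."""
    return (hmac.new(fek, b"fek-wrap", hashlib.sha256).digest(),
            hmac.new(fek, b"fek-mac", hashlib.sha256).digest())


def wrap_keys(fek: bytes, dek: bytes, mac_key: bytes) -> bytes:
    """Header = wrap nonce || wrapped(DEK || MAC key) || header tag."""
    wrap_key, hdr_mac_key = _subkeys(fek)
    wrap_nonce = secrets.token_bytes(NONCE_LEN)
    wrapped = _xor(dek + mac_key, _keystream(wrap_key, wrap_nonce, 2 * KEY_LEN))
    tag = hmac.new(hdr_mac_key, wrap_nonce + wrapped, hashlib.sha256).digest()
    return wrap_nonce + wrapped + tag


def unwrap_keys(fek: bytes, header: bytes):
    """Recover (DEK, MAC key) from a header, or fail if the FEK does not match."""
    wrap_key, hdr_mac_key = _subkeys(fek)
    wrap_nonce = header[:NONCE_LEN]
    wrapped = header[NONCE_LEN:NONCE_LEN + 2 * KEY_LEN]
    tag = header[NONCE_LEN + 2 * KEY_LEN:HEADER_LEN]
    expected = hmac.new(hdr_mac_key, wrap_nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header does not unwrap under this FEK")
    keys = _xor(wrapped, _keystream(wrap_key, wrap_nonce, 2 * KEY_LEN))
    return keys[:KEY_LEN], keys[KEY_LEN:]


def encrypt_file(fek: bytes, plaintext: bytes) -> bytes:
    """Fresh random DEK and MAC key per file; both are wrapped by the FEK."""
    dek = secrets.token_bytes(KEY_LEN)
    mac_key = secrets.token_bytes(KEY_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return wrap_keys(fek, dek, mac_key) + body + tag


def decrypt_file(fek: bytes, blob: bytes) -> bytes:
    """Integrity check first: a MAC that does not validate means no decryption."""
    if len(blob) < HEADER_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    dek, mac_key = unwrap_keys(fek, header)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("file MAC does not validate; decryption refused")
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    return _xor(ciphertext, _keystream(dek, nonce, len(ciphertext)))


def rotate_fek(old_fek: bytes, new_fek: bytes, blob: bytes) -> bytes:
    """Re-wrap the header under the new FEK; ciphertext and tag are untouched."""
    dek, mac_key = unwrap_keys(old_fek, blob[:HEADER_LEN])
    return wrap_keys(new_fek, dek, mac_key) + blob[HEADER_LEN:]


def demo():
    """Returns (new FEK decrypts, old FEK rejected, tamper rejected, body unchanged)."""
    fek_v1, fek_v2 = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    plaintext = b"constructed sample export, not real data"   # constructed input
    blob = encrypt_file(fek_v1, plaintext)
    rotated = rotate_fek(fek_v1, fek_v2, blob)
    ok_new = decrypt_file(fek_v2, rotated) == plaintext
    try:
        decrypt_file(fek_v1, rotated)
        old_rejected = False
    except ValueError:
        old_rejected = True
    tampered = bytearray(blob)
    tampered[HEADER_LEN + NONCE_LEN] ^= 0x01      # flip one ciphertext byte
    try:
        decrypt_file(fek_v1, bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return ok_new, old_rejected, tamper_rejected, rotated[HEADER_LEN:] == blob[HEADER_LEN:]


if __name__ == "__main__":
    print(demo())
```

The point of `rotate_fek` is that rotation is a header-only operation: the DEK and MAC key never change, so archived or transferred copies of the ciphertext stay valid, and the integrity check in `decrypt_file` runs before a single byte is decrypted.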
Key groups house the keys or key templates used by the File Encryption Agent. Perform the following steps to create a Symmetric HSM Trusted key group:
1. Go to Key Management > Keys and select [ Create ] under Key Groups.
2. Select Symmetric for the Key Type and HSM Trusted for the Storage Location, then select [ OK ].
3. In the Group tab of the Key Group Editor, enter a Name for the key group, set the desired Rotation Policy, and leave the remaining fields at their default values.
4. Optionally, in the Info tab, set values for Owner name and Owner address.
5. Select [ OK ] to finish creating the Symmetric HSM Trusted key group.
You must create a file encryption key for all file encryption and decryption operations. Perform the following steps to generate a new random file encryption key:
1. Go to Key Management > Keys.
2. Select the Symmetric HSM Trusted key group created in the previous section, and select Create > Random under Keys. Batch, Key Template, and XOR Components key loading mechanisms are also supported, but this example uses the Random option.
3. In the Key tab, specify a Name for the key, select either File Encryption Key or File Encryption Key v2 in the Key type drop-down list, and set the desired validity dates. Refer to the File Encryption Techniques section of this guide, which explains important differences between the File Encryption Key v1 and File Encryption Key v2 key types. Understanding these differences is essential for optimizing file encryption for your specific use case.
4. Optionally, in the Info tab, set values in the Owner and Address fields.
5. Select [ OK ] to finish creating the file encryption key. It should now display under Keys.
In the history of modern cryptography, there have been many instances where algorithms were weakened or broken, causing major industry shifts. Historically, these transitions were complex, time-consuming, and expensive for organizations deploying or designing cryptosystems. You should reasonably expect algorithm transitions over time, and the techniques described in this guide mitigate the risks and downsides of these processes. For forward-looking organizations implementing file encryption for long-term use, key rotation is a fundamental component of this process.
Cryptographic agility refers to the ability to switch between algorithms without rewriting applications or deploying new hardware. Agile cryptosystems can react quickly if an algorithm is vulnerable or a weakness is discovered, reducing the risk of a breach. Additionally, system-wide upgrades are significantly less complex when you implement cryptographic agility, encouraging early adoption of new standards and best practices.