
File Encryption Agent configuration reference


We designed the configuration text file to allow the creation of a static version of the File Encryption Agent that you can package and install onto multiple servers. This works well in enterprise environments where many endpoints or servers require file encryption functionality. The first step is to create and test a configuration file that works for your organizational needs. After a successful test, you typically conduct a phased deployment.

Summary of File Encryption Agent configuration

  • Servers: Settings that define connection details for the remote servers that handle cryptographic key management.
  • TLS: Settings and files related to mutual authentication with the remote servers that handle cryptographic key management.
  • Auth: Settings for authentication credentials with the remote servers.
  • Logging: Settings related to the logs generated by the File Encryption Agent, including the verbosity, file size, location, and more.

Administrators can also configure the agent through the File Encryption Agent GUI. Find more information in the File Encryption Agent GUI Reference section of this administrative guide.

The following descriptions of the configuration items for each of the agent configuration sections apply to both GUI-based configuration and text file-based configuration. To generate an example configuration file as a template, open the File Encryption Agent GUI, apply settings, and save the file.

You must include the section header labels defined in the following sections in the configuration text file. The labels are not case-sensitive, but the individual configuration parameters are.

The following tables include recommended default settings, marked by an asterisk (*). These recommended settings might not be right for all environments but apply to typical installations.

Log: Configuration File Label: [LOG]

| Configuration | Description | Values or example |
|---|---|---|
| level | How verbose the debugging logs should be. | none, error, info*, debug, traffic |
| file | Location to write debugging logs. | C:\Program Files\Futurex\fenca\fenca_log.txt |
| console | Whether to print messages to the console (true) or write them to the defined log file (false). | true, false* |
| time-format | The time format to use for the logs. local is based on the system time of the server, utc is the UTC system time of the server, and offset uses the ISO 8601 structure for time. | utc, local*, offset |
| max-file-size | Maximum log file size, in kilobytes. The File Encryption Agent supports encrypting files up to 9999 MB, or 10238976 KB. | 102400 |
| threads | When enabled (true), adds thread identifiers to log messages. This is useful for debugging multithreaded environments. If threading is not wanted, omit this setting altogether. | true* |

TLS: Configuration File Label: [TLS]

The TLS configuration of the File Encryption Agent is flexible to meet your organizational security requirements. You can mutually authenticate or -authenticate the TLS connection, which ensures the file encryption server does not communicate with any untrusted device. The trusted CA certificates for the TLS authentication can be read from a file on the file encryption server's hard drive or from a network share.

| Configuration | Description | Values or example |
|---|---|---|
| verify | Whether all certificates in the peer chain must be validated. | true*, false |
| key | The PKCS #12 key used for mutually authenticating with the . | C:\Program Files\Futurex\fenca\KeyManager\PKI.p12 |
| password | Cleartext password used to decode the key. | Variable |
| certificate | File on the hard drive or network share containing the TLS certificate. | C:\Program Files\Futurex\fenca\KeyManager\client_certificate.pem |
| ca | File on the hard drive or network share containing TLS CA certificates (can be listed multiple times). | C:\Program Files\Futurex\fenca\KeyManager\intermediate_ca.pem |
| crl | File on the hard drive or network share containing the Certificate Revocation List (CRL). | C:\Program Files\Futurex\fenca\KeyManager\crl.pem |

Servers: Configuration File Label: [KMES]

| Configuration | Description | Values or example |
|---|---|---|
| name | The name associated with the . | Test Server |
| address | The IP address and port of the . | 192.168.1.34:2001 |

If adding multiple devices to the configuration text file, you can submit multiple instances of these parameters. The agent associates each IP address with the name listed immediately following it in the configuration file.

Auth (User): Configuration File Label: [USERLOGIN]

| Configuration | Description | Values or example |
|---|---|---|
| username | The username of the first identity with file encryption and decryption permissions enabled. | variable |
| password | The cleartext password of the first identity. | variable |
| username | The username of the second identity with file encryption and/or decryption permissions enabled. | variable |
| password | The cleartext password of the second identity. | variable |

If you need multiple identities to authenticate, you can include the username and password fields multiple times in the configuration file. The agent associates each username with the password listed immediately following it in the configuration file.

Auth (PKI): Configuration File Label: [PKILOGIN]

We recommend PKI-based application authentication for authenticating with the . Find more information about setting up PKI-based authentication in the Configure KMES Series 3 section of this administrative guide.

| Configuration | Description | Values or example |
|---|---|---|
| key | The key associated with the identity. | C:\Program Files\Futurex\fenca\KeyManager\client_key.p12 |
| cert | The certificate that authenticates with the . | C:\Program Files\Futurex\fenca\KeyManager\client_auth_cert.pem |
| password | The cleartext password used to decode the PKI login key. | Variable |

Example configuration file

The following sample configuration file includes both PKI-based login and credential-based login examples. In a production configuration file, use one or the other but not both simultaneously.

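As an added illustration that is not part of this guide or the agent's own code, the following Python reads a configuration file laid out as this reference describes (case-insensitive section labels, case-sensitive keys, repeated ca / name-address / username-password entries kept in file order) and flags settings that depart from the recommended defaults. It assumes a key=value line syntax under each [SECTION] header, which this page does not spell out, and the sample file is constructed, not a shipped one.

```python
import re
from collections import defaultdict

# Constructed sample (not a shipped file): deliberately sets verify=false and lists both login sections.
SAMPLE_CONFIG = """[log]
level=info
[TLS]
verify=false
ca=C:\\fenca\\root_ca.pem
ca=C:\\fenca\\intermediate_ca.pem
[KMES]
name=Test Server
address=192.168.1.34:2001
name=Backup Server
address=192.168.1.35:2001
[USERLOGIN]
username=fenca_user1
password=example1
[PKILOGIN]
password=example2
"""

def parse_agent_config(text):
    """{SECTION: [(key, value), ...]}: labels case-insensitive (stored uppercased), keys case-sensitive, repeats kept in order."""
    sections, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            current = m.group(1).upper()
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)

def pair_by_position(entries, first, second):
    """Pair the n-th `first` value with the n-th `second` value (name/address, username/password)."""
    firsts = [v for k, v in entries if k == first]
    seconds = [v for k, v in entries if k == second]
    if len(firsts) != len(seconds):
        raise ValueError(f"{first}/{second} counts differ: {len(firsts)} vs {len(seconds)}")
    return list(zip(firsts, seconds))

def check_config(cfg):
    findings = []
    if dict(cfg.get("TLS", [])).get("verify", "true").lower() != "true":  # recommended default is true
        findings.append("TLS verify is not true: peer certificate chain is not validated")
    if "USERLOGIN" in cfg and "PKILOGIN" in cfg:  # production files use one login method, not both
        findings.append("both USERLOGIN and PKILOGIN are present")
    return findings
```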