
Set up file encryption

This section covers creating keys on the KMES for encrypting the files. It also describes creating an encryption profile that defines the criteria the KMES uses to determine which files to encrypt on the SFTP or CIFS share and where to store the files.

Perform these tasks after logging in locally to the Excrypt Touch with the print1 and print2 identities created in the previous section.

Create necessary keys

1. From the Excrypt Touch Dashboard, bring online the Connection Profile you created for connecting to the KMES Series 3.

2. After the device comes online, access the application manager for that device by selecting [ Go ] in the right column.

3. Log in to the KMES using the print1 and print2 identities.

4. Go to the Keys menu and select [ Add Key Group ].

5. In the Key Group Editor window, configure the following settings:

| Setting | Required configuration |
| --- | --- |
| Name | file_printing |
| Algorithm | None |
| Owner group | Select the printers role created in a previous section. |
| Ownership | Select Do not apply to child key groups in the drop-down list. |
| Owner name | Leave blank |
| Owner address | Leave blank |

6. Select [ OK ] to finish creating the key group.

7. Right-click the newly created key group, and select Add > Random.

8. In the Generate Key window, configure the following settings:

| Setting | Required configuration |
| --- | --- |
| Name | version1 |
| Key Type | File Encryption Key |
| Encrypting Key | PMK |
| Algorithm | AES |
| Key Length | AES-256 |
| Key Usage | Wrap/Unwrap |
| Exportability | Leave unchecked |

9. Select [ Next ] twice. Then on the summary page, select [ Finish ].

   The new key now displays under the file_printing key group.

10. Right-click on the file_printing key group, and select Add > Random.

11. In the Generate Key window, configure the following settings:

| Setting | Required configuration |
| --- | --- |
| Name | version2 |
| Key Type | File Encryption Key v2 |
| Encrypting Key | PMK |
| Algorithm | AES |
| Key Length | AES-256 |
| Key Usage | Encrypt/Decrypt |
| Exportability | Leave unchecked |

12. Select [ Next ] twice. Then on the summary page, select [ Finish ].

    The new key now displays under the file_printing key group.

Create encryption profile

1. From the Excrypt Touch Dashboard, bring online the Connection Profile that you created for connecting to the KMES Series 3.

2. After the device comes online, access the application manager for that device by selecting [ Go ] in the right column.

3. Log in to the KMES using the print1 and print2 identities.

4. Go to the File Encryption menu and select [ Add ].

5. On the Info tab of the File Encryption Profile window, enter protected in the name field and change the key mode to HSM Protected. In the key field, select [ Choose ] and select the version2 key, which is in the file_printing key group.

6. Go to the Input tab and enter the following required information:

| Option | Description |
| --- | --- |
| Source | Select the type of file share that the KMES mounts for this file encryption profile (SFTP or CIFS). You can also set this field to Disabled if you want to set the mount point at a later time. |
| Extension | Specify the extension of the files that the KMES should monitor for on the mount point and then encrypt. |
| Directory | When you select [ Browse ], a file browser opens on either the SFTP or CIFS share (depending on which type of share you set in the Source field). In the file browser, navigate to and select the folder that contains the files that you want to encrypt. |
| Subfolders | If this box is checked, the KMES also looks for files in subfolders of the folder configured in the Directory field. |
| Delete original | If this box is checked, the KMES deletes the original unencrypted file after it stores the encrypted version of the file. |
| Exclude | Specify file paths to exclude from file encryption (for example, exampledirectory/examplesubdirectory/*.txt). The exclude path that you specify is relative to the file encryption profile input directory. The asterisk (*) is the only wildcard that you can use. |

7. Go to the Output tab and enter the following required information:

| Option | Description |
| --- | --- |
| Destination | Select the location where you want to store the encrypted files (such as SFTP, CIFS, or KMES). The KMES option stores the encrypted files on a data partition on the KMES device. You can set this field to Disabled if you want to set the location at a later time. |
| Extension | In this field, specify the extension that you want encrypted files to have. |
| Directory | If the destination is set to either SFTP or CIFS, select [ Browse ], which opens a file browser on whichever file share you configured. In the file browser, navigate to and select the directory where you want to store the encrypted files. If you selected KMES as the destination, you don't need to configure this field. |
| Overwrite | In the drop-down menu, select either Overwrite or Version. |
| Include Path | If this box remains unchecked, the file header uses only the original file name. If this box is checked, the file header uses the entire path and original file name. |

8. Select [ OK ] to finish creating the file encryption profile.
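
The Input tab options (Directory, Extension, Subfolders, Exclude) decide which files the profile picks up. The following Python script is an added example, not Futurex code and not part of the original page; it previews that selection over a directory listing before the profile is enabled. The function names, the sample paths, case-sensitive extension matching, and the rule that * stays within one path segment are assumptions to confirm against the KMES behaviour.

```python
import re
from pathlib import PurePosixPath

# Constructed sample listing of a share (not real data).
SAMPLE_LISTING = [
    "/share/print/in/job1.pdf",
    "/share/print/in/notes.txt",
    "/share/print/in/archive/job2.pdf",
    "/share/print/in/archive/old/job3.pdf",
    "/share/print/out/job1.pdf",
]

def exclude_to_regex(pattern):
    """Compile an Exclude entry in which '*' is the only wildcard."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    # Assumption: '*' matches within one path segment and never crosses '/'.
    return re.compile("[^/]*".join(literal_parts))

def preview_selection(listing, input_dir, extension, subfolders, excludes):
    """Return paths, relative to input_dir, that the Input settings select."""
    root = PurePosixPath(input_dir)
    wanted_suffix = "." + extension.lstrip(".")
    rules = [exclude_to_regex(entry) for entry in excludes]
    selected = []
    for entry in listing:
        path = PurePosixPath(entry)
        try:
            relative = path.relative_to(root)
        except ValueError:
            continue  # outside the Directory setting
        if not subfolders and len(relative.parts) > 1:
            continue  # Subfolders unchecked: top level only
        if path.suffix != wanted_suffix:
            continue  # Extension does not match (assumed case-sensitive)
        if any(rule.fullmatch(relative.as_posix()) for rule in rules):
            continue  # Exclude paths are relative to the input directory
        selected.append(relative.as_posix())
    return selected

if __name__ == "__main__":
    for name in preview_selection(SAMPLE_LISTING, "/share/print/in", "pdf",
                                  True, ["archive/*.pdf"]):
        print(name)
```

Run it against a real listing of the share before checking Delete original, because every selected file has its unencrypted copy removed once the encrypted version is stored.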