For each vendor or customer account, the SAFEQ Cloud server provides several advanced options for configuring public key infrastructure and data encryption at rest. These options are set in the account settings, under the PKI and encryption section.

Public key infrastructure settings

For internal communication (the messages sent between servers and PC clients), the SAFEQ Cloud server uses either the built-in certificates or customer-provided certificates.

If the “built-in certificates” policy (default) is used, each server or PC client connection must be authorized from the corresponding web UI section. Authorization can be temporarily disabled by checking the “Automatically trust new clients/servers” checkbox.

If the “trusted CA certificates” option is selected, it is necessary to configure the particular account for custom PKI. It is assumed that the system administrator is familiar with PKI and that it is already deployed and provisioned on client PCs:

  • Secondary servers/gateways must be installed in unattended mode with a custom keychain configured in the configuration file (see section 4.5 for details).
  • PC clients operating in local storage mode must be installed with the option to use the system (Windows) certificate store enabled.
  • Root and intermediate CA certificates for the custom PKI must be uploaded to this account via the web UI under the CERTIFICATES / Trusted CA certificates section.

Optionally, OCSP revocation checks can be enabled for the certificates, and a custom OCSP URL can be configured if the provisioned certificates do not contain one.

The following settings can be configured:

  • Certificate policy for internal communication – defines which certificates are used in the internal SAFEQ Cloud communication between servers and PC clients.
  • Automatically trust new clients/servers – applies only to the built-in certificate policy. When unchecked, any new PC client/server connection requires manual authorization by the administrator.
  • Enable OCSP revocation check – visible only when trusted CA certificates are used. Enables certificate revocation checking via the OCSP protocol.
  • Custom OCSP URL – specifies a custom URL for the OCSP service if the provisioned certificates do not contain one.
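
Before enabling the OCSP revocation check, it is useful to know which provisioned certificates carry an OCSP responder URL and which would depend on the Custom OCSP URL setting. The script below is an added example, not part of the SAFEQ Cloud product or its documentation. It assumes the `openssl` command-line tool (1.1.1 or later) and certificates exported as PEM files; the function names and the sample certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: find certificates that lack an OCSP responder URL.

# Print the OCSP URL from a PEM certificate's Authority Information Access
# extension. Returns 1 if the certificate has none, 2 if it cannot be read.
ocsp_uri_of() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null) || return 2
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Report each certificate; return 1 if any of them has no usable OCSP URL.
audit_certs() {
    missing=0
    for cert in "$@"; do
        if found=$(ocsp_uri_of "$cert"); then
            echo "OK       $cert  $found"
        else
            echo "NO-OCSP  $cert"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample data: a throwaway self-signed certificate, optionally
# carrying an OCSP URL. Usage: make_sample <out.pem> [ocsp-url]
make_sample() {
    out=$1
    shift
    [ $# -eq 0 ] || set -- -addext "authorityInfoAccess=OCSP;URI:$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=constructed-sample" -days 1 "$@" 2>/dev/null
}

# Demo on two constructed certificates; real use: audit_certs /path/to/*.pem
demo() {
    dir=$(mktemp -d) || return 2
    make_sample "$dir/with-ocsp.pem" "http://ocsp.example.test"
    make_sample "$dir/without-ocsp.pem"
    audit_certs "$dir"/*.pem
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "Certificates marked NO-OCSP need the Custom OCSP URL setting."
```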

Data encryption at rest

The SAFEQ Cloud server can transparently encrypt stored documents. When encryption is enabled, documents in persistent storage are encrypted with a randomly generated account key. This applies to the primary server, gateways and PC clients.
Keys are rotated automatically and expire after the specified time. Rotation means that after each “key rotation period” (8 hours by default) a new key is generated, which is then used to encrypt new documents. Once a particular key has expired, a document that was encrypted with it can no longer be decrypted or recovered. When a document is sent to a printer, it is decrypted automatically.

Encryption keys are stored in the central database and are exchanged via the internal secure channel between the trusted servers and/or PC clients. Encryption keys are account-specific, so documents are encrypted per vendor or customer account. When a document is encrypted, the account encryption key is combined with a local key that is specific to a server or PC client. The document can only be decrypted on that particular server or client.

The following settings can be configured:

  • Enable data encryption at rest – enables data encryption for all servers/clients on this particular account. This applies only to new documents; existing ones remain unencrypted.
  • Encryption key retention – number of hours after which a key expires. Default is 168 (7 days).
  • Encryption key rotation – number of hours after which a new key is generated. Default is 8.

Token lifetime settings

Here you can set the lifetimes of access and refresh tokens for devices and users. Note that the lifetime of access tokens is measured in minutes, while the lifetime of refresh tokens is measured in days.
