Introduction

FileCloud supports storage encryption as of the latest release. This section explains the technical details of the FileCloud encryption process.

Initialization

FileCloud storage encryption must be initialized before it can be used for file encryption. To initialize encryption, the administrator may supply an optional master password and start the initialization process. Once initialization starts, the following steps take place:

  1. An asymmetric key pair (private/public) known as the "Master" key is generated with the optional master password.
  2. A symmetric key known as the "Plain File" key is generated.
  3. The File key created in step 2 is encrypted using the Master private key, resulting in an "Encrypted File" key.
  4. All existing unencrypted files (if any) in the FileCloud storage are encrypted before the system is ready for use. See the File Encryption section below for more information on file encryption.

 

Warning On Master Password

If an optional master password was specified, the administrator must retain the password for future use. Without this password, the encryption module cannot encrypt or decrypt files in the FileCloud storage.

 

Additional details on the keys:

Master public/private key pair
  • Key details: Asymmetric; 4096 bits; RSA; sha512 digest
  • User input: Password (optional)
  • Persistence: Both private and public keys are persisted.
  • Remarks:
      • It is important to save the password (if one was provided).

Plain File Key
  • Key details: Symmetric; AES; 128 bits
  • User input: None
  • Persistence: Not persisted
  • Remarks:
      • The plain file key is used to encrypt/decrypt all files using symmetric encryption.
      • This key is not persisted but is cached for performance.
      • The cache is valid for the lifetime of the FileCloud server process.

Encrypted File Key
  • Key details: Encrypted using master public key
  • User input: None
  • Persistence: Encrypted file key is persisted
  • Remarks:
      • Decryption of the encrypted file key results in the plain file key.
      • Decryption of the encrypted file key is done using the master private key and the optional master password.
      • The encrypted file key is decrypted every time the FileCloud server is started.
      • The plain key that results from the decryption process is cached for the lifetime of the FileCloud server process. Restarting the server requires a fresh decryption.

File Encryption

Once storage encryption is initialized, the generated plain file key is automatically used to encrypt all files stored in FileCloud. Since this encryption process is a symmetric operation, the time overhead added for this encryption is insignificant. The following steps happen during file encryption:

  1. The plain file key is looked up in the local key cache.
  2. If the key is not found, a decryption process is started to decrypt the plain file key from the encrypted file key (which is stored in the database). This decryption uses the master private key and the optional master password. At the end of decryption, the plain file key is cached.
  3. The plain file key is used to symmetrically encrypt all incoming files.

When storage encryption is enabled, the file encryption routine is automatically triggered for the following events:

  1. When a new file is uploaded completely.
  2. When a thumb is created.
  3. When a slide image is created.
  4. When a slide image is rotated.
  5. When a request to encrypt all existing plain files is initiated.

File Decryption

Storage encryption remains transparent to the end user: decryption happens automatically every time a file is accessed, without any additional steps to perform. The following steps happen during file decryption:

  1. The plain file key is looked up in the local key cache.
  2. If the key is not found, a decryption process is started to decrypt the plain file key from the encrypted file key (which is stored in the database). This decryption uses the master private key and the optional master password. At the end of decryption, the plain file key is cached.
  3. The plain file key is used to symmetrically decrypt an encrypted file.

When storage encryption is enabled, the file decryption routine is automatically triggered for the following events:

  1. When a file is downloaded.
  2. When a thumb is downloaded.
  3. When a slide image is downloaded.
  4. When a document preview is requested.
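
The key handling described on this page, from initialization through the cached key lookup used for file encryption and decryption, as an added Node.js example; it is not FileCloud's code. It follows the key table (file key wrapped with the master public key, unwrapped with the master private key and password). RSA-OAEP wrapping, AES-128-GCM for file contents, PKCS#8/AES-256-CBC password protection of the private key, and the names `initialize`, `ServerProcess` and `demo` are assumptions the page does not specify.

```javascript
const crypto = require('node:crypto');
// Initialization steps 1-3; returns only what the page lists as persisted (no plain file key).
function initialize(masterPassword, bits = 4096) {
  // Assumption: the optional password encrypts the private key (PKCS#8, AES-256-CBC).
  const protect = masterPassword ? { cipher: 'aes-256-cbc', passphrase: masterPassword } : {};
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', ...protect },
  });
  const encryptedFileKey = crypto.publicEncrypt(publicKey, crypto.randomBytes(16)); // wrap a fresh 128-bit key (OAEP)
  return { publicKey, privateKey, encryptedFileKey };
}
// One server process: the cache starts empty, so every restart needs a fresh unwrap.
class ServerProcess {
  constructor(persisted, masterPassword) {
    Object.assign(this, { persisted, masterPassword, cache: null, unwraps: 0 });
  }
  fileKey() {
    if (!this.cache) { // cache miss: unwrap with the private key and password
      const key = { key: this.persisted.privateKey, passphrase: this.masterPassword };
      this.cache = crypto.privateDecrypt(key, this.persisted.encryptedFileKey);
      this.unwraps += 1;
    }
    return this.cache;
  }
  encryptFile(plain) { // assumed layout: iv(12) || ciphertext || tag(16)
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-128-gcm', this.fileKey(), iv);
    return Buffer.concat([iv, c.update(plain), c.final(), c.getAuthTag()]);
  }
  decryptFile(blob) {
    const d = crypto.createDecipheriv('aes-128-gcm', this.fileKey(), blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(blob.length - 16));
    return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
  }
}

// Constructed demo: a restarted process that has lost the master password.
function demo(bits = 4096) {
  const persisted = initialize('correct horse', bits);
  const first = new ServerProcess(persisted, 'correct horse');
  const blob = first.encryptFile(Buffer.from('constructed sample file'));
  first.decryptFile(blob); // cache hit: no second unwrap
  let recoverable = true;
  try { new ServerProcess(persisted, 'lost').decryptFile(blob); } catch { recoverable = false; }
  return { unwraps: first.unwraps, recoverable };
}
console.log(demo());
```

The demo reports one unwrap for the first process and an unrecoverable file for the process started with the wrong password, which is the failure the master password warning describes.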