Keys
This section provides information on the keys used to encrypt data with CTE UserSpace. These keys are created, stored, and managed on the CipherTrust Manager. They are referred to as encryption keys in this document.
CTE UserSpace uses AES-256 encryption for protecting data and cryptographic metadata of files on clients. A CipherTrust Manager administrator creates encryption keys for encrypting data stored on clients. When creating encryption keys for CTE UserSpace, make them exportable and grant export permissions to the ProtectFile Users group on these keys.
Note
• ProtectFile Admins must have ReadKey permission on encryption keys when creating a client-rule association.
• ProtectFile Users must be granted ReadKey and ExportKey permissions on encryption keys.
• CTE UserSpace supports versioned keys. Refer to Key Version Rotation for details.
Warning
Exercise extreme caution when deleting keys. Make sure that no path is encrypted using the key to be deleted. If a key is erroneously deleted, that key cannot be recreated. As a result, unless a backup of that key is available, any ciphertext created by that key cannot be decrypted.
The data on clients is encrypted with encryption keys stored on the CipherTrust Manager. When the CTE UserSpace service starts, it downloads the keys needed by clients.
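The permission requirements in the note above and the pre-deletion check in the warning can both be expressed as a small audit script. The following is an added example, not code from the CTE UserSpace product or the CipherTrust Manager API: the key records, the group-permission layout, the path inventory and the `name:vN` version suffix are all constructed for illustration, so map them onto your own export of key metadata and encrypted-path inventory before relying on the result.

```python
"""Constructed audit helpers for CTE UserSpace encryption keys.

Checks two things the documentation asks for:
  1. a key intended for CTE UserSpace is exportable and the ProtectFile
     groups hold the required permissions on it;
  2. a key is safe to delete, i.e. no encrypted path (any key version)
     still references it and a backup exists.
All data structures below are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Permissions each ProtectFile group must hold on an encryption key.
REQUIRED_PERMISSIONS = {
    "ProtectFile Users": {"ReadKey", "ExportKey"},
    "ProtectFile Admins": {"ReadKey"},
}


@dataclass
class KeyRecord:
    """Constructed view of one key as managed on the CipherTrust Manager."""
    name: str
    exportable: bool
    group_permissions: dict = field(default_factory=dict)  # group -> set of permissions
    backed_up: bool = False


def base_key_name(key_ref: str) -> str:
    """Strip an assumed ':vN' version suffix so every version maps to one key.

    Deleting a key removes all of its versions, so a path encrypted with an
    older version still blocks deletion.
    """
    return key_ref.split(":", 1)[0]


def missing_permissions(key: KeyRecord) -> dict:
    """Return, per ProtectFile group, the permissions still lacking on the key."""
    gaps = {}
    for group, required in REQUIRED_PERMISSIONS.items():
        granted = key.group_permissions.get(group, set())
        lacking = required - granted
        if lacking:
            gaps[group] = lacking
    return gaps


def key_ready_for_cte(key: KeyRecord) -> list:
    """Reasons the key is not yet usable by CTE UserSpace (empty list = ready)."""
    issues = []
    if not key.exportable:
        issues.append("key is not exportable")
    for group, lacking in missing_permissions(key).items():
        issues.append(f"{group} lacks {', '.join(sorted(lacking))}")
    return issues


def paths_using_key(key_name: str, inventory: dict) -> list:
    """Encrypted paths whose key reference (any version) is the given key."""
    return sorted(p for p, ref in inventory.items() if base_key_name(ref) == key_name)


def deletion_blockers(key: KeyRecord, inventory: dict) -> list:
    """Reasons the key must not be deleted yet (empty list = safe to delete)."""
    reasons = []
    in_use = paths_using_key(key.name, inventory)
    if in_use:
        reasons.append(f"still encrypts {len(in_use)} path(s): {', '.join(in_use)}")
    if not key.backed_up:
        reasons.append("no backup of the key exists; its ciphertext would be unrecoverable")
    return reasons


# Constructed sample data: path -> key reference with version suffix.
INVENTORY = {
    "/data/finance": "fin-key:v2",
    "/data/archive": "fin-key:v1",
    "/data/hr": "hr-key:v1",
}
FIN_KEY = KeyRecord(
    "fin-key", exportable=True,
    group_permissions={"ProtectFile Users": {"ReadKey", "ExportKey"},
                       "ProtectFile Admins": {"ReadKey"}},
    backed_up=True,
)
OLD_KEY = KeyRecord(
    "old-key", exportable=True,
    group_permissions={"ProtectFile Users": {"ReadKey"}},
    backed_up=False,
)

if __name__ == "__main__":
    for key in (FIN_KEY, OLD_KEY):
        print(key.name, "ready:", key_ready_for_cte(key) or "yes")
        print(key.name, "delete blockers:", deletion_blockers(key, INVENTORY) or "none")
```

Run the audit before creating a client-rule association (to confirm the permission set) and again before any key deletion; a non-empty list from `deletion_blockers` means the warning above applies and the deletion should not proceed.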