This section provides information on keys used for encrypting data using ProtectFile. These keys are created, stored, and managed on the CipherTrust Manager. These keys are referred to as encryption keys in this document.
ProtectFile uses AES-256 encryption for protecting data and cryptographic metadata of files on clients. A CipherTrust Manager administrator creates encryption keys for encrypting data stored on clients. When creating encryption keys for ProtectFile, make them exportable and grant export permissions to the ProtectFile Users group on these keys.
• ProtectFile Admins must have ReadKey permission on encryption keys when creating a client-rule association.
• ProtectFile Users must be granted ExportKey permission on encryption keys.
• DO NOT create versions of keys used by ProtectFile for encryption.
Exercise extreme caution when deleting keys. Make sure that no path is encrypted with the key you intend to delete. If a key is erroneously deleted, it cannot be recreated. As a result, unless a backup of that key is available, any ciphertext created with that key cannot be decrypted.
The data on clients is encrypted with encryption keys stored on the CipherTrust Manager. When the ProtectFile service starts, it downloads the keys needed by clients.
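As an added example, not taken from the ProtectFile or CipherTrust Manager documentation, the following Python audit encodes the key requirements above (AES-256, exportable, ExportKey for ProtectFile Users, ReadKey for ProtectFile Admins, no key versions) and the pre-deletion check that no encrypted path still references the key. The dict field names and the sample records are constructed assumptions for illustration, not the actual CipherTrust Manager API schema; map them to the fields your key export or `ksctl` output actually returns.

```python
"""Audit key records against ProtectFile's requirements (illustrative).

ASSUMPTION: a key record is a dict with name/algorithm/size/unexportable/
version and a permissions map of permission name -> list of groups; a
client-rule association is a dict with path/key. Adapt to your real schema.
"""

REQUIRED_ALG, REQUIRED_SIZE = "AES", 256
USERS_GROUP, ADMINS_GROUP = "ProtectFile Users", "ProtectFile Admins"


def audit_protectfile_key(key: dict) -> list[str]:
    """Return findings for one key; an empty list means ProtectFile can use it."""
    name, findings = key["name"], []
    if key.get("algorithm") != REQUIRED_ALG or key.get("size") != REQUIRED_SIZE:
        findings.append(f"{name}: must be AES-256, got {key.get('algorithm')}-{key.get('size')}")
    if key.get("unexportable", False):            # key must be exportable
        findings.append(f"{name}: key is not exportable")
    perms = key.get("permissions", {})
    if USERS_GROUP not in perms.get("ExportKey", []):
        findings.append(f"{name}: '{USERS_GROUP}' lacks ExportKey permission")
    if ADMINS_GROUP not in perms.get("ReadKey", []):
        findings.append(f"{name}: '{ADMINS_GROUP}' lacks ReadKey permission")
    if key.get("version", 0) != 0:                # assumption: version > 0 means a key version was created
        findings.append(f"{name}: key has been versioned; ProtectFile keys must not be versioned")
    return findings


def paths_blocking_deletion(key_name: str, associations: list[dict]) -> list[str]:
    """Paths still encrypted with key_name; deleting the key is only safe when this is empty."""
    return sorted(a["path"] for a in associations if a["key"] == key_name)


# Constructed sample data (not real keys or paths).
GOOD_KEY = {"name": "pf-data-key", "algorithm": "AES", "size": 256, "unexportable": False,
            "version": 0, "permissions": {"ReadKey": [ADMINS_GROUP], "ExportKey": [USERS_GROUP]}}
BAD_KEY = {"name": "pf-old-key", "algorithm": "AES", "size": 256, "unexportable": True,
           "version": 1, "permissions": {"ReadKey": [], "ExportKey": []}}
ASSOCIATIONS = [{"path": "/data/finance", "key": "pf-data-key"},
                {"path": "/data/hr", "key": "pf-old-key"}]

if __name__ == "__main__":
    for k in (GOOD_KEY, BAD_KEY):
        print(k["name"], audit_protectfile_key(k) or "OK")
    print("blocking deletion of pf-old-key:", paths_blocking_deletion("pf-old-key", ASSOCIATIONS))
```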