
Safend

Securing Your Endpoints

Safend Encryptor Key Management


Overview: Safend Encryptor utilizes Total Data Encryption technology that encrypts all data files, while avoiding unnecessary encryption of the operating system and program files. This innovative concept minimizes the risk of operating system failure, and poses negligible performance impact on user productivity. Leveraging this unique encryption technology, Safend Encryptor provides a genuinely transparent Hard Disk Encryption solution, by using the existing Windows login interface for user authentication. This document will outline the Safend encryption procedure and Key Management infrastructure.

Key Management Lifecycle

The Key Management Lifecycle is the group of processes and procedures required to generate, renew, distribute, revoke and dispose of cryptographic keys. Additional key management lifecycle components include: key storage, key backup, archiving, and escrowing.

[Figure: Key Management Lifecycle. Stages shown: key generation, key distribution, application key usage, operational key storage and backup (online key store), key archiving (key archive), key renewal, key recovery (including manual key entry), key deletion and key retirement.]

Cryptographic Key Management

Safend's key management architecture follows the well-known and well-defined key management lifecycle:

• Key Generation
• Key Distribution
• Key Usage
• Key Storage
  o Key Storage - Operational Storage
  o Key Storage - Archive Storage
  o Key Storage - Backup Storage
• Key Recovery
• Key Retirement

The Key Management implementation is presented in the following figure:


[Figure: Key Management implementation. The Safend Management Server (key generation, key usage, key recovery, key retirement, archive storage, backup storage) communicates over SSL with the Safend Management Console (key usage, key recovery, key retirement) and with each Encrypted Endpoint Computer (online key store); key distribution to the endpoint and the endpoint's log both travel over SSL-encrypted communication.]

Safend's cryptographic key management module uses a variety of keys, including a machine encryption key, file encryption keys, SSL keys, data recovery keys, OTA secrets and a server public key. The AES-256 encryption algorithm is used in all of Safend's products and all encryption keys are AES keys. The server public key is an RSA-1024 key. Safend is FIPS 140-2 certified and Common Criteria certified to EAL2 for sensitive data protection. The following table lists all encryption keys used in Safend's Key Management:

Key type                 Purpose
Machine encryption key   Used to protect file encryption keys and for data recovery.
File encryption key      A unique and random (per file) key used to encrypt files.
TLS keys                 Used for TLS/SSL communication encryption.
OTA secrets              Used in the one-time access challenge response process.
Server public key        Used to encrypt all encryption keys for recovery purposes.

Safend Key Management Implementation

Described below are the technical details of Safend's Key Management infrastructure for each step in the Key Management Lifecycle.

1. Key Generation

Safend Encryptor incorporates a fully automated key management solution. All encryption keys are centrally generated and securely stored on the management server before encryption is initialized. Encryption keys are generated using a FIPS-approved PRNG.

2. Key Distribution

In the key distribution process the keys are securely distributed from the Management Server where they are generated. The process is completely automatic and the keys are distributed over TLS-encrypted transport. The key distribution process also implements integrity protection against modification and substitution of the encryption keys (both intentional and unintentional).

3. Key Usage

The key usage process mandates the separation of encryption keys for each cryptographic function: separate keys are used for file encryption, data recovery and the one-time access mechanism. Separate key usage strengthens the overall security level of the product and ensures that if a particular encryption key is exposed, it does not compromise the security of the entire product. Safend's unique recovery process allows decryption of complete hard drives or quick recovery of any specific file (even if only a single file can be salvaged from a malfunctioning hard drive).

4. Key Storage

Key Storage defines the different functions used for the management of cryptographic key material. Generally the functions are described as operational storage, backup storage and archive storage.

a. Operational storage: Once the check-in process is completed successfully, the machine key is stored securely in the encrypted endpoint's memory and is used to decrypt the individual file key that protects each and every file. The key is securely wiped during shutdown of the endpoint and is also protected against cold boot attacks and DMA/FireWire attacks.

b. Archive storage: The archive store is implemented in the database used by Safend's Management Server. All encryption keys and secrets are stored encrypted in the database and can be securely accessed by the Management Server. Audit logs are generated for administrative actions performed on the archive storage. In case of server/database failure the keys can be restored from the server configuration backup.

c. Backup storage: Safend implemented the encryption key backup storage as part of the server configuration backup process. This automatic backup process can be configured to perform the backup at a predefined time interval, to a remote and secure network location (to prevent a single point of failure). The backup file is compressed and password protected. This backup store ensures that a server can be recovered from any failure scenario.

5. Key Recovery

Key Recovery is the process of retrieving keys from backup or archive storage. This process covers several different key recovery techniques, each of which results in the recovery of a key and the other information associated with that key. The Safend Key Recovery process allows complete key recovery in the following cases:

1. Loss or corruption of a machine's local encryption store: In this case the encryption store is recreated automatically by performing machine registration after a user logs in to the encrypted endpoint.

2. Decrypting old encrypted data, such as data on an encrypted backup tape: All encrypted files can be decrypted in the same manner, by using the data recovery challenge response process.

3. Lost smart cards or tokens that contain keys or key components: This scenario is easily recovered from: after a new smart card is created for the user, a user re-registration process occurs automatically and a new user secret store is generated (encrypted by the new smart card credentials).

4. Forgotten passwords that control access to a machine encryption key: In this scenario, after the password is reset by the administrator, user re-registration is performed automatically the next time the user logs in, and a new user secret store is generated (encrypted by the user's password).

5. Hard drive hardware malfunction: Even a single file salvaged from a malfunctioning hard drive can be decrypted using the data recovery utility's challenge response process.

6. Key Retirement (Key Deletion)

Key Deletion is the process of permanently removing keys from all systems for all intended purposes. This includes operational stores, backup stores and archive stores. Key Deletion is performed on the encrypted client and the Management Server when the endpoint is decrypted and the product is uninstalled.
