The PK Endpoint Manager (PEM) Communities tab is a place where administrators can define Smartkeys. These keys are owned by PEM's own PK Protect identity and can be assigned to users and groups within an organization. Read more about Smartkeys below.
A Smartkey is a collection of encryption keys and a corresponding access control list of who can use them. Smartkeys can be applied to one or more files and are a replacement for passwords and traditional public key infrastructure (PKI). Data is encrypted at the file level using a Smartkey according to the organization's security policy. This data can be used, shared or stored in a variety of places including network drives, e-mail, and cloud storage.
There are three components to a Smartkey: the session key, the asset key, and the access control list (ACL).
The Session Key is the symmetric key that actually encrypts the data. It is an AES256 key, meaning it consists of 32 bytes of random, unique key material. The PK Protect Application generates this key and uses it to encrypt data.
The Asset Key is also an AES256 key generated by the PK Protect Application. It is used to encrypt all Session Keys related to files controlled by the Smartkey.
The Access Control List (ACL) is a list of one or more e-mail addresses that should be allowed to use the Smartkey.
Smartkeys are synchronized through PK Protect to all user devices defined by the ACL. When this ACL changes, the Asset Key gets re-encrypted for, and redistributed to, the remaining members. By re-encrypting only the key material that defines who has access to the session key(s), all penalties associated with re-encrypting the actual data are avoided.
The below drawing illustrates how Smartkeys are delivered and stored on client devices.
For example, when a user joins a team, they can be issued the team Smartkey(s) which grants them instant access to all data encrypted with those keys. When they leave the team, access can be revoked. Any time access changes, all key material is re-encrypted and redistributed to the remaining authorized users without having to update the data directly.
Note: this type of zero-impact re-encryption is only available with Smartkeys (vs. other key types).
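The session key / asset key / ACL hierarchy described above, as an added illustration that is not PK Protect's own code: each file gets its own session key, the asset key wraps every session key, and the asset key is sealed once per ACL member. Revoking a member rotates the asset key and re-wraps only the key material, leaving the file ciphertext untouched. The HMAC-SHA256 stream cipher and the per-member device keys are constructed stand-ins so the example runs on the Python standard library alone.

```python
import os, hmac, hashlib

def _keystream_xor(key, nonce, data):
    # Stand-in for AES-256-CTR built on HMAC-SHA256 so the example runs on the
    # standard library alone; real deployments use AES-256 from a crypto library.
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, b"enc" + nonce + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, data):
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, data)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)

class Smartkey:  # asset key + per-file session keys + ACL, the three components above
    def __init__(self, members):           # members: {email: device_key} (constructed stand-in)
        self.acl = dict(members)
        self.asset_key = os.urandom(32)
        self.wrapped_session_keys = {}     # file name -> session key sealed under the asset key
        self._distribute()
    def _distribute(self):                 # what gets synced to each member's devices
        self.wrapped_asset_keys = {m: seal(k, self.asset_key) for m, k in self.acl.items()}
    def encrypt_file(self, name, plaintext):
        session_key = os.urandom(32)       # fresh 32-byte session key per file
        self.wrapped_session_keys[name] = seal(self.asset_key, session_key)
        return seal(session_key, plaintext)
    def decrypt_file(self, member, device_key, name, ciphertext):
        asset_key = unseal(device_key, self.wrapped_asset_keys[member])  # KeyError if not on ACL
        session_key = unseal(asset_key, self.wrapped_session_keys[name])
        return unseal(session_key, ciphertext)
    def revoke(self, member):
        # Zero-impact re-encryption: rotate the asset key, re-wrap only the session keys,
        # redistribute to the remaining members; the file ciphertext is never touched.
        # Caveat: a device that already cached a session key keeps what it could decrypt.
        del self.acl[member]
        old, self.asset_key = self.asset_key, os.urandom(32)
        self.wrapped_session_keys = {n: seal(self.asset_key, unseal(old, w))
                                     for n, w in self.wrapped_session_keys.items()}
        self._distribute()
```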
Smartkey access can be defined by users, removing IT complexity and improving end-user experience. Access to Smartkeys can be defined for users that don’t exist within the ecosystem yet. Once they’ve taken the steps to create or register their account, any Smartkeys they have access to are automatically delivered to their device(s).
Smartkey access can also be defined by administrators, further improving end-user experience and allowing Administrators to align PK Protect with existing IT security policy.
Smartkeys solve 6 problems:
- Private key sync (to all devices that need them)
- Public key exchange (to all users that need them)
- Identity creation and integration (PKI is integrated with the existing IAM solution)
- Controlled encryption that provides access to DLP people, process and technology
- The re-encryption problem (having to re-encrypt data every time access changes, which is completely unworkable in shared file locations like File Servers, Dropbox, Box, OneDrive, Google Drive, Email, FTP, etc.)
- Key rotation without the overhead of re-encrypting data
Adding Community Smartkeys
When you open the Archive > Communities page, you see a searchable list of existing Community Smartkeys. To add a new Community:
- Click Add.
- Give the Community Smartkey a name.
- Begin typing the name of an Active Directory Group or User. PEM will display matching users and groups. Select the item you want.
- (Optional) Add a Comment to explain the nature of this community.
- Click Save to confirm your choices.
Advanced Definitions of Users and Groups
Admins can use Boolean expressions to identify people and groups beyond the limits of standard Active Directory Groups. You can select multiple users and groups, exclude some users with the NOT operator, and add other users.
In this example, this Community Key includes the LargeData Marketing group but excludes user email@example.com.
To generate this result:
- Click in the Users/Groups field to display your options. The icon changes to .
- Start typing the name of the User or Group you want to apply this policy to. PK Endpoint Manager will display a list you can select from.
- Click Add Row.
- In the left-most field, change to User.
- To exclude a user, change the second field to not equal.
- Start typing the user name and select the user you want to exclude from this community key.
- At the top, change the Boolean operator. By default, the OR operator is selected. Change this to AND.
- Click outside the box to confirm the changes.
Transferring Community Keys
At some point, you may need to move your PK Endpoint Manager environment from one server to another. When you do this, any files encrypted with a community key will be inaccessible if those keys are not on the new server. PEM allows you to export the existing keys from the old server to the new server. Follow these steps:
- Start on the new server. Go to Archive > Communities.
- Click Import/Export.
- Click Download Public Key. Save the generated JSON file to a convenient location.
- On the old server, go to Archive > Communities.
- Click Import/Export.
- Click Export.
- Under Upload Public Key to Target Server, browse to the JSON file saved in step 3.
- In Select Keys to Export, all existing Communities are checked by default. You may uncheck the box next to any keys you don't want to export. Click OK.
- Save the generated Key Transfer file to a convenient location.
- Return to the new server.
- Click Import.
- Browse to the Key Transfer file. Click OK.
After the import, you will see the imported Community Keys in the Communities list. Add the relevant Users/Groups to each imported Community.