Welcome to PKWARE Smartcrypt, the most powerful way to safeguard your company’s data! This guide will walk you through the installation of Smartcrypt Manager and get you familiar with the Smartcrypt Manager tool.
Smartcrypt provides a unique set of software solutions for data-level security that is unbreakable, cost-effective and easy-to-implement. It provides persistent security everywhere business data goes. It has been designed for high performance, easy integration into your public key infrastructure and has embedded encryption key management to help organizations meet and exceed compliance objectives.
This guide has two parts:
- In this section, you’ll learn how to install and configure the Smartcrypt Manager environment.
- In the second section, you’ll learn how to set up the Smartcrypt Manager and identify system administrators to manage and monitor Smartcrypt activities.
Smartcrypt Manager Requirements
- Windows Server joined to your domain running Microsoft Internet Information Server (IIS) v7 or later
- Incoming HTTPS connection to the IIS site used for customer administration
- Incoming HTTPS connection to the IIS site used by Smartcrypt Application Agents
- Microsoft SQL Server
- An outgoing HTTPS connection to https://cmds.pkware.com on port 443 (activation)
Note: An “Island” mode is supported for deployments where no Internet access is available. This mode is covered in “Creating an Isolated (“Island”) Server” later in this document.
Setting Up SQL Server
Before installing Smartcrypt Manager, create an empty database and a database user for Smartcrypt Manager to use.
The database should use the Latin1_General_CI_AS collation.
The database user requires db_owner on the Smartcrypt database only; it needs no server-level role.
Consult the documentation for your version of SQL Server if necessary.
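The following PowerShell script is an added example, not part of PKWARE's guide: it creates the empty database with the required collation, a dedicated SQL login, grants that login db_owner on the Smartcrypt database only, and then opens a connection with the same connection string you will later paste into the installer's Connection String field to confirm the login lands in the right database with the right role. The instance, database and login names are placeholders, and it assumes SQL Server 2012 or later (for ALTER ROLE) and that you run it as a Windows account that is sysadmin on the instance.

```powershell
# Added example (not from PKWARE's guide): prepare the Smartcrypt database and
# its login, then smoke-test the connection string the installer will use.
# Assumptions: SQL Server 2012+, caller is sysadmin via Windows auth,
# names below are placeholders (avoid ']' or ';' in them).
Add-Type -AssemblyName System.Data

$SqlInstance = 'SQL01\MSSQLSERVER'   # assumed instance
$DbName      = 'Smartcrypt'          # assumed database name
$DbUser      = 'smartcrypt_svc'      # assumed login name
$DbPassword  = Read-Host -Prompt 'Password for the Smartcrypt database login'

# A single quote inside a T-SQL string literal must be doubled.
$pwdLiteral = $DbPassword.Replace("'", "''")

# Runs in master: database with the collation the guide requires, plus a login
# that is subject to the Windows password policy. No server role is granted.
$createDb = @"
IF DB_ID(N'$DbName') IS NULL
    CREATE DATABASE [$DbName] COLLATE Latin1_General_CI_AS;
IF SUSER_ID(N'$DbUser') IS NULL
    CREATE LOGIN [$DbUser] WITH PASSWORD = N'$pwdLiteral', CHECK_POLICY = ON;
"@

# Runs inside the new database: map the login to a user and make it db_owner there.
$grantOwner = @"
IF DATABASE_PRINCIPAL_ID(N'$DbUser') IS NULL
    CREATE USER [$DbUser] FOR LOGIN [$DbUser];
ALTER ROLE db_owner ADD MEMBER [$DbUser];
"@

function Invoke-Tsql([string]$ConnectionString, [string]$Sql) {
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

Invoke-Tsql "Data Source=$SqlInstance;Initial Catalog=master;Integrated Security=True" $createDb | Out-Null
Invoke-Tsql "Data Source=$SqlInstance;Initial Catalog=$DbName;Integrated Security=True" $grantOwner | Out-Null

# Smoke test with the exact string for the installer's Connection String field:
# it must open, land in the Smartcrypt database, see the right collation and be db_owner.
$appConn = "Data Source=$SqlInstance;Initial Catalog=$DbName;User ID=$DbUser;Password=$DbPassword;Encrypt=True;TrustServerCertificate=False"
$check = Invoke-Tsql $appConn @"
SELECT CASE WHEN IS_ROLEMEMBER('db_owner') = 1
             AND CAST(DATABASEPROPERTYEX(DB_NAME(), 'Collation') AS nvarchar(128)) = N'Latin1_General_CI_AS'
            THEN 'OK' ELSE 'FAIL' END
"@
if ($check -ne 'OK') { throw "Smartcrypt database check failed: $check" }
"Database $DbName and login $DbUser are ready. Connection string:`n$appConn"
```

Encrypt=True with TrustServerCertificate=False makes the web server refuse a SQL Server whose TLS certificate it does not trust; if the smoke test fails on that, fix the SQL Server certificate rather than relaxing the setting, since the connection string carries the database password.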
Configuring Smartcrypt Manager Web Application
Follow these steps to configure the Smartcrypt Manager Web Application:
- Install the Visual C++ 2012 Runtime
- Install Web Deploy with Microsoft Web Platform Installer
- Configure Internet Information Server for Smartcrypt
- Configure Windows Authentication for the Application
- Install Smartcrypt Manager
Install the Visual C++ 2012 Runtime
Smartcrypt is developed with Microsoft® Visual Studio® 2012. The Microsoft Visual C++ redistributable provides runtime libraries that Smartcrypt requires.
- Go to https://www.microsoft.com/en-us/download/details.aspx?id=30679. This site hosts the current version of this runtime application.
- Click Download.
- Select the vcredist_x86 file. This is the 32-bit version of the runtime; Smartcrypt is a 32-bit application, so this is the version needed even on 64-bit Windows.
- Click Next to begin the download.
- Run the file to install.
Install Web Deploy with Microsoft Web Platform Installer
You also need Microsoft's Web Deploy tool, which is used to import the Smartcrypt package into IIS. Get Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool that installs a variety of products into IIS. Download WPI from http://www.microsoft.com/web/downloads/platform.aspx (Web Deploy is also available as a standalone installer from the Microsoft Download Center).
After you download wpilauncher.exe, run it to open the Web Platform Installer. Click the Search box in the upper right corner and type Web Deploy. Several options may appear, depending on what applications are supported. For your initial installation, we recommend the most recent version of Web Deploy with bundled SQL support. Click Add on the latest version of Web Deploy (version 3.6 as of January 2016), then Install. WPI installs everything you need.
Configure Internet Information Server for Smartcrypt
Prior to installing the Smartcrypt Manager website, you must have two features installed and configured on IIS: ASP.NET (4.5 on Windows Server 2012 R2) and Windows Authentication. There are important, if slight, differences in the setup depending on which version of Windows Server you are running.
If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Manager.”
Setting up IIS in Windows Server 2012 R2
- From Server Manager, choose Manage > Add Roles and Features.
- Skip the Before you begin page. Click Next.
- On the Installation Type page, select Role-based or feature-based installation. Click Next.
- On the Select destination server page, choose the server you will install Smartcrypt on. Click Next.
- On the Server Roles page, select Web Server (IIS).
- On the Features page, check ASP.NET 4.5. Click Next.
- Under Web Server Role (IIS), go to Role Services.
- On the Role Services page, check Windows Authentication (under Security) and ASP.NET 4.5 (under Application Development). Click Next.
- Click Add Features when the wizard asks you to add:
- .NET Extensibility 4.5
- ISAPI Extensions
- ISAPI Filters
- Confirm your installation selections and click Install.
These features are now active.
Setting up IIS in Windows Server 2008 R2
- From the Server Manager, go to Web Server (IIS).
- If ASP.NET and/or Windows Authentication appear as Not Installed in the Role Services list, click Add Role Services.
- Under Application Development, check ASP.NET.
- Click Add Required Role Services when the Wizard asks you to Add:
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- To enable Windows Authentication, open Security.
- Check the Windows Authentication box.
- Click Install to add these features.
Enabling .NET Framework 4 Support in IIS (Windows Server 2008)
After installing the ASP.NET role service in Server Manager, you must still register ASP.NET 4 with IIS on Windows Server 2008 R2. This is done from an Administrator command prompt.
- Open the Command Prompt.
- Go to C:\Windows\Microsoft.NET\Framework64\v4.0.XXXXX.
- Run aspnet_regiis.exe -i.
- ASP.NET RegIIS will install ASP.NET.
Configure Windows Authentication for the Application
After adding the Windows Authentication role service, you must also enable it in IIS Manager. The steps to allow single sign-on are the same for Windows Server 2008 R2 and 2012 R2:
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager)
- In the Management section, select Feature Delegation
- Change the Authentication - Windows setting to Read/Write
- From the main window, click Authentication.
- Select Windows Authentication
- In the Actions panel on the right, click Enable.
- Click Providers.
- Use the Move Up button to bring NTLM to the top of the list. Save.
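The script below is an added example, not part of PKWARE's guide. It performs the Windows Server 2012 R2 role-service installation from "Setting up IIS in Windows Server 2012 R2" and the Windows Authentication configuration from this section from an elevated PowerShell session instead of the wizards, and prints the resulting configuration section so the provider order can be checked. It assumes Windows Server 2012 R2 with the ServerManager and WebAdministration modules, and that the section is configured at the server level, as the guide's steps do.

```powershell
# Added example (not from PKWARE's guide): install the IIS role services the
# guide lists and enable Windows Authentication with NTLM ahead of Negotiate.
# Assumes Windows Server 2012 R2, run from an elevated PowerShell session.
Import-Module ServerManager

# Web Server role plus: Windows Authentication, ASP.NET 4.5, .NET Extensibility 4.5,
# ISAPI Extensions, ISAPI Filters. Web-Mgmt-Console adds IIS Manager for the GUI steps.
$features = 'Web-Server', 'Web-Windows-Auth', 'Web-Asp-Net45',
            'Web-Net-Ext45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Console'
$result = Install-WindowsFeature -Name $features
if (-not $result.Success) { throw 'IIS feature installation failed' }

Import-Module WebAdministration
$appcmd    = "$env:windir\System32\inetsrv\appcmd.exe"
$waSection = 'system.webServer/security/authentication/windowsAuthentication'

# Feature Delegation "Read/Write" for Authentication - Windows: unlock the section
# so it can also be set at site level instead of only in applicationHost.config.
& $appcmd unlock config "/section:$waSection" | Out-Null

# Enable Windows Authentication at the server level.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "/$waSection" -Name enabled -Value $true

# Provider order. IIS defaults to Negotiate, NTLM; the guide wants NTLM on top.
# Removing Negotiate and adding it back appends it after NTLM.
& $appcmd set config "/section:$waSection" "/-providers.[value='Negotiate']" /commit:apphost | Out-Null
& $appcmd set config "/section:$waSection" "/+providers.[value='Negotiate']" /commit:apphost | Out-Null

# Print the section so the order can be verified before continuing.
& $appcmd list config "/section:$waSection"
```

Negotiate (Kerberos) is the stronger of the two providers, so move NTLM ahead of it only because this guide requires it, and confirm in the printed section that the order is NTLM, then Negotiate.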
Install Smartcrypt Manager
As a web application, there are several steps to deploying Smartcrypt Manager.
Adding an Application Pool
A dedicated application pool is not strictly required, but if other websites are already configured in IIS you should add one so that Smartcrypt Manager runs in its own worker process, isolated from those sites.
- Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
- Click View Application Pools to display existing pools.
- Click Add Application Pool.
- Give the application pool a name (possibly something like “MDS"). It is appropriate to accept the remaining default options.
- Under Edit Application Pool, click Advanced Settings for your new pool.
- Set Enable 32-Bit Applications to True. This allows 32-bit applications (like Smartcrypt) to run on 64-bit Windows.
Configuring SSL (Required)
Ensure that your site has been configured with an SSL certificate whose name matches the host name you will use for the Smartcrypt Manager (the Server Public URL you register later).
Note: This certificate must be trusted by devices running deployed instances of the Smartcrypt Application as well as any browsers used by your Security and Administration teams.
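As an added example that is not part of PKWARE's guide, the script below creates the application pool from "Adding an Application Pool" (32-bit enabled) and a site with an HTTPS-only binding, after checking that a certificate for the public host name exists in the machine store, has not expired, and chains to a root this server trusts, which is the same trust the deployed agents and administrators' browsers will need. The host name, pool name and site path are placeholders; the certificate is assumed to be installed already in Cert:\LocalMachine\My, and Windows Server 2012 R2 or later is assumed for the binding's AddSslCertificate method.

```powershell
# Added example (not from PKWARE's guide): application pool, HTTPS site and
# certificate check for Smartcrypt Manager. Placeholders below are assumptions.
Import-Module WebAdministration

$PoolName = 'MDS'                          # name suggested in the guide
$SiteName = 'Smartcrypt Manager'
$HostName = 'smartcrypt.example.com'       # assumed; must match the Server Public URL
$SitePath = 'C:\inetpub\SmartcryptManager' # assumed
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null

# Dedicated pool; 32-bit enabled because Smartcrypt is a 32-bit application.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name enable32BitAppOnWin64 -Value $true

# Pick the newest unexpired certificate with a private key that names the host
# (subject CN or a DNS SAN entry), then verify it chains to a trusted root here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       ($_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $HostName in LocalMachine\My" }
if (-not $cert.Verify()) { throw "Certificate for $HostName does not chain to a trusted root on this server" }

# HTTPS binding only: the guide requires SSL and agents connect over HTTPS.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $PoolName `
                -Ssl -Port 443 -HostHeader $HostName | Out-Null
}
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.GetCertHashString(), 'My')

# Show the final binding and the certificate it uses.
Get-WebBinding -Name $SiteName
"Bound certificate: $($cert.Subject), expires $($cert.NotAfter)"
```

The Verify() check only proves the chain is trusted on the web server itself; the note above still applies, since the client machines and administrators' browsers must trust the same issuing CA.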
- Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
- In IIS Manager, go to Sites.
- Click Add Web Site. Name it Smartcrypt Manager. Select the application pool you created.
If you are setting up IIS solely to run Smartcrypt, we recommend that you rename Default Web Site to Smartcrypt Manager.
- In the Action menu on the right side of the screen, select Import Application from the Deploy section.
- Browse to the directory where the Smartcrypt package is located, select the ZIP, and click Next.
- Review the contents of the package, and click Next to confirm.
- Enter Application Package Information:
- Application Path: Where Smartcrypt sits on your server. This should be set to mds, but can be edited.
- Smartcrypt Manager Server Password: the password that secures your Satellite account with PKWARE. It is used to encrypt all of your keys, so it must be strong and securely backed up. If this password is lost, no user will be able to use any existing Smartkey in Smartcrypt.
Define the System Administrator
Smartcrypt Manager needs to have one System Administrator to do the initial setup. Choose to authenticate the first System Administrator through Active Directory or a local username and password. If you are installing multiple instances of the Smartcrypt Manager, the values need to be the same on all installations.
- AD SysAdmin: Select the preferred Active Directory account here. Leave empty to use a local account instead.
- Local SysAdmin: Enter the username to select a locally defined user. Leave empty if you are using an Active Directory account.
- Local SysAdmin Password: If you selected a locally defined username, enter that user’s password here. Leave empty if you are using an Active Directory account.
- Connection String: connects Smartcrypt Manager to the database you set up at the start. Edit this line with the data source (database server), initial catalog (the name of the Smartcrypt database), and the credentials of the database user you created for it (replace dbuser and dbpassword). This user needs db_owner on the Smartcrypt database only, not a server-level administrative login.
- Click Next to install Smartcrypt Manager.
- To populate the database, run SmartCryptDB.exe. This file is included in the ZIP package (Step 1).
Point your browser to https://<server>/<ApplicationPath>/SuperUser to login with the System Administrator credentials (Active Directory or Local) and start using Smartcrypt.
Simple Startup Guide to Smartcrypt Manager
After you log in to the Smartcrypt Manager for the first time with the first system administrator credentials, you’ll see the Smartcrypt Manager Actions page with the Getting Started list of tasks to configure Smartcrypt Manager. Complete these items (in order) to configure the server to accept client connections. Click Do it next to any task with a To Do box to go to the right page to perform each task. Most of these tasks are performed on the Basics page.
This section covers the primary tasks for new Smartcrypt system administrators:
- Creating Sys Admin accounts
- Registering Smartcrypt Manager
- Setting and deploying data encryption policies
- Managing the Smartcrypt Manager
Creating Sys Admin Accounts
The first system administrator account is the all-powerful Super Sys Admin on the Smartcrypt system. We highly recommend creating a new, less powerful Sys Admin before administering Smartcrypt Manager.
As with the first SysAdmin defined during the install, you can identify an Active Directory account (Domain User) or a local user as a SysAdmin. You can also identify an AD (Domain) Group as SysAdmins, but for this first user/SysAdmin, we recommend selecting just one user.
- Go to Advanced > Admins.
- Choose one user type to set up: Domain User, Domain Group or Local User
- Enter the required fields:
- Domain User: Active Directory account
- Domain Group: Active Directory group account
- Local User: Username/Email address and Password
- Select Sys Admin from the Role drop-down menu
- Click Save. The action of creating a new Sys Admin has now been queued for approval.
Normally, every action (creation, modification, deletion) on system entities like Sys Admins or Smartcrypt Policies needs to be confirmed by another Sys Admin. As the Super Sys Admin, you can approve your own actions. The new Sys Admin needs to be approved before the account will have access.
- Go to the Actions page. You should see the Create Admin item in Pending Actions. Click Approve to give this admin access to Smartcrypt Manager.
- Log out as the all-powerful Sys Admin, and log back in with your newly created account.
Registering the Smartcrypt Manager
The Smartcrypt Manager needs to be registered before it can function. The registration process alerts PKWARE that your Smartcrypt Manager is online and ready for activation. A Server URL is required in this process to direct future traffic to this Smartcrypt Manager. Once the Smartcrypt Manager is registered with PKWARE, all Smartcrypt users with an email domain associated with the Smartcrypt Manager will be directed to use the server for all Smartcrypt actions.
On the Basics page under App Registration, you’ll see these fields highlighted in red text:
- Account Created
- Logged in
- Account Registered
You must create a site account to allow other users to connect. Which type you create depends on your product and on whether the server can reach PKWARE online or runs isolated.
Understanding the Basics Page: App Registration
- Company name: click the link text to edit it.
- Server Identity Email: identifies your server to the PKWARE central server. Also used to sign and encrypt data going through this server.
- Server Public URL: the external URL for the server. Must match the Server Base URL in the Server Status section.
- Domain name(s) allowed to access this Smartcrypt Manager. This is completed after the initial account is created on the PKWARE central server.
- Is there a site account? Once you have created a site account, this section displays Yes. If not, you must create one. See “Creating an Online Account” and “Creating an Isolated (“Island”) Server.”
Creating an Online Account
To create an online site account, enter a site account user name for Smartcrypt Manager in the email field. Click Create Account Online. Smartcrypt Manager will connect to PKWARE, register your Smartcrypt Manager and log your domain account.
When this process completes, the three fields in red will be colored green and will all say Yes.
Licenses are then transmitted from the PKWARE central server.
Creating an Isolated (“Island”) Server
Up to this point, the installation process is identical for online and offline (isolated) servers. From here, there are two significant differences for isolated servers:
- When you create an isolated account, you must register the server with PKWARE manually, by exchanging a registration token and an authorization code.
- You must also manually import the software license on the Licenses page.
Registering an Isolated Server
- Under App Registration, enter a site account user name in the Email field.
- Click Create Account Isolated. This button creates the site account and logs it in to the database. The Logged In field will read Yes (Isolated mode).
- You will be asked to generate a registration/login token. This will appear on a separate screen.
- Copy the generated text, and follow the instructions on the bottom to send this text back to PKWARE.
- PKWARE will generate a final authorization code. Copy this text to the Clipboard.
- Click Import Authorizations and paste the authorization code into the window.
Importing an Isolated Server License
As with the registration code, PKWARE will provide a license key to permit your company to use Smartcrypt (Server and Client). To install this code and make Smartcrypt operational:
- Copy the license text.
- Go to Advanced > Licenses.
- Click Import License.
- Paste the license text into this page.
- Click Import License.
The license will appear under Active Licenses.
Understanding the Basics page: Server General
- If the host is already joined to the desired domain and the application runs under an AD account that is permitted to query domain information, this should read "Use IIS/Machine Account".
- External Polling Interval (seconds): how often Smartcrypt Manager connects to the PKWARE central server to receive changes. Default is 60. Click the link text to edit this interval.
- Smartcrypt Polling Interval (seconds): how often the Smartcrypt clients deployed in your organization check with the Smartcrypt Manager for changes: new Smartkeys, policy changes, or account access changes.
- Data Security Intelligence: enables Smartcrypt clients deployed in your organization to report a file audit log back to the Smartcrypt Manager. Clients transmit file encryptions, decryptions, and changes to Smartkey access control lists.
Before users can use Smartcrypt successfully, system administration must establish effective data encryption policies. The Policies page simplifies this process. Configure policies at Advanced > Policies.
Smartcrypt Manager defines a default Site-wide policy. You may edit this policy, and apply it to everyone who connects with Smartcrypt.
In addition, you can create separate policies for defined groups. Group-based policies always override the site-wide policy. To add one, click Add on the Policies page.
Understanding the Policy Page
- Name: can be anything, but we suggest a naming convention that reminds you who is affected by the policy.
- Active Directory groups or users who should be controlled by this policy. Policies can be prioritized so that the first policy that matches a user is the one that applies, even though the user’s Active Directory group memberships might qualify them for several policies.
- Sys Admins that are allowed to control and modify this policy. If a user is listed here who is not currently a Sys Admin, the user is added as a Security Sys Admin.
- Authentication Check Interval (minutes): how long (in minutes) before a user is forced to re-authenticate to Smartcrypt Manager; this is what makes a changed AD domain password take effect. Default is 15 minutes. Click the link text to edit this interval.
- Offline Access Limit (hours): users should always sync with the Smartcrypt Manager when working with Smartcrypt data. Set the maximum time (in hours) without authenticated communication with Smartcrypt Manager. After this time elapses, any user running Smartcrypt in offline mode is logged out and loses access to encrypted data until they go online and log in. Default is 24 hours. Click the link text to edit this interval. A longer window also lengthens the time a user whose access has been revoked can keep working offline before being logged out.
- FIPS mode: see the FIPS section below.
- Encryption Algorithm: select the strength of encryption. The Advanced Encryption Standard (AES) algorithm was originally adopted by the U.S. federal government and is in increasingly widespread use in banking and credit card operations. Different key lengths are supported for AES. In general, the longer the key, the stronger the encryption; AES-256 also runs more rounds than AES-128, so encryption is slightly slower. By default, Smartcrypt uses the strongest available key length (AES-256). Use the drop-down menu to select a different key length.
- Contingency keys: see the Contingency Keys section below.
- Contingency group: see the Contingency Group section below.
Beside some settings, you’ll see an open padlock icon. This feature allows administrators to set a default preference that users cannot change. If you want, for example, users to always encrypt data with the highest level of encryption, set the Encryption Algorithm to AES-256 and click the padlock. Applying this policy then requires this setting for all users subject to it.
FIPS is an abbreviation for Federal Information Processing Standards, a set of standards for information processing in federal agencies in the United States. In FIPS 140 mode, encryption and decryption are done using only encryption and hashing algorithms that have been validated for compliance with the FIPS 140-2 security requirements for cryptographic modules by NIST (National Institute of Standards and Technology), a US government agency. The options are:
- Prefer fastest available algorithms: use the fastest version of the Advanced Encryption Standard (AES) available on the system. This is the default.
- Use FIPS 140 mode: use only FIPS-validated algorithms to encrypt or decrypt files, email messages, and email attachments.
- Use FIPS-validated algorithms; allow AE extraction: always choose FIPS-validated algorithms for encryption and decryption, but allow unzipping files encrypted with the AE-2 algorithm used by some compression applications.
- Prefer FIPS validated algorithms: choose FIPS-validated algorithms over others, but do not require them.
A list of existing contingency keys associated with this installation. Contingency keys enable an organization to decrypt files encrypted by anyone in the organization, whether the files are password encrypted or encrypted for specific recipients.
To define a contingency key, return to the Policies page and click Add in the Contingency Public Keys section. See also “Add a New Contingency Key” later in this guide.
A Contingency Group is an RSA 2048-bit public key, a corresponding encrypted private key, and a specification describing who is allowed to have access to that private key. Smartkeys that are created after a user is part of a policy will be affected by the contingency group. Smartkeys that existed before a user was controlled by a policy will not be given access through the contingency group. This is an important distinction because all Smartcrypt users get a Smartkey created when their account is created. We suggest that you define contingency groups in policies before deploying Smartcrypt clients in your organization to best utilize contingency groups.
Enter usernames in the Contingency Groups box to define the contingency group associated with this policy file.
Add a New Contingency Key
Contingency keys enable an organization to decrypt files encrypted by anyone in the organization, whether the files are password encrypted or encrypted for specific recipients. Contingency keys are a safeguard to be sure that important information belonging to the organization does not become inaccessible because no one in the organization can decrypt it.
A contingency key is an ordinary cryptographic key from a public/private key pair. The special thing about it is that, once the key is designated as a contingency key, it is automatically included as a recipient of every encrypted file, so the holder of the private key can decrypt the files. That private key can therefore open everything the organization encrypts: keep it offline, limit who can use it, and upload only the public half to Smartcrypt.
You must have access to a key file to designate a contingency key. This key is either an X.509 certificate or an OpenPGP key. You’ll upload the public key file to Smartcrypt.
Follow these steps to add a contingency key to Smartcrypt data:
- Go to the Policies page.
- Click Add in the Contingency Public Keys section.
- Name the contingency key.
- Browse your system for the public key file.
- Click Upload.
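The script below is an added example, not part of PKWARE's guide, showing one way to produce the key file the steps above ask for: it generates a contingency key pair as a self-signed X.509 certificate, exports the public certificate for upload on the Policies page, exports the private key into a passphrase-protected PFX for offline custody, and then deletes the private key from the web server. It assumes Windows Server 2012 R2 or later (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate), that the DER-encoded .cer file is acceptable as the X.509 upload, and that the name and output directory are placeholders.

```powershell
# Added example (not from PKWARE's guide): create and export a contingency key
# pair as an X.509 certificate. Placeholders below are assumptions.
# Assumes Windows Server 2012 R2+ and an elevated session (machine store access).
$KeyName = 'contingency.smartcrypt.example.com'  # assumed subject / DNS name
$OutDir  = 'C:\ContingencyKey'                    # assumed; clear it after the PFX is moved offline
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# New-SelfSignedCertificate creates an RSA 2048-bit key in the machine store.
$cert = New-SelfSignedCertificate -DnsName $KeyName -CertStoreLocation 'Cert:\LocalMachine\My'

# Public half (DER .cer): this is the file to browse to and upload on the Policies page.
$publicFile = Join-Path $OutDir 'contingency-public.cer'
Export-Certificate -Cert $cert -FilePath $publicFile | Out-Null

# Private half: PFX protected with a passphrase typed at the console, never stored in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX passphrase for the contingency private key'
$privateFile = Join-Path $OutDir 'contingency-private.pfx'
Export-PfxCertificate -Cert $cert -FilePath $privateFile -Password $pfxPassword | Out-Null

# Remove the private key from the web server: a key that decrypts every file in
# the organization has no business staying on an Internet-facing host.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey

# Confirm the public file parses as a certificate and report what is on disk.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $publicFile
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Exported public certificate does not match' }
"Upload $publicFile as the contingency key (thumbprint $($cert.Thumbprint))."
"Move $privateFile to offline storage and record who holds the passphrase."
```

Store the PFX and its passphrase separately, under the same controls you would give a domain recovery key: whoever can combine them can read every Smartcrypt-encrypted file produced under this policy.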
Setting up an Email Server with Smartcrypt for System Notifications
Open the Basics page in Smartcrypt Manager.
Understanding the Basics Page: Mail Settings
- Require mails to be secure (TLS).
- Mail server hostname.
- Port: 25 by default, unless TLS is enabled.
- Domain: if your mail server requires authentication, identify the Active Directory domain here.
- User name (optional): if your mail server requires authentication, enter the Active Directory user name. A dedicated, low-privilege account is preferable.
- Password (optional): if your mail server requires authentication, enter that user’s password.
- From address: what should appear in the From: line when Smartcrypt Manager sends log reports.
- System Event Recipients: the email addresses of people who should be notified when high-priority errors occur on Smartcrypt Manager.
- Billing Event Recipients: Smartcrypt Manager checks periodically for license consumption and notifies these recipients when the allocated license count is reached and when the system will stop distributing new licenses to Smartcrypt clients.
When you have configured the Mail Settings, click Send Test Mail to confirm that everything works.