Using this screen, administrators can define Smartkeys. The keys are owned by PEM Administrator's own PK Protect Identity and can be assigned to users and groups within an organization.
A Smartkey is a collection of encryption keys and an access control list that specifies who can use them. The keys can be applied to one or more files and are used as a replacement for passwords and traditional public key infrastructure (PKI). Data is encrypted at the file level using a Smartkey according to the organization's security policy. This data can be used, shared, or stored in a variety of places including network drives, e-mail, and cloud storage. There are three components to a Smartkey.
- Session Key – Is the symmetric key which is used for encrypting the data. It is an AES256 key that contains 32-bytes of long, random, unique information. The PK Protect application generates this key and uses it to encrypt data.
- Asset Key – It is also an AES256 key which is generated by the PK Protect Application. It is used to encrypt all session keys related to files controlled by the Smartkey.
- Access Control List (ACL) - ACL contains a list of one or more email addresses of the users or groups allowed to use the Smartkey.
Smartkeys are synchronized through PK Protect to all user devices defined by the ACL. When the ACL changes, the Asset key gets re-encrypted and redistributed to remaining members. By only re-encrypting the key material that defines who has access to the session key(s), the penalties associated with re-encrypting the actual data are avoided. The following diagram illustrates how Smartkeys are delivered and stored on client devices.
For example, when a user joins a team, they are issued team's Smartkey using which grants them immediate access to all data encrypted with that team’s keys. When they leave the team, access can be revoked. Any time access changes, all key material is re-encrypted and redistributed to the remaining authorized users without updating the data directly.
*Note: This type of zero-impact re-encryption is only available with Smartkeys (vs. other key types).
Smartkey access can be defined by end-users directly, which helps remove the complexity and dependancy on IT and improves end-user experience. Access to Smartkeys can be defined for users who do not exist in the ecosystem yet. Once an account has been created and registered, any Smartkeys they have access to are automatically delivered to their devices
The Smartkey solves six problems:
- Private Key sync to all devices that need them.
- Public Key exchange to all users that need them.
- Identity creation and integration, PKI is integrated with existing IAM solution.
- Controlled encryption that provides access to DLP people, process, and technology.
- Solves the re-encryption problem; having to re-encrypt data every time access changes, completely unworkable in shared file locations like File Servers, Dropbox, Box, OneDrive, Google Drive, Email, FTP, etc.
- Key rotation without the overhead of re-encrypting data.
Adding a Community Key
To add a key, execute the following steps:
- Click Add button in the Community Smartkeys This opens the Add Community screen.
- Enter the name of the community key.
- Enter the name of an Active Directory user or group. This is used to assign the keys to the specified users or groups in the organization. You can make use of Advanced Definition feature for searching users or groups.
- Enter any additional comment, if desired.
- Click Save button if you want to save the configuration.
Transferring Community Keys
Using Import/Export feature, admins can transfer keys from one server to another. When this is done, any files encrypted with a community key becomes inaccessible if those keys are not present on the new server. To transfer keys between servers, execute the following steps:
You must start on the new server (server 2)
- Click Import/Export button in the Community Smartkeys. This opens the Community Smartkeys Import/Export panel.
- Click Download Public Key. This generates a JSON file that gets downloaded to the Downloads folder.
- From the old server (server 1), where you want to export the key from Go to Archive > Communities.
- Click Import/Export.
- Click Export. This opens the Export – Community Smartkeys Transfer To.
- In Upload Public Key to Target Server field browse to the JSON file saved in step 2.
- Select the keys which you want to export in the Select Keys to Export By default, all keys are selected.
- Save the generated Key Transfer file to a convenient location. From the new server (server 2), click lick Import. This opens the Import – Community Smartkey Transfer From screen.
- Browse to the Key Transfer file. Click Ok to save the details.
After successful import, you will see all the imported community keys in the Community SmartKeys panel of the new server. You can then assign relevant users or groups to the keys.