A Smartkey is a collection of encryption keys and a corresponding access control list of who can use them. Smartkeys can be applied to one or more files and are a replacement for passwords and traditional public key infrastructure (PKI). Data is encrypted at the file level using a Smartkey according to the organization's security policy. This data can be used, shared or stored in a variety of places including network drives, e-mail, and cloud storage.
There are three components to a Smartkey: the session key, the asset key, and the access control list (ACL).
The Session Key is the symmetric key that actually gets used to encrypt the data. It is an AES256 key, meaning that it contains 32-bytes of long, random, unique information. The PK Protect Application generates this key and uses it to encrypt data.
The Asset Key is also an AES256 key generated by the PK Protect Application. It is used to encrypt all Session Keys related to files controlled by the Smartkey.
The Access Control List (ACL) is a list of one or more e-mail addresses that should be allowed to use the Smartkey.
Smartkeys are synchronized through PK Protect to all user devices defined by the ACL. When this ACL changes, the Asset Key gets re-encrypted for and redistributed to the remaining members. By only re-encrypting the key material that defines who has access to the session key(s) all penalties associated with re-encrypting the actual data are avoided.
The below drawing illustrates how Smartkeys are delivered and stored on client devices.
For example, when a user joins a team, they can be issued the team Smartkey(s) which grants them instant access to all data encrypted with those keys. When they leave the team, access can be revoked. Any time access changes, all key material is re-encrypted and redistributed to the remaining authorized users without having to update the data directly.
Note: this type of zero-impact re-encryption is only available with Smartkeys (vs. other key types)
Smartkey access can be defined by users, removing IT complexity and improving end-user experience. Access to Smartkeys can be defined for users that don’t exist within the ecosystem yet. Once they’ve taken the steps to create or register their account, any Smartkeys they have access to are automatically delivered to their device(s).
Smartkey access can also be defined by administrators, further improving end-user experience and allowing Administrators to align PK Protect with existing IT security policy.
They solve 6 problems:
Private key sync (to all devices that need them)
Public key exchange (to all users that need them)
Identity creation and integration (PKI is integrated with existing IAM solution)
Controlled encryption that provides access to DLP people, process and technology
Solves the re-encryption problem (having to re-encrypt data every time access changes, completely unworkable in shared file locations like File Servers, Dropbox, Box, OneDrive, Google Drive, Email, FTP, etc.)
Key rotation without the overhead of re-encrypting data