How do I implement encryption in Docsvault?
Posted by Sanjeev on 17 April 2020 12:40 PM
In-Transit and At-Rest Data Encryption in Docsvault
A. Data Encryption In-Transit
Docsvault Desktop Client Connection
The Desktop Client connects to the Docsvault Server Service on port 3831 for many application-level functions, but this connection never carries the actual data (documents and their metadata) stored in Docsvault. When a user logs in, the desktop client first connects to the Docsvault Server on port 3831 to get information on the SQL Server to connect to and to authenticate the user if necessary (i.e. when the user explicitly supplies a username and password instead of using the “Login as Current Windows User” option). The user password is encrypted (using the Rijndael algorithm) during this transaction and cannot be read by anyone during transmission by any man-in-the-middle methods.
Connection to SQL Server Database:
All documents, metadata, settings and user data are stored in a backend SQL Server database. Desktop client connections to the database are not encrypted by default, as they are assumed to be within the same local network. However, when communicating over the open internet or in special cases, SQL Server traffic can be encrypted in a few simple steps.
Once encryption is enabled, Docsvault clients will connect to the database server using the TLS 1.2 protocol (this depends on your SQL Server version; our default SQL Server 2014 SP1 installation supports TLS 1.2).
Restart SQL Server and use the following query to verify data encryption in transit. Run it on the Docsvault database using SQL Server Management Studio.
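One way to run this check, as an added example rather than Docsvault's own query: it reads the SQL Server dynamic management views `sys.dm_exec_connections` and `sys.dm_exec_sessions` and lists each user connection to the current database with its encryption state. It assumes the query window is set to the Docsvault database and that the login has VIEW SERVER STATE permission.

```sql
-- Added example (not from the Docsvault article).
-- Lists every user connection to the current database and shows whether
-- its transport is encrypted. Run it in the Docsvault database in SSMS.
-- Assumption: the login has VIEW SERVER STATE permission.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,      -- e.g. TCP, Shared memory, Named pipe
    c.auth_scheme,        -- e.g. SQL, NTLM, KERBEROS
    c.encrypt_option,     -- 'TRUE' when the connection is encrypted
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID()   -- only sessions using this database
ORDER BY
    CASE WHEN c.encrypt_option = 'TRUE' THEN 1 ELSE 0 END,  -- unencrypted first
    c.connect_time;
```

Any client row that still shows `encrypt_option = 'FALSE'` after the restart is a connection that is not protected in transit.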
All user data in Docsvault is stored in the SQL Server database. The actual digital documents (PDFs, Office files, images, emails, drawings, etc.) are stored on the SQL Server hard disk using the Filestream feature of SQL Server. All other information (filenames, profiles, metadata, workflows, security information, user settings, etc.) is stored in the database itself.
Normal versions of SQL Server, including the default Express edition used by Docsvault, do not offer database-level at-rest encryption. Higher editions of SQL Server (like the Enterprise edition) do provide transparent data encryption, which encrypts data at rest as well. However, only the data in the database file is encrypted, while the digital documents stored in the Filestream are still not encrypted.
Disk Level Encryption
You can encrypt the entire server disks using one of the many available volume-level encryption methods, such as BitLocker. This ensures the security of data stored on the entire disk while keeping it accessible to programs running on the server with proper authentication.