How do I implement encryption in Docsvault?
Posted by Sanjeev on 17 April 2020 12:40 PM

In-Transit and At-Rest Data Encryption in Docsvault

Encryption protects data both in transit and at rest. It does carry a performance cost, so decide where to apply it based on how your data is actually transmitted and where it is stored.

A. Data Encryption In-Transit

Docsvault Desktop Client Connection

The Desktop Client connects to two endpoints: the Docsvault Server Service on TCP port 3831, and the SQL Server database on whatever port the SQL Server instance is configured to listen on.

Connection to Docsvault Server Service:

The Desktop Client talks to the Docsvault Server Service on port 3831 for a number of application-level functions, but this channel never carries the actual data stored in Docsvault (documents and their metadata). When a user logs in, the Desktop Client first contacts the Docsvault Server on port 3831 to learn which SQL Server to connect to and, if necessary, to authenticate the user (i.e. when the user explicitly supplies a username and password instead of using the "Login as Current Windows User" option). The password is encrypted with the Rijndael algorithm (the cipher standardized as AES) for this exchange, so it is not exposed in clear text to anyone capturing the traffic.

Connection to SQL Server Database:

All documents, metadata, settings and user data are stored in a backend SQL Server database. Desktop Client connections to the database are not encrypted by default, on the assumption that client and server sit on the same local network. When the connection crosses the open internet, or in other cases where the network cannot be trusted, SQL Server traffic can be encrypted with a few configuration steps on the SQL Server instance.

Once encryption is enabled, Docsvault clients connect to the database server over TLS 1.2 (subject to your SQL Server version; the SQL Server 2014 SP1 instance installed by Docsvault by default supports TLS 1.2).

See the screenshot below for how to enable encrypted connections in SQL Server Configuration Manager: under SQL Server Network Configuration, open the properties of Protocols for your instance, set Force Encryption to Yes on the Flags tab, and select a certificate on the Certificate tab. Use a certificate issued by a CA your clients trust, whose subject or subject alternative name matches the server name clients connect with, and make sure the SQL Server service account can read its private key. If no certificate is selected, SQL Server falls back to a self-generated certificate: the traffic is still encrypted, but clients that validate the server certificate will reject it unless they are configured to trust any certificate, and clients that do not validate it gain no protection against a man-in-the-middle.

Restart the SQL Server service, then run the following query in SQL Server Management Studio (connected to the Docsvault database) to verify that data is encrypted in transit:

SELECT c.session_id, c.net_transport, c.encrypt_option,
       s.host_name, c.client_net_address, c.client_tcp_port, c.local_tcp_port, s.login_name, c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
ON c.session_id = s.session_id
WHERE s.is_user_process = 1;

The result should show encrypt_option as 'TRUE' for every connected client. Note that 'TRUE' only tells you the session is encrypted; it does not tell you whether the client verified the server's certificate, which is what actually protects against a man-in-the-middle. Any session still showing 'FALSE' after the restart is worth investigating; the host_name and client_net_address columns identify the client.
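As an added example (not Docsvault's own code or documentation), the following PowerShell script checks the same things from the SQL Server host: whether Force Encryption is on, whether a real certificate is configured and names the server, and then runs the session query over a connection that insists on validating the server certificate, which is the check the query alone cannot make. The instance name DOCSVAULT and the host name dvserver.example.local are assumptions; change them to match your installation. It connects with Windows authentication, so run it as a Windows login that is a sysadmin or has VIEW SERVER STATE.

```powershell
# Added example, not Docsvault code. Assumed values: instance 'DOCSVAULT' and
# host 'dvserver.example.local'. Run on the SQL Server host as an administrator.
$Instance   = 'DOCSVAULT'
$ServerFqdn = 'dvserver.example.local'

# 1. Force Encryption and the certificate thumbprint are stored under the
#    instance's SuperSocketNetLib key; resolve the instance ID (e.g.
#    MSSQL12.DOCSVAULT) from Instance Names so the path is not hard-coded.
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$Instance
$netLib     = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"

if ($netLib.ForceEncryption -ne 1) {
    Write-Warning 'Force Encryption is off: clients that do not ask for encryption send data in clear text.'
}

# 2. Without a configured certificate SQL Server uses a self-generated one that
#    clients cannot validate, which leaves the connection open to a man-in-the-middle.
if ([string]::IsNullOrWhiteSpace($netLib.Certificate)) {
    Write-Warning 'No certificate configured: SQL Server is using a self-generated certificate.'
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $netLib.Certificate }
    if (-not $cert) {
        Write-Warning "Configured thumbprint $($netLib.Certificate) is not in the Local Computer personal store."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Server certificate expired on $($cert.NotAfter)."
    } elseif (($cert.DnsNameList.Unicode -notcontains $ServerFqdn) -and ($cert.Subject -notlike "*CN=$ServerFqdn*")) {
        Write-Warning "Certificate does not name $ServerFqdn; clients connecting by that name will fail validation."
    } else {
        "Server certificate OK: $($cert.Subject), valid until $($cert.NotAfter)"
    }
}

# 3. Connect the way a security-conscious client should (Encrypt=True and
#    TrustServerCertificate=False) and list every user session with its
#    encrypt_option. If the connection itself fails, this machine does not trust
#    the server certificate, and clients that validate it will fail the same way.
$connString = "Server=$ServerFqdn\$Instance;Database=master;Integrated Security=True;" +
              'Encrypt=True;TrustServerCertificate=False'
$query = @'
SELECT s.host_name, s.login_name, s.program_name, c.net_transport,
       c.encrypt_option, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
'@
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    $sessions = @()
    while ($reader.Read()) {
        $sessions += [pscustomobject]@{
            Host      = $reader['host_name']
            Login     = $reader['login_name']
            Program   = $reader['program_name']
            Transport = $reader['net_transport']
            Encrypted = $reader['encrypt_option']
            Address   = $reader['client_net_address']
        }
    }
    $conn.Close()

    $clearText = $sessions | Where-Object { $_.Encrypted -ne 'TRUE' }
    if ($clearText) {
        Write-Warning 'Sessions that are NOT encrypted:'
        $clearText | Format-Table -AutoSize
    } else {
        "All $($sessions.Count) user sessions are encrypted."
    }
} catch {
    Write-Warning "Could not open a validated encrypted connection: $($_.Exception.Message)"
}
```

The script deliberately uses System.Data.SqlClient with an explicit connection string rather than Invoke-Sqlcmd, because older versions of Invoke-Sqlcmd do not expose the Encrypt and TrustServerCertificate settings, and those two settings are the whole point: a client that sets TrustServerCertificate=True gets an encrypted session that shows 'TRUE' in the query above while accepting any certificate an attacker presents. Connecting by the server's name with a named instance relies on the SQL Server Browser service; use a fixed port (Server=host,port) if Browser is disabled.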

Docsvault Web and API Connection

Traffic between the Docsvault Web Application and the Docsvault Server / SQL Server follows the same pattern described above for Desktop Client connections. Encryption of the traffic between the Docsvault Web Application/API and the end user's browser or mobile app is handled by the IIS web server: bind a TLS (SSL) certificate to the Docsvault site in IIS Manager and serve it over HTTPS. How strong that encryption is depends on the IIS configuration and the certificate used: use a certificate from a CA your users trust that names the site's host name, remove or redirect the plain HTTP binding so clients cannot fall back to clear text, and note that the TLS protocol versions and cipher suites IIS offers are governed by the Windows SCHANNEL settings of the server rather than by IIS itself.
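As an added example (again not Docsvault's own code), this PowerShell check, run on the IIS host as an administrator, confirms that the Docsvault site has an HTTPS binding whose certificate names the site, is in date and chains to a trusted CA, flags any plain HTTP binding, and reports whether the server still offers TLS 1.0 and 1.1. The site name Docsvault and the host name docs.example.local are assumptions.

```powershell
# Added example, not Docsvault code. Assumed values: IIS site 'Docsvault' and
# host name 'docs.example.local'. Run on the IIS server as an administrator.
Import-Module WebAdministration
$SiteName = 'Docsvault'
$HostName = 'docs.example.local'

$bindings = Get-WebBinding -Name $SiteName
$https    = @($bindings | Where-Object { $_.protocol -eq 'https' })
$http     = @($bindings | Where-Object { $_.protocol -eq 'http' })

if ($https.Count -eq 0) {
    Write-Warning "Site '$SiteName' has no https binding: browser and mobile traffic is sent in clear text."
}
if ($http.Count -gt 0) {
    Write-Warning ("Plain http binding(s) still present: " + ($http.bindingInformation -join ', ') +
                   ". Remove them or redirect to https so clients cannot be downgraded.")
}

# Each https binding carries the thumbprint (certificateHash) and store of its
# certificate; look it up and check name, validity period and chain of trust.
foreach ($b in $https) {
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -ieq $b.certificateHash }
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): certificate $($b.certificateHash) not found in LocalMachine\$store."
        continue
    }
    $namesOk = ($cert.DnsNameList.Unicode -contains $HostName) -or ($cert.Subject -like "*CN=$HostName*")
    if (-not $namesOk)                 { Write-Warning "Binding $($b.bindingInformation): certificate does not name $HostName." }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Binding $($b.bindingInformation): certificate expired $($cert.NotAfter)." }
    if (-not $cert.Verify())           { Write-Warning "Binding $($b.bindingInformation): certificate chain does not validate on this server (self-signed or untrusted CA?)." }
    "Binding $($b.bindingInformation): $($cert.Subject), valid until $($cert.NotAfter)"
}

# IIS negotiates whatever protocol versions Windows SCHANNEL allows. An Enabled=0
# value under the Server subkey is what disables a version; if the value is
# absent the operating system default applies, which on older servers means enabled.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -ne 0) {
        Write-Warning "$proto is not explicitly disabled (no Enabled=0 under $key); IIS may still negotiate it."
    }
}
```

Certificate.Verify() builds the chain with the server's own trust store, so it catches a self-signed or internal-CA certificate that this machine trusts but an outside browser or mobile device would not only if the CA is absent here too; for an internet-facing site, test from a client outside the domain as well. SCHANNEL changes take effect after a reboot, and disabling TLS 1.0/1.1 on the server also affects the Docsvault Server Service and SQL Server connections terminating on the same host, so confirm every client can negotiate TLS 1.2 first.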

B. Data Encryption At-Rest

All user data in Docsvault is stored in a SQL Server database. The digital documents themselves (PDFs, Office files, images, emails, drawings, etc.) are stored on the SQL Server host's disk through the FILESTREAM feature of SQL Server, in the FILESTREAM container of the database. All other information (file names, profiles, metadata, workflows, security information, user settings, etc.) is stored in the database data file itself.

Database Level Encryption

The Express edition used by Docsvault's default installation, and the Standard edition before SQL Server 2019, do not offer database-level encryption at rest. Higher editions (Enterprise, and Standard from SQL Server 2019 onwards) provide Transparent Data Encryption (TDE), which encrypts the database data and log files and their backups on disk. TDE does not, however, cover FILESTREAM data: the digital documents in the FILESTREAM container remain unencrypted on disk even when TDE is enabled, so TDE alone does not protect the documents themselves.

Disk Level Encryption

You can instead encrypt the server's disks with a volume-level encryption method such as BitLocker. This protects everything on the volume, including the FILESTREAM documents, against someone who obtains the disk or the powered-off server, while programs running on the server still read the data normally once the volume is unlocked at boot (by the TPM, a startup key or a password). Bear in mind what this does and does not cover: anyone with proper authentication on the running server, including anyone with access to SQL Server, sees the data in clear, so volume encryption complements rather than replaces Docsvault's own access controls. Keep the BitLocker recovery keys somewhere other than the encrypted server, and cover every volume that holds the database files, the transaction log, the FILESTREAM container and the backups.
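As an added example (not Docsvault's own code), the following PowerShell script reads the physical paths of every non-system database's data, log and FILESTREAM files from sys.master_files and checks that each volume they sit on is fully encrypted by BitLocker with protection turned on. It assumes the instance name DOCSVAULT, Windows authentication, the SqlServer (or SQLPS) module for Invoke-Sqlcmd, and the BitLocker feature installed on the server; run it on the SQL Server host as an administrator.

```powershell
# Added example, not Docsvault code. Assumed: instance 'DOCSVAULT' on this host,
# Invoke-Sqlcmd available (SqlServer or SQLPS module), BitLocker feature installed.
$Instance = 'DOCSVAULT'

# sys.master_files lists every file of every database, including the FILESTREAM
# container (type_desc = FILESTREAM), whose physical_name is a directory.
$files = Invoke-Sqlcmd -ServerInstance "localhost\$Instance" -Query @'
SELECT DB_NAME(database_id) AS db_name, type_desc, physical_name
FROM sys.master_files
WHERE database_id > 4;   -- skip master, tempdb, model, msdb
'@

$results = foreach ($f in $files) {
    $root = [System.IO.Path]::GetPathRoot($f.physical_name)
    if ($root -notmatch '^[A-Za-z]:\\$') {
        # UNC path: the data lives on another machine, check BitLocker there.
        [pscustomobject]@{ Database = $f.db_name; File = $f.type_desc; Volume = $root
                           Status = 'not a local drive letter'; Protection = 'check manually' }
        continue
    }
    $vol = Get-BitLockerVolume -MountPoint $root.TrimEnd('\') -ErrorAction SilentlyContinue
    if (-not $vol) {
        [pscustomobject]@{ Database = $f.db_name; File = $f.type_desc; Volume = $root
                           Status = 'unknown'; Protection = 'BitLocker cmdlets unavailable' }
        continue
    }
    [pscustomobject]@{
        Database   = $f.db_name
        File       = $f.type_desc
        Volume     = $root
        Status     = $vol.VolumeStatus          # FullyEncrypted is what we want
        Protection = "$($vol.ProtectionStatus) ($($vol.KeyProtector.KeyProtectorType -join ', '))"
    }
}

$results | Format-Table -AutoSize
$unprotected = $results | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -notlike 'On*' }
if ($unprotected) {
    Write-Warning 'Files on volumes that are not fully encrypted with protection on:'
    $unprotected | Format-Table -AutoSize
} else {
    'Every database, log and FILESTREAM file sits on a fully encrypted, protected volume.'
}
```

A volume can report FullyEncrypted with protection Off (for example after a suspend), which is why both values are checked. The key protector types in the output tell you what unlocks the volume: a TPM-only protector unlocks automatically at boot, so it defends against a removed disk but not against someone who can boot and log on to the server. If your data directories are volume mount points under a drive letter rather than lettered drives, GetPathRoot returns the parent drive; pass the mount folder to Get-BitLockerVolume instead. Backups written to another location need the same check there.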