BDS supports back-end encryption for files that are stored in the file system. BDS uses Advanced Encryption Standard (AES), a symmetric key encryption algorithm that is the current NIST-approved encryption algorithm, to encrypt files. Encryption is an optional module and can be enabled or disabled using a command line utility. Key management is also performed using the command line utility.
Encryption and Decryption
When you enable encryption, files that are uploaded and saved in packages are encrypted automatically. When an encrypted file is downloaded, BDS automatically decrypts the file and sends the unencrypted file to the requester.
Keys and Key Management
AES is a symmetric encryption algorithm that uses secret keys to perform the encryption. Managing these keys is an important aspect of encryption, and includes tasks such as key generation, selection, storage, and backup.
The secret keys used to encrypt files are also stored on the file system in an encrypted format. BDS internally manages the encryption of the secret keys. The encrypted keys are stored by default in the <BDS HOME>/kr directory. This location can be changed using the utility.
When you enable encryption for the first time, a secret key is generated. The generated key will be selected as the default secret key for BDS. You can generate additional keys later, and change the default key to one of the newly generated keys. Additional key management features, such as removing keys, can be found in the utility’s Advanced Options.
Encryption Utility
The encryption utility is a command line tool that is accessible only to BDS users with the Administrator role. The utility is available in the <BDS HOME>/tools directory, and can be started by running enctool.bat on Windows, and enctool.sh on Linux.
Note: Before starting the encryption utility, all BDS components should be shut down.
C:\BDS\tools>enctool.bat
NOTE: All BDS components must be shut down before using this tool. Please verify that all BDS components have been shut down. Then enter C to continue or X to exit.
Continue/exit (C/X)? C
Username: admin1
Password: ******
If sign in succeeds, the user will see the current encryption setting and the main menu:
Encryption is not enabled.
Main menu:
1. Enable/Disable encryption
2. Encrypt file system
3. Decrypt file system
4. List keys
5. Create a new key
6. Change key storage location
7. Change the default key
8. Advanced options
9. Exit
Option:
Enable/Disable encryption
This menu item will be Enable encryption if the current system is not encrypted. If the system is already encrypted, then the menu will be Disable encryption.
If encryption is enabled, all files uploaded from that point forward will be encrypted. Existing files stored in unencrypted form will not be encrypted automatically. If encryption is disabled, all files uploaded from that point forward will not be encrypted. Existing files that are encrypted will not be automatically decrypted. Because this option can be toggled at any time, some files in the system may be encrypted while others are not. The system handles both encrypted and unencrypted files automatically, and no input or maintenance is needed from an administrator.
Encrypt file system
If encryption is enabled, then selecting this option will encrypt all unencrypted files in the file system. This is a potentially lengthy operation, and time considerations should be factored in before selecting this option.
Example:
Are you sure you want to encrypt all unencrypted files (Y/N)? Y
Processing file 386 of 4828 (8% complete); Time remaining: 1 hr 29 min
When all files have been processed, the following should be displayed:
Encrypted 4828 files. Total time: 1 hr 20 min.
Press any key to continue...
Decrypt file system
Decrypting the entire file system will decrypt all encrypted files in the file system. Like the encryption option, this is potentially a lengthy operation and should be considered before proceeding.
Example:
Are you sure you want to decrypt all encrypted files (Y/N)? Y
Processing file 3476 of 4828 (72% complete). Time remaining: 23 min
When all files have been processed, the following should be displayed:
Decrypted 4828 files. Total time: 41 min.
Press any key to continue...
Listing keys
This option lists all existing keys used in the system. The current key used for encryption will be highlighted.
Example:
1. k1 07/04/07
2. k25 12/26/07
3. k1003 01/01/08 default
Press any key to continue...
Creating a new key
This option is used to add a key to the system. Keys are generated automatically by the system and no input is required from the user.
Example:
Press any key to continue...
Changing key storage location
The default storage location is <BDS_HOME>/kr. Use this option to change the location.
Example:
Current directory for keys: C:\BDS
Are you sure you want to change the directory (Y/N)? Y
Please enter new directory: D:\SecretKeyLoc
Directory for storing keys updated successfully.
Press any key to continue...
Changing the default key
To change the default key used to encrypt files, select the key from the list of keys. When the default key is changed, all files moving forward will be encrypted using the new default key. Existing files will not be re-encrypted. To change all existing files to use the new default encryption key, set the default key here, and then encrypt the entire file system using the Advanced Options menu (see below).
Example:
List of keys:
1. k1 07/04/07
2. k120234 12/26/07
3. k1230 01/01/08 default
Are you sure you want to change the default key (Y/N)? Y
Please enter the number of the key you want to select as default: 2
Default key changed to k120234 successfully.
Press any key to continue...
Advanced options: encrypt full file system
The encryption option in Advanced Options provides the ability to change the encryption of all files, including existing files encrypted using different keys. (The standard encryption option, described above, only encrypts unencrypted files, and leaves encrypted files alone.)
Example:
Processing file 3882 of 32357 (12% complete); Time remaining: 9 hr 20 min
When all files have been processed, the following should be displayed:
Encrypted 32357 files. Total time: 10 hr 29 min.
Press any key to continue...
Advanced options: remove a key
Removing keys from the system requires all files encrypted using the key to be decrypted first. If encryption is currently set to “enabled,” the files must also be re-encrypted using the default encryption key. Once all files have been decrypted, the selected key is removed from the system.
Example:
List of keys:
1. k120234 12/26/07
3. k1230 01/01/08 default
Are you sure you want to remove a key (Y/N)? Y
Please enter the number of the key you want to remove: 1
Are you sure you want to remove key k120234 (Y/N)? Y
Processing file 3781 of 8795 (43% complete) encrypted using key k120234; Time remaining: 2 hr 23 min
When all files have been processed, the following should be displayed:
Processed all files encrypted using key k120234. Key k120234 has been removed.
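The following Python model is an added example, not BDS code and not part of the original documentation. It walks through the key semantics described above: which files stay under an old key after the default key changes, what the standard and Advanced encrypt options each touch, and what removing a key does to the files that depend on it. The Store class, its method names, the file names, and the idea of tracking one key name per file are assumptions made for illustration; how BDS records this internally is not documented here.

```python
from collections import Counter

class Store:
    # Constructed model: each file maps to a key name, or None if unencrypted.
    def __init__(self):
        self.enabled, self.default = False, None
        self.keys, self.files = [], {}

    def create_key(self, name):
        self.keys.append(name)
        self.default = self.default or name   # first key becomes the default

    def upload(self, name):
        # Uploads follow the toggle and default key in force at upload time.
        self.files[name] = self.default if self.enabled else None

    def usage(self):
        return dict(Counter(self.files.values()))   # files per key

    def _move(self, wanted, target):
        hits = [f for f, k in self.files.items() if wanted(k)]
        self.files.update(dict.fromkeys(hits, target))
        return len(hits)

    def encrypt_file_system(self):
        # Standard option: only unencrypted files, and only when enabled.
        return self._move(lambda k: k is None, self.default) if self.enabled else 0

    def encrypt_full_file_system(self):
        # Advanced option (assumed to need encryption enabled): all to default.
        return self._move(lambda k: k != self.default, self.default) if self.enabled else 0

    def remove_key(self, name):
        if name == self.default:   # assumption: the default key cannot be removed
            raise ValueError("select another default key first")
        # Files under the key are decrypted, or re-encrypted under the default.
        self.keys.remove(name)
        return self._move(lambda k: k == name, self.default if self.enabled else None)

def rotation_walkthrough():
    s = Store()
    s.upload("legacy.doc")                 # stored before encryption was enabled
    s.create_key("k1"); s.enabled = True   # first enable generates key k1
    s.upload("a.pdf"); s.upload("b.pdf")   # encrypted under k1
    s.create_key("k2"); s.default = "k2"   # default key changed to k2
    s.upload("c.pdf")
    stages = [s.usage()]
    s.encrypt_file_system(); stages.append(s.usage())        # legacy.doc only
    s.encrypt_full_file_system(); stages.append(s.usage())   # a.pdf, b.pdf too
    return stages
```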