This encryption key management solution provides data protection and encryption key custody:
- Encryption functions available as a Web service or in a desktop application
- Centralized custody of encryption keys with role-based access control
- Parameterization of encryption algorithms and policy-based data classification
- Centralized auditing of key and data accesses
- Centralized key management
Data encryption is becoming increasingly important owing to the new regulations and the externalization of data centers. TrustedX supports centrally managing all the encryption keys, which safeguards against losing data owing to the unavailability of the encryption keys.
- Encryption policy management
Our solution allows centrally determining, at all times, the cryptographic parameters suitable for the encryption and decryption policies defined according to, for example, the type of information, roles or applications.
- Centralized control and auditing
Centralized management of the data protection policies and the auditing and control system. Data accesses and data protection mechanisms are audited, which allows reacting quickly to security problems and preparing auditing reports.
- Service-oriented integration
The encryption and key custody mechanisms are integrated in the corporate information systems as services. TrustedX is designed for service-oriented architectures (SOA) and is accessible via the SOAP/WS and REST/WS protocols.
- Integration with the user's desktop
TrustedX's data protection services can be used via Safelayer's KeyOne Desktop application. Encrypting documents located in the user's desktop is transparently integrated into the platform's data protection system.
When information is encrypted using TrustedX's custody or encryption services, the groups of recipients to receive the data are specified (by selecting access policies) and, optionally, the type of data protected is specified. The data encryption algorithms can be symmetric or a combination of symmetric and asymmetric.
The following options are supported:
- (i) Encryption without key custody. Data is encrypted and decrypted by applying the encryption policies defined in TrustedX (and for one or more recipients). The encrypted documents can be decrypted by the owners of the digital certificates used in the encryption.
- (ii) Encryption with key custody. This mode extends the data encryption service with symmetric key custody. To decrypt data, the encryption key protected by TrustedX is required. Requesters need to authenticate in the platform to obtain the keys associated with their roles.
Options (i) and (ii) can be invoked from an application using the interfaces provided by the TrustedX platform (SOAP/WS, REST/WS) or by a Java API. Option (ii) can also be integrated in the desktop application, Safelayer KeyOne Desktop.
The following figure illustrates how the applications interact with the encryption and key custody services of the TrustedX platform.
Depending on the operation required (encrypt data or store keys), the applications interact with the TrustedX encryption and decryption or key custody service.
The key custody service uses a secure keystore based on a cryptographically protected database (database for keys in custody). This keystore is protected by a master encryption key managed by a NIST FIPS 140-2 level 3 HSM.
As illustrated in the figure, the TrustedX authorization and authentication service (AuthN and AuthZ) controls the access to all the services.
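The custody model described above (data keys kept only under a master key, released by role, every request audited), as an added Go sketch that is not TrustedX code or its API. `Custody`, `NewCustody`, `Store` and `Release` are hypothetical names, and the master key is held in memory in place of the HSM. Binding the key ID and role into the wrapped key as associated data is this example's own design choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Custody is a hypothetical keystore; hsm stands in for the HSM-held master key.
type Custody struct {
	hsm     cipher.AEAD       // AES-256-GCM under the master key
	wrapped map[string][]byte // key ID -> nonce || sealed data key
	role    map[string]string // key ID -> role allowed to obtain the key
	Audit   []string          // one entry per release request
}

// NewCustody builds the keystore from a 256-bit master key.
func NewCustody(master [32]byte) *Custody {
	blk, _ := aes.NewCipher(master[:]) // cannot fail: length is fixed by the type
	g, _ := cipher.NewGCM(blk)         // cannot fail for an AES block
	return &Custody{hsm: g, wrapped: map[string][]byte{}, role: map[string]string{}}
}

// Store seals a data key for one role; ID and role are bound in as associated data.
func (c *Custody) Store(id, role string, dataKey []byte) {
	n := make([]byte, c.hsm.NonceSize())
	rand.Read(n)
	c.wrapped[id], c.role[id] = c.hsm.Seal(n, n, dataKey, []byte(id+"\x00"+role)), role
}

// Release returns the data key only to the permitted role and audits every request.
func (c *Custody) Release(id, user, role string) ([]byte, error) {
	w, n := c.wrapped[id], c.hsm.NonceSize()
	if len(w) >= n && c.role[id] == role {
		if dk, err := c.hsm.Open(nil, w[:n], w[n:], []byte(id+"\x00"+role)); err == nil {
			c.Audit = append(c.Audit, "ALLOW "+user+" "+id)
			return dk, nil
		}
	}
	c.Audit = append(c.Audit, "DENY "+user+" "+id)
	return nil, errors.New("access denied")
}

func main() {
	c := NewCustody([32]byte{}) // constructed all-zero master key, demo only
	c.Store("doc-1", "finance", []byte("constructed-32-byte-data-key-000"))
	_, err := c.Release("doc-1", "bob", "intern") // wrong role
	println(err.Error(), c.Audit[0])
}
```

Because the role is authenticated together with the wrapped key, editing the policy table alone does not release a key: the unwrap fails and the request is logged as denied.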