Enabling native encryption
Content Manager OnDemand native encryption encrypts your data on physical storage, requires no hardware, software, or application changes, and provides transparent and secure key management.
Encryption is the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process. It is an effective way of protecting sensitive information that is stored on media or transmitted through untrusted communication channels. Encryption is mandatory for compliance with many government regulations and industry standards.
In an encryption scheme, the data requiring protection is transformed into an unreadable form by applying a cryptographic algorithm and an encryption key. A cryptographic algorithm is a mathematical function that is used in encryption and decryption processes. An encryption key is a sequence that controls the operation of a cryptographic algorithm and enables the reliable encryption and decryption of data.
Some data encryption solutions for protecting data at rest are suitable in cases of physical theft of disk devices, and some can protect against privileged user abuse. With Content Manager OnDemand native encryption, the system itself encrypts the data before it calls the underlying storage manager to write that data to media. Content Manager OnDemand native encryption is suitable for protecting data in cases of either physical theft of disk devices or privileged user abuse.
A local or external key manager is typically used to manage the keys. A Content Manager OnDemand data encryption key (DEK) is the encryption key with which actual user data is encrypted. A master key (MK) is a "key encrypting key"; it is used to protect the DEK. Although the DEK is stored and managed inside the Content Manager OnDemand instance database, the MK is stored and managed outside of the Content Manager OnDemand instance database.
Encrypted master keys are stored in a PKCS#12-compliant keystore, which is a storage object for encryption keys that exists at the operating system level. The keystore is needed only on the Content Manager OnDemand library server; it is not needed on object servers.
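The two-level key hierarchy described above (user data encrypted under a DEK, the DEK stored inside the instance database only in wrapped form under an MK that lives outside the database in the keystore) can be modelled in a few lines. The following Go program is an added illustration, not Content Manager OnDemand code: it assumes AES-256-GCM for both wrapping and data encryption, a plain map standing in for the PKCS#12 keystore and a small struct standing in for the instance database, and it shows why a copy of the database alone yields neither the DEK nor the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keystore stands in for the OS-level PKCS#12 keystore keeping the master key (MK) outside the
// instance database; InstanceDB stands in for the database, holding the DEK only wrapped under the MK.
type Keystore map[string][]byte
type InstanceDB struct{ WrappedDEK, Data []byte }
// must panics only where nothing sensible remains (no entropy source, or a key-length bug).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// seal: AES-256-GCM with a random 12-byte nonce prepended; open reverses it and fails on a missing or wrong key or altered data.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(key) != 32 || len(sealed) < 12 { // a missing key is rejected before NewCipher is reached
		return nil, errors.New("key unavailable or ciphertext too short")
	}
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, sealed[:12], sealed[12:], nil)
}
// Provision creates the MK (kept only in the keystore) and a DEK the database holds only wrapped under the MK.
func Provision(ks Keystore, data []byte) *InstanceDB {
	mk, dek := randBytes(32), randBytes(32)
	ks["mk"] = mk
	return &InstanceDB{WrappedDEK: seal(mk, dek), Data: seal(dek, data)}
}
// Read unwraps the DEK with the MK from the keystore, then decrypts; a database copy without the keystore stops at step one.
func Read(ks Keystore, db *InstanceDB) ([]byte, error) {
	dek, err := open(ks["mk"], db.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, db.Data)
}
```

The authenticated mode also means a modified wrapped DEK or data blob is rejected rather than silently decrypted to garbage.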