Content encryption

Content encryption helps to protect the confidentiality of content that you add to a storage area in case the content is accessed outside of FileNet® P8. This encryption pertains only to the storage of content in the storage area: when Content Platform Engine retrieves content and passes it to a client in response to a client request, the content is automatically decrypted.

Content Platform Engine encrypts and decrypts content using AES in Counter mode, a Federal Information Processing Standard (FIPS) 140-compliant algorithm, with a 128-bit key or a 256-bit key. A new key is generated whenever you enable encryption for the storage area. For example, when you first enable encryption, one encryption key exists, and that key is used to encrypt new content. If you re-enable encryption, two encryption keys now exist, and the most recent key is used to encrypt new content. If you re-enable encryption again, three encryption keys now exist, and so on. The storage area encryption keys are stored in a secure form in the object store database.

As an alternative to AES for content encryption, you can configure the SM4 cipher for FileNet content encryption. You must provide a version of the bouncycastle.jar for use by the Content Platform Engine services. For the versions from bouncycastle.org that IBM recommends for FileNet, see the IBM Software Product Compatibility Reports for FileNet Content Manager. To enable SM4 encryption, see the related task Encrypting content.

You incur two performance penalties with content encryption. The first penalty occurs when you upload content to a storage area, because more processing time is required to encrypt the content. The second penalty occurs when you retrieve content, because more processing time is required to decrypt it. For content that has been encrypted, this second penalty occurs regardless of the current encryption setting on the storage area. The size of these performance penalties is proportional to the length of the content that is uploaded or retrieved, and varies with the speed of your server processor (a faster processor incurs less cost).

There are no additional storage requirements that are associated with content encryption. An encrypted document uses the same amount of disk space as an unencrypted document.

Restriction: The Content Platform Engine administration console and other Content Platform Engine clients can freely write unencrypted content to the file system after requesting and receiving decrypted content from Content Platform Engine. For Content Platform Engine, however, the following rule applies: for an encryption-enabled storage area, no storage area content is written to the file system in an unencrypted form. This rule is subject to the following exceptions:
Existing content is not encrypted or reencrypted. Enabling encryption causes only the new content added to the storage area to be encrypted. No existing unencrypted content is encrypted, and no previously encrypted content is reencrypted with the newly generated encryption key.
When replicated, content is not encrypted. When replicating content to Image Services or some other external repository, Content Platform Engine passes unencrypted content to the repository. The external repository might store the content in an unencrypted form.
When passed for indexing, content is not encrypted. For indexing purposes, Content Platform Engine passes unencrypted content to IBM® Content Search Services. The content is passed in a file. IBM Content Search Services deletes the file after processing it.
Important: The retrieval of encrypted content relies upon information that is stored in the object store database. If that information is lost, the content is effectively lost also. To avoid such problems, regularly back up the object store database.

Moving content to force encryption or decryption

You can use a custom program to move content from one storage area to another. Moving content is functionally equivalent to adding content to the destination storage area. Consequently, based on the current encryption setting for the destination storage area, you can move content for the following purposes:
Encryption: You might want to encrypt the existing unencrypted content.
Reencryption: You might want to reencrypt the existing encrypted content if, for example, the security of an encryption key has been compromised.
Decryption: You might want to decrypt content if, for example, you no longer want to incur the performance penalty that is connected with retrieving encrypted content.
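The key-versioning behaviour described above (a new key each time encryption is enabled, the newest key for new content, older content decrypted with the key it was written under, and retrieval failing once the stored key information is gone), as an added Go model that is not IBM's code: StorageArea, StoredContent and the fixed 256-bit key size are assumptions of this example. Moving content between areas, as described in the previous section, is Retrieve on the source followed by AddContent on the destination.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type StorageArea struct{ Keys [][]byte } // assumed model: every key ever generated for this area
type StoredContent struct {
	KeyVersion  int    // index into StorageArea.Keys of the key this object was written with
	Nonce, Data []byte // CTR nonce and ciphertext; the ciphertext is exactly as long as the plaintext
}
// crypt runs AES-CTR under key version ver; in CTR mode the same call encrypts and decrypts.
func (s *StorageArea) crypt(ver int, nonce, in []byte) ([]byte, error) {
	if ver < 0 || ver >= len(s.Keys) {
		return nil, errors.New("key version not in key store: content cannot be recovered")
	}
	out := make([]byte, len(in))
	block, err := aes.NewCipher(s.Keys[ver])
	if err == nil {
		cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	}
	return out, err
}
// EnableEncryption generates a fresh 256-bit key on every call; earlier keys stay for older content.
func (s *StorageArea) EnableEncryption() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.Keys = append(s.Keys, k)
	return nil
}
// AddContent encrypts new content with the most recent key; content stored earlier is not touched.
func (s *StorageArea) AddContent(plain []byte) (StoredContent, error) {
	nonce := make([]byte, aes.BlockSize) // fresh random nonce per content object
	if _, err := rand.Read(nonce); err != nil {
		return StoredContent{}, err
	}
	ver := len(s.Keys) - 1
	data, err := s.crypt(ver, nonce, plain)
	return StoredContent{KeyVersion: ver, Nonce: nonce, Data: data}, err
}
// Retrieve decrypts with the key version recorded for the content, not with the newest key.
func (s *StorageArea) Retrieve(c StoredContent) ([]byte, error) {
	return s.crypt(c.KeyVersion, c.Nonce, c.Data)
}
```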