You are here

SkyVault 2.0 » Administering » Setting up content stores » Content store types » Encrypted content store

Content encryption overview

Use this information to understand SkyVault's implementation of content encryption using the Encrypted content store.
Important: Once you make the decision to use Encrypted content store for content encryption, it is irrevocable. This is because when a document is written to this content store, it is encrypted. If you decide to revert to an unencrypted content store, the content cannot be decrypted.
Important: If Encrypted content store is enabled on an existing or upgraded SkyVault installation, only new content will be encrypted but any existing content will not be encrypted.
SkyVault cryptography process

The Encrypted content store provides content encryption at rest capability. This is done by scrambling plain text into cipher text (encryption) and then back again (decryption) with the help of symmetric and asymmetric keys.

When a document is written to the Encrypted content store, the Encrypted content store uses symmetric encryption to encrypt the document before it is written to the wrapped content store. A new symmetric key is generated each time a document is written to the content store. This means that every document in the system is encrypted with a different symmetric key. Further more, asymmetric encryption (such as RSA) is used to encrypt/decrypt those symmetric encryption/decryption keys. The asymmetric encryption uses a master key which is selected from a set of configured master keys.

SkyVault uses a set of master keys, which are:
  • selected in a random fashion
  • stored in a password-protected keystore
  • can be retired, in the event of key theft or as part of a standard key retirement process. For more information, see Encryption-related JMX operations.
The repository knows which master key was used to encrypt a given symmetric key so that when a user reads a particular document, the repository can decrypt the symmetric key (using that master key) and then use the decrypted symmetric key to decrypt the document content.
Important: SkyVault does not store the master key you provide. Instead, we access it from the keystore. If SkyVault cannot access that key, it cannot decrypt the content. So, make sure you maintain the master key and SkyVault has access to it. Otherwise, you will not be able to read the content.

The following diagram shows the implementation of content encryption using the Encrypted content store over the default SkyVault content store.

Parent topic: Encrypted content store

© 2017 TBS-LLC. All Rights Reserved.