Customer-managed encryption keys overview
Connected keeps the files that it backs up secure while they are in motion as well as at rest. Using escrowed encryption keys by default, Agents encrypt files on user devices, and then transmit them over SSL to Connected for storage. Files remain encrypted while stored outside of your company's environment except when viewed by users (a feature available only with escrowed encryption keys).
The use of escrowed encryption keys provides ample security for many customers. However, if you require enhanced data security, Connected also supports a customer-managed encryption key option. When using this option, you maintain full control over the encryption keys that protect your company's data—Connected never has access to them. It creates, encrypts, and decrypts keys in memory and never stores or caches them. As a result, only those within your company can ever access your valuable corporate data.
When deciding whether to manage your own encryption keys, here are a few points to consider:
- The following hardware and software components are required in your environment:
  - A tamper-resistant hardware security module (HSM) compliant with Key Management Interoperability Protocol (KMIP)
    Currently, Connected supports OpenText Enterprise Secure Key Manager (ESKM), a complete key management solution for generating, storing, serving, controlling and auditing access to data encryption keys in a secure server appliance. You must install and configure this device in your own environment before you begin to use Connected.
  - OpenText Connected Key Management Server (CMX-KMS) software
    This software services Connected requests for encrypted and decrypted copies of encryption keys. You can download the CMX-KMS software package, which includes documentation, from the Downloads page of the Connected web application. For more information, see Download Connected Key Management Server (CMX-KMS) software.
  - A load balancer (optional, but recommended)
    CMX-KMS supports both single- and multi-node deployments. However, OpenText recommends that you deploy this software in a distributed multi-node environment, serviced by a load balancer, such as HAProxy.
    Using a multi-node environment improves CMX-KMS performance and reliability by distributing Connected requests across multiple nodes. In contrast, if the node in a single-node deployment becomes inaccessible, Connected stops protecting user data and all data currently stored in Connected becomes inaccessible until access to the node is restored.
- Only a subset of Connected features are supported.
  Connected does not have access to your encryption keys so it cannot decrypt data on its servers. As a result, not all product features are available when managing your own encryption keys. Currently, only data backup and restore are supported when managing your own keys. The following list identifies the product features available when managing your own encryption keys:
  - Backup: Yes
  Actions on backed up data:
  - Print: No.
  - Search: Yes.
  - View: No.
    To view the contents of a specific file stored in Connected, download the file and view it locally.
  - Restore: Yes, including data restoration by data administrators on behalf of users.
  - Sync: No.
  - Share: No.
  - Collaboration: No.
  - Device migration: Yes, including migration performed by data administrators on behalf of users.
  - Data retention: Yes; works the same way regardless of whether you manage your own keys.
- Connected cannot convert your currently protected data from encryption with its own keys to those managed by you, or vice-versa.
  Switching the type of encryption keys in use requires a new Connected corporate account and the recreation of all users, groups, and policies. In addition, Connected must store all user data again because it requires encryption with the new keys.
For more information about the support of customer-managed encryption keys, see Types of customer-specific encryption keys.