Encrypting Document Files

In addition to applying SSL transport encryption to all of your data, you can also encrypt document files in order to store them on non-secured storage media and transfer them.

Document files are encrypted using the Microsoft Crypto API, which is part of the Windows operating system, together with the 'AES-256' encryption method.

The 'RC2' encryption process was used up to version 7.50. If document files are edited, they are encrypted using the 'AES 256' method. Document files can be subsequently encrypted using 'AES 256' encryption using the 'Object encryption' action.

Both enaio® client and enaio® server provide a document file encryption function. Both encryption methods can be used together or separately and use their own symmetric keys that are part of the program code.

enaio® client encrypts all document files that it sends to enaio® server with the client key and decrypts all document files that it receives from the server. All document files are decrypted before they are saved to the client cache.

Before saving them, enaio® server uses the server key to encrypt document files transferred by enaio® client. If a client requests a document, enaio® server decrypts the document file using the server key before transferred it.

Use the 'Object encryption' automatic action to subsequently encrypt or decrypt existing documents.

Client Encryption

enaio® client uses the client key to encrypt all document files that have the property 'Encrypted filing' in their document type before transferring them to enaio® server.

To enable encryption, the 'KRY' license key is additionally required at the workstation. If no license is available, enaio® client cannot decrypt document files and will not encrypt files before transferring them to enaio® server.

Client encryption is managed using the Encrypted filing property in enaio® editor.

Server Encryption

enaio® server encrypts all document files with the server key before saving them in the WORK area, regardless of whether the Encrypted filing property is set. Server encryption is separate from client encryption. Document files that have been encrypted by enaio® client will additionally be encrypted with the server key.

When document files are transferred from enaio® server to enaio® client, the server first decrypts them before transferring them.

Server-side encryption is set up in enaio® enterprise-manager in the Server properties > Category: General area.

Double-click the Encrypted data area parameter to open a dialog where you can enable or disable encryption.

The 'SKR' license key is required for server-side encryption. If enaio® server was licensed with a test license, server encryption is not available.

enaio® client can create a full-text index for document files that have not been encrypted by enaio® server. Unencrypted files are then sent by enaio® server to the indexing component. The unencrypted file is deleted immediately after it is processed.

In order to perform full-text indexing of black-and-white as well as color images using the OCR component, specify a path by saving the unencrypted files for the indexing component. The path is specified as the value of the OCR decryption directory parameter.

For the subsequent encryption and decryption of document files, you can use the 'Object encryption' automatic action.

'Object Encryption' Action

The 'Object encryption' automatic action can be used to encrypt or decrypt documents of a particular type. The action uses the client key for encryption or decryption. If server encryption is activated, the server encrypts all documents called by the action before saving them. If server encryption is deactivated, the server saves all documents called by the action without server encryption.

To use this action, add the axaccrypt.dll library (see ''Additions' Tab').

To set up the automatic action (see 'Setting Up Automatic Actions'), enter a configuration name and choose a query file in the configuration dialog.

The query file is used to specify which documents will be encrypted or decrypted using the client key.

The 'Encrypted filing' property of the document type is modified with enaio® editor to specify whether the documents will be encrypted or decrypted; it is specified for the server encryption using the Encrypted data area property in enaio® enterprise-manager.

You can start the action manually or schedule a time at which enaio® start will launch it automatically (see 'enaio® start').

You can create the query file with any text editor. It has the following structure:

[QUERY]	The file begins with the 'query' section.
CABINET=cabinet name	Enter the name of the cabinet that the documents originate from in the first line.
DOCUMENT=document type name	The document type of the documents is then shown in the second line.
CLAUSE1=object@field=value... CLAUSEn=object@field=value	Optional clauses allow you to limit the selection to those documents that fulfill these conditions. Clauses must be numbered consecutively.

Use internal names and enclose the name in percent signs.

Clauses

Optional clauses allow you to limit the selection to those documents that are indexed with the entered value in the specified field.

Example:

Clause1=Customer@Status=completed

Only documents of the specified document type that are indexed with the 'completed' value in the 'Status' field of the 'Customer' archive object type index data (e.g., a folder) are encrypted or decrypted.