Best practices for managing private keys

The effectiveness of fusion stream encryption relies on an external public key infrastructure to manage the private keys. The entire security of the system is based on the fact that the private keys remain secret. Hence, the transfer and handling of the private keys must be done in a secure manner.

Safeguarding the private keys

The safest way to handle a public-private key pair is to generate the encryption certificates directly on the client machine, then assign this certificate (only the public key part) to the Archiver responsible for performing the encryption. This way, you reduce the attack surface by ensuring that the private key never leaves the client machine where it is used.

If you want to use the same private key on multiple client machines, make sure you distribute it in a secure way. Use a strong password to encrypt the private key while in transit. To learn how to do this, see Import or export certificates and private keys.

After all copies of the private key are installed on the client machines, you can safely delete the temporary files that were used to distribute the private key.

BEST PRACTICE: If your company uses Active Directory Domain Services (ADDS), it is recommended to use the Credential Roaming mechanism, where private keys are associated with user group profiles instead of specific machines.

Preventing private key disclosure

You might worry about users exporting the private keys from their client machines. To reduce this risk, you can follow any of these defense-in-depth best practices.
  • Mark private keys as non-exportable:
    To prevent private keys from being extracted from Windows client machines, you can mark private keys as non-exportable.

    You set the non-exportable flag when you import a certificate.

    This is how:
    1. Create a certificate and export the public and private keys in PFX format. Use a strong password to encrypt the private key.
    2. Import only the public key for the Archiver servers.
    3. Import the private key for each individual machine, and set the private key as non-exportable.
      certutil -importPFX [PFXfile] NoExport
    4. When the private key has been imported for all machines, destroy the original PFX file.
    IMPORTANT: There are third-party applications that do not enforce the non-exportable flag. Because it is possible to export private keys by using these third-party applications, marking private keys as non-exportable is not entirely foolproof.
  • Run the operator account in unprivileged mode:
    You can prevent your Security Desk users from exporting the private keys by installing the certificates in the local computer store instead of the users' personal stores, and by denying them administrator privileges. However, Security Desk still needs access to the private keys. This means that you must launch Security Desk as an administrator and enter the administrator password yourself, on behalf of the Security Desk users.
  • Restrict the use of applications through Windows Group Policy:
    You can prevent the Security Desk users from accessing the private keys by blocking the tools used to manipulate certificates, such as certmgr.msc, through Windows Group Policy.
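
The four-step procedure above (generate the key pair on the client, hand only the public key to the Archiver, import the private key with NoExport on each client, destroy the PFX), shown as an added PowerShell example that is not part of the original documentation. The subject name, file paths, store location and function names are assumptions; the certutil command is the one the procedure gives, and Import-PfxCertificate is noted as the PowerShell equivalent. The script adds the check a practitioner wants before destroying the PFX: a confirmation that the imported key really reports as non-exportable.

```powershell
# Added example (not from the original documentation). Subject name, file
# paths and store locations are placeholders; adjust them to your deployment.

# Step 1, on the client machine that will use the key: generate the key pair
# locally so the private key starts out where it is used. The key is created
# exportable only so the password-protected PFX for other clients can be
# produced here; it is re-imported as non-exportable everywhere else.
function New-ClientEncryptionCertificate {
    param([string]$Subject = 'CN=FusionStream-Client01',
          [string]$OutDir  = 'C:\Temp\fusion-keys',
          [Parameter(Mandatory)][securestring]$PfxPassword)

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $cert = New-SelfSignedCertificate -Subject $Subject -KeyAlgorithm RSA -KeyLength 2048 `
        -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(5)

    # Public key only (.cer): this is the part the Archiver side gets (step 2).
    Export-Certificate -Cert $cert -FilePath "$OutDir\client01-public.cer" | Out-Null
    # Public + private key (.pfx), encrypted with the password, for transit only.
    Export-PfxCertificate -Cert $cert -FilePath "$OutDir\client01.pfx" -Password $PfxPassword | Out-Null
    return $cert.Thumbprint
}

# Step 3, on each client machine that needs the private key: import the PFX
# with the NoExport modifier so Windows refuses later export requests.
function Import-NonExportablePrivateKey {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$PfxPassword)

    # certutil takes the password in clear text; unwrap it only for this call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # -user targets the current user's personal store; omit it to use the
    # local computer store (the unprivileged-operator bullet above).
    certutil -user -p $plain -importPFX $PfxPath NoExport | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
    # PowerShell equivalent: Import-PfxCertificate marks the key non-exportable
    # unless -Exportable is given, so omitting that switch matches NoExport:
    #   Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword -CertStoreLocation Cert:\CurrentUser\My
}

# Check worth running after every import: confirm the store really holds a
# non-exportable key before the PFX is destroyed.
function Test-PrivateKeyNonExportable {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [string]$Store = 'Cert:\CurrentUser\My')

    $cert = Get-Item "$Store\$Thumbprint"
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (the default software KSP): the export policy is on the key handle.
        return ($rsa.Key.ExportPolicy -eq [System.Security.Cryptography.CngExportPolicies]::None)
    }
    # Legacy CSP key: the flag lives in the key container information.
    return (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable)
}

# Step 4, once every client has imported the key: destroy the PFX. Remove-Item
# alone only unlinks the file, so overwrite its contents first (best effort;
# SSD wear levelling and shadow copies can still retain older copies).
function Remove-PfxSecurely {
    param([Parameter(Mandatory)][string]$PfxPath)
    $file = Get-Item $PfxPath
    $junk = New-Object byte[] ([int]$file.Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($junk)
    [System.IO.File]::WriteAllBytes($file.FullName, $junk)
    Remove-Item -Force $file.FullName
}

# Example run. The machine that generated the key pair keeps an exportable
# copy; if it is also a Security Desk client, delete that entry and re-import
# it from the PFX like every other client:
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   $tp = New-ClientEncryptionCertificate -PfxPassword $pw
#   Remove-Item "Cert:\CurrentUser\My\$tp" -DeleteKey
#   Import-NonExportablePrivateKey -PfxPath 'C:\Temp\fusion-keys\client01.pfx' -PfxPassword $pw
#   Test-PrivateKeyNonExportable -Thumbprint $tp    # expected: True
#   Remove-PfxSecurely -PfxPath 'C:\Temp\fusion-keys\client01.pfx'
```

The check is the part the procedure itself does not give you: the non-exportable flag is enforced by the key storage provider, so reading the key's export policy back from the store is the only way to know the import really applied it, and it should return True on every client before the PFX is destroyed. As the IMPORTANT note above says, the flag stops the Windows export paths, not tools that bypass the provider, so the other two bullets still apply.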

Creating a private key backup

If you lose your private keys, you cannot recover your encrypted data. It is recommended that you use a secured backup client machine to create an extra encryption certificate for all of the data that you encrypt. The private key corresponding to this certificate must not be used on any other client machine. The sole purpose of this backup machine is to provide a recovery path in case all private keys used on your client machines are lost.