The effectiveness of fusion stream encryption relies on an external public key
infrastructure to manage the private keys. The entire security of the system is based on the
fact that the private keys remain secret. Hence, the transfer and handling of the private keys
must be done in a secure manner.
Safeguarding the private keys
The safest way to handle a public-private key pair is to generate the encryption certificate directly on the
client machine, then assign that certificate (the public key part only) to the Archiver
responsible for performing the encryption. This reduces the attack surface by
ensuring that the private key never leaves the client machine where it is used.
If you want to use the same private key on multiple client machines, make sure you
distribute it in a secure way. Use a strong password to encrypt the private key while in
transit. To learn how to do this, see Import or export certificates and private keys.
After all copies of the private key are installed on the client machines, you can safely
delete the temporary files that were used to distribute the private key.
BEST PRACTICE: If your company uses Active Directory Domain Services (AD DS), it is
recommended to use the Credential Roaming mechanism, where private keys are associated with
user group profiles instead of specific machines.
Preventing private key disclosure
You might worry about users exporting the private keys from their client machines. To
reduce this risk, you can follow any of these defense-in-depth best practices.
Mark private keys as non-exportable:
To prevent Windows clients from extracting private keys, you can mark private keys
as non-exportable. You set the non-exportable flag when you import a certificate.
This is how:
- Create a certificate and export the public and private keys in PFX format. Use
a strong password to encrypt the private key.
- Import only the public key on the Archiver servers.
- Import the private key on each individual client machine, and set the private key as non-exportable:
  certutil -importPFX [PFXfile] NoExport
- When the private key has been imported on all machines, destroy the original
PFX file.
IMPORTANT: There are third-party applications that do not enforce
the non-exportable flag. Because it is possible to export private keys by using
these third-party applications, marking private keys as non-exportable is not
entirely foolproof.
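The same procedure as a PowerShell script, added here as an example and not taken from the Genetec documentation: the certificate subject, file names and password prompt are placeholders, the script assumes an elevated prompt (the LocalMachine store requires it) and the CNG key storage provider that New-SelfSignedCertificate uses by default, and the final check confirms that the imported key carries no export permission.

```powershell
# Added example, not Genetec's own code. Subject name and file paths are placeholders.

# Step 1 (on the client machine that owns the key): create the encryption certificate and
# export it twice: public key only (.cer) for the Archiver, and public + private key (.pfx)
# protected by a strong password for distribution to the other client machines.
$cert = New-SelfSignedCertificate -Subject "CN=FusionStreamEncryption-Example" `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(5)
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-Certificate    -Cert $cert -FilePath ".\fusion-public.cer" | Out-Null
Export-PfxCertificate -Cert $cert -FilePath ".\fusion-private.pfx" -Password $pfxPassword | Out-Null

# Step 2 (on each Archiver server): only the public key is imported.
Import-Certificate -FilePath ".\fusion-public.cer" -CertStoreLocation "Cert:\LocalMachine\My" | Out-Null

# Step 3 (on each client machine): import the private key as non-exportable.
# The certutil form shown on this page is:
#   certutil -p <password> -importPFX .\fusion-private.pfx NoExport
# Import-PfxCertificate does the same: without -Exportable the key is imported non-exportable.
$imported = Import-PfxCertificate -FilePath ".\fusion-private.pfx" `
    -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPassword

# Check: the key must be present, and its CNG export policy must be None (no export allowed).
$rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($imported)
$policy = $rsa.Key.ExportPolicy
if (-not $imported.HasPrivateKey -or $policy -ne 'None') {
    throw "Private key import check failed (export policy: $policy)"
}

# Step 4: once every client machine has imported the key, destroy the PFX distribution file.
Remove-Item ".\fusion-private.pfx" -Force
```

As the IMPORTANT note above says, the export policy is enforced by the Windows key storage provider, so this check tells you how Windows will treat the key, not what a third-party tool that bypasses the provider could do.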
Run the operator account in unprivileged mode:
You can prevent your Security Desk users from exporting the private keys by installing the
certificates in the local computer store instead of the users' personal stores, and by denying them
administrator privileges. However, Security Desk still needs to have access to the
private keys. This means that you need to run Security Desk as an administrator, and enter
the password for the Security Desk users.
Restrict the use of applications through Windows Group Policy:
You can prevent the Security Desk users from accessing the private keys by blocking the tools used to
manipulate the certificates, such as certmgr.msc, through Windows Group Policy.
Creating a private key backup
If you lose your private keys, you cannot recover your encrypted data. It is recommended
that you use a secured backup client machine to create an extra encryption certificate
for all of the data that you encrypt. The private key corresponding to this certificate must
not be used on any other client machine. The sole purpose of this backup machine is to
give you a recovery path in case all private keys used on your client machines are
lost.