By default all sensitive data held by SigningHub (including user documents and other information) is encrypted using a uniquely generated AES-256 symmetric Data Encryption Key (DEK). When stored this symmetric DEK is protected with a higher-level AES-256 key known as the Key Encryption Key (KEK). In turn the KEK is managed directly inside SigningHub using a secure software process. For an even higher-level of security it is possible to hold the KEK inside a tamper-protected Hardware Security Module (HSM). To achieve this SigningHub relies on its underlying Ascertia ADSS Server component and its associated HSM to provide the required KEK services.
For this create an ADSS Server connector in the SigningHub Admin Connectors area.
Now generate a key with the "Key Encryption Key (KEK)" Purpose in the ADSS Server instance associated inside the ADSS Server connector, see details how. After generating the key, configure it inside the same ADSS Server instance, see details how.
Configure your data security
Click the "Configurations" option from the left menu.
Click the "Data Security" option.
The Data Security screen will appear.
Tick the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box to enable the SigningHub DEK encryption/decryption through the ADSS Server managed KEK. A drop down will appear to select the encryption server.
If you want to use the default security (i.e. based on the SigningHub software managed KEK), keep this check box un-ticked.
Now select an encryption server (i.e. ADSS Server connector). The ADSS Server connectors are managed through the connectors section, seedetails.
Click the "Save" button from the screen bottom.
Click the "Publish Changes" button from the top right corner, to make these configurations take effect.