Configure Data Security

Parent Previous Next

By default all sensitive data held by SigningHub (including user documents and other information) is encrypted using a uniquely generated AES-256 symmetric Data Encryption Key (DEK). When stored this symmetric DEK is protected with a higher-level AES-256 key known as the Key Encryption Key (KEK).  In turn the KEK is managed directly inside SigningHub using a secure software process. 

For an even higher-level of security it is possible to hold the KEK inside a tamper-protected Hardware Security Module (HSM). To achieve this SigningHub relies on its underlying Ascertia ADSS Server component and its associated HSM to provide the required KEK services.

For this create an ADSS Server connector in the SigningHub Admin Connectors area.
Now generate a key with the "Key Encryption Key (KEK)" Purpose in the ADSS Server instance associated inside the ADSS Server connector, see details how. After generating the key, configure it inside the same ADSS Server instance, see details how.


Configure your data security

  1. Click the "Configurations" option from the left menu.
  2. Click the "Data Security" option.
    The Data Security screen will appear.
  3. Tick the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box to enable the SigningHub DEK encryption/decryption through the ADSS Server managed KEK. A drop down will appear to select the encryption server.
    If you want to use the default security (i.e. based on the SigningHub software managed KEK), keep this check box un-ticked.
  4. Now select an encryption server (i.e. ADSS Server connector). The ADSS Server connectors are managed through the connectors section, see details.
  5. Click the "Save" button from the screen bottom.

 

An important point to be considered while configuring Data Security settings, If your Key Encryption Key (KEK) resides on a third party server (e.g. ADSS) then there could be a possibility that the Key Encryption Key (KEK) resulted into a bottleneck due to TLS configurations where the PFX password cannot be decrypted without having KEK.


To avoid such situation, it is recommended to must configure the 'Encryption Server' that is being used to enable Key Encryption Key (KEK) as a non TLS at first in order to get KEK from client server. Once KEK has been retrieved successfully then 'Encryption Server' can be configured over TLS.