By default all sensitive data held by SigningHub (including user documents and other information) is encrypted using a uniquely generated AES-256 symmetric Data Encryption Key (DEK). When stored this symmetric DEK is protected with a higher-level AES-256 key known as the Key Encryption Key (KEK).  In turn the KEK is managed directly inside SigningHub using a secure software process. 

For an even higher-level of security it is possible to hold the KEK inside a tamper-protected Hardware Security Module (HSM). To achieve this SigningHub relies on its underlying Ascertia ADSS Server component and its associated HSM to provide the required KEK services.

For this create an ADSS Server connector in the SigningHub Admin Connectors area.
Now generate a key with the "Key Encryption Key (KEK)" Purpose in the ADSS Server instance associated inside the ADSS Server connector, see details how. After generating the key, configure it inside the same ADSS Server instance, see details how.


Configure your data settings

  1. Click the "Configurations" option from the left menu.
  2. Click the "Data Settings" option.
    The Data Settings screen will appear.
  3. Tick the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box to enable the SigningHub DEK encryption/decryption through the ADSS Server managed KEK. A drop down will appear to select the encryption server.
    If you want to use the default security (i.e. based on the SigningHub software managed KEK), keep this check box un-ticked.
  4. Now select an encryption server (i.e. ADSS Server connector). The ADSS Server connectors are managed through the connectors section, see details.
  5. Tick "Enable Data Archiving" in the Archiving section to specify information to "Archive an Account". A section will appear to add "Archive Directory Path", "Send Notification To" (i.e. email address), "Signer Key" (i.e. PFX) and the "Signer Key Password".



  1. Click the "Save" button from the screen bottom.

An important point to be considered while configuring Data Security settings, If your Key Encryption Key (KEK) resides on a third party server (e.g. ADSS) then there could be a possibility that the Key Encryption Key (KEK) resulted into a bottleneck due to TLS configurations where the PFX password cannot be decrypted without having KEK.


To avoid such situation, it is recommended to must configure the 'Encryption Server' that is being used to enable Key Encryption Key (KEK) as a non TLS at first in order to get KEK from client server. Once KEK has been retrieved successfully then 'Encryption Server' can be configured over TLS.


On making the user account as archival the user data (user profile, user document packages, user document packages evidence report and user document packages log) will be backed up in the path given in the field "Archived Directory Path".


SigningHub requires a Signer Key (pfx) to create signature for protecting the content of ASiC-E container. 


The path given in the field "Archived Directory Path" should be valid. And it should have read/write permissions.


Data Archiving configuration option will only be displayed, if the user has the archiving rights in the license.


See Also