By default all sensitive data held by SigningHub (including user documents and other information) is encrypted using a uniquely generated AES-256 symmetric Data Encryption Key (DEK). When stored this symmetric DEK is protected with a higher-level AES-256 key known as the Key Encryption Key (KEK).  In turn the KEK is managed directly inside SigningHub using a secure software process. 

For an even higher-level of security it is possible to hold the KEK inside a tamper-protected Hardware Security Module (HSM). To achieve this SigningHub relies on its underlying Ascertia ADSS Server component and its associated HSM to provide the required KEK services.

For this create an ADSS Server connector in the SigningHub Admin Connectors area.
Now generate a key with the "Key Encryption Key (KEK)" Purpose in the ADSS Server instance associated inside the ADSS Server connector, see details how. After generating the key, configure it inside the same ADSS Server instance, see details how.


Configure your data settings

  1. Click the "Configurations" option from the left menu.
  2. Click the "Data Settings" option.
    The Data Settings screen will appear.
  3. Tick the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box to enable the SigningHub DEK encryption/decryption through the ADSS Server managed KEK. A drop down will appear to select the encryption server.
    If you want to use the default security (i.e. based on the SigningHub software managed KEK), keep this check box un-ticked.
  4. Now select an encryption server (i.e. ADSS Server connector). The ADSS Server connectors are managed through the connectors section, see details.
  5. Tick "Enable Data Archiving" in the Archiving section to specify information to "Archive an Account". A section will appear to add "Archive Directory Path", "Send Notification To" (i.e. email address), "Signer Key" (i.e. PFX) and the "Signer Key Password".
    The 'Send Notification To,' 'Signer Key (PFX/PKCS#12),' and 'Signer Key Password' fields are not required for document archiving, but are required for data archiving.  


  1. Click the "Save" button from the screen bottom.
  1. An important point to be considered while configuring Data Security settings, If your Key Encryption Key (KEK) resides on a third party server (e.g. ADSS) then there could be a possibility that the Key Encryption Key (KEK) resulted into a bottleneck due to TLS configurations where the PFX password cannot be decrypted without having KEK.
  2. To avoid such situation, it is recommended to must configure the 'Encryption Server' that is being used to enable Key Encryption Key (KEK) as a non TLS in order to get KEK from client server.
  3. If you wish to enable the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box, it is recommended that you configure a non-TLS (HTTP) encryption server. 
  4. On making the user account as archival the user data (user profile, user document packages, user document packages evidence report and user document packages log) will be backed up in the path given in the field "Archived Directory Path".
  5. SigningHub requires a Signer Key (pfx) to create signature for protecting the content of ASiC-E container. 
  6. The path given in the field "Archived Directory Path" should be valid. And it should have read/write permissions.
  7. The "Data Archiving" option will be available only if the "DATA_ARCHIVING" module is enabled in the license.
  8. The archived documents will be archived at the provided directory path. The archived documents will be available with in the "Documents" folder at the directory path. Each archived document package will have an individual folder named as per the document package ID.



See Also