Encryption for Documents, Passwords, and Internal Blogs
LuxSci’s WebAide collaboration tools enable storage and sharing of all sorts of information through LuxSci’s web site, e.g. address books, calendars, tasks, blogs, files, password libraries, links, notes, and more. These tools allow online access from anywhere and fine grained sharing with selected users, or groups of users.
The items that typically contain the most sensitive information are internal Blogs, Document storage, and Password Libraries. These items are, of course, saved in a secured database and backed up, like all other WebAides. However, for these sensitive items, LuxSci has special optional encryption options that provide both enhanced security and finer grained access control.
Per-Entry PGP Encryption
These WebAides support the optional use of PGP encryption on a per-entry basis (it’s not optional for Password Libraries … its required for them).
What does this mean? This is best explained by an example.
- Lets say that we are storing a sensitive Human Resources document in our shared corporate WebAide. It needs to be encrypted at rest and we need to be sure that only a few people can access it … even though the corporate file share is shared with everyone.
- When saving this document to the corporate file share WebAide, we check the “encrypt” checkbox to enable per-entry encryption for it and enter our encryption password.
- When we press “Save”, we then choose exactly who can decrypt the document from a list of available users. We choose just those who “need to know” what it contains.
- The document is encrypted and digitally signed and stored in the corporate file share.
- Everyone with access to that file share can see that it is there, but only the selected “recipient” users can now open it.
How the encryption works
Each user who needs to be able to save encrypted items or open encrypted items individually saved for them needs to have a PGP certificate. These can be created quickly in the LuxSci WebMail interface under “My Profile > Security Certificates“.
When you make your PGP certificate, you enter a password for it. This password is used when making new encrypted entries and when opening entries encrypted for you. It provides a second layer of security beyond your normal LuxSci login.
When an entry is encrypted:
- It is digitally signed using your own PGP certificate. This allows anyone opening the document later to verify exactly (a) who saved it, (b) when, and (c) that it was not modified since then.
- It is encrypted using a new long random password.
- This password is encrypted using the PGP certificates of each of the selected recipients and saved along with the document.
The only way to unlock the encrypted document is to obtain the password used to encrypt it. The only way to get that is to decrypt it using the security certificate and password of one of the recipients. Thus:
- The document is encrypted at rest and in all backups
- Only someone with the PGP certificate of a recipient (which LuxSci stores for them) and their specified password to that certificate (which LuxSci does not store ever, unless they specifically request it*) can unlock that file
- LuxSci staff and developers cannot access these files, even if we had to, without one of the recipients giving us their password.
- There is no way a software glitch could expose the content of these encrypted objects to unauthorized users.
*We do save password to customer security certificates in an encrypted area if the customer specifically requests it. This is to provide a way for the customer to recover these passwords if lost — as there is no way to reset a security certificate password without knowing the original one and if you lose your password, you lose access to everything that requires it.
Group Certificates for Simplified Encryption
LuxSci’s User Groups WebAide allows you to define groups of users for:
The Group Encryption option is of particular note, and we use it constantly at LuxSci. Example:
- You have defined groups of users for your company: Operations, Sales, Support, Development, etc.
- You place all the relevant people in each group
- You have lots and lots of passwords that need to be stored and accessed by / updated by people in the various groups
- Some passwords should be accessible only to certain groups of people
You edit your WebAide User Group (e.g. your “Operations” group) and create a “Group PGP Certificate”. Then, when you save a new password to your shared Password Library, you can choose to have it encrypted for “anyone in the Operations user group”.
- You only have to select the Group and not the individuals
- Adding and removing people to/from the group effectively adds/removes decryption access to the saved password
- Anyone in the Operations group can use the chosen Group PGP Password to decrypt the saved entry
Thus, using User Groups combined with group encryption allows for quick sharing, quick encryption, and simple group management.