Encryption


primedocs can encrypt individual entries such as passwords or ConnectionStrings in configurations as well as the entire offline cache of Windows clients.


Configuration

CAUTION
Once encrypted, items can no longer be used without the corresponding security key. The key is stored in the database.

Sensitive values in primedocs configurations can be stored encrypted. This allows the template administrator to edit the rest of the configuration without seeing those values.

When configuring, make sure that the value in question supports encryption, e.g. the ConnectionString in the SQL Address Provider. In the Global Configurations this is done by clicking the encryption button:

If the configuration is local to a template, the corresponding text must be moved to the Global Configurations, where it can then be encrypted directly:

TIP
The key can be managed in the Admin-Dashboard under Settings → General Settings → SymmetricEncryptionKey. After importing data between different databases, either re-encrypt the data or make sure that both databases are configured with the same key.


Technical details

We use symmetric encryption (AES with a 256-bit key and a 128-bit salt for each encryption). The key is stored in the database. The Windows clients also know the symmetric key for offline operation. In each case it is protected using the Windows Data Protection API (DPAPI), with a 256-bit NONCE as additional entropy. Security in transit is provided by HTTPS.

The WebClient, the Office add-in and the COM add-ins do not receive the key at any time.


Windows clients – Offline cache

The offline cache of the Windows clients can be stored encrypted. This is recommended if the data is not otherwise protected (e.g. by BitLocker). To do this, one of the following registry keys must be created (e.g. via Group Policy); if both are set, the first (policy) key is decisive:

[HKEY_CURRENT_USER\Software\Policies\PrimeSoft AG\PrimeDocs] EncryptCache="true"

or

[HKEY_CURRENT_USER\Software\PrimeSoft AG\PrimeDocs] EncryptCache="true"

If the key is not set, the cache is not encrypted.

NOTE
Enabling or disabling the encryption causes all affected Windows clients to rebuild their offline cache. It is therefore recommended to set the key before installing the primedocs clients, to avoid unnecessary synchronization effort.
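The following PowerShell script is an added example, not part of primedocs or its documentation. It writes the policy-level EncryptCache key described above and reports which of the two keys is currently in effect, using the precedence rule from this page (policy key first, unset means unencrypted). The function names are my own; it assumes EncryptCache is a string value compared case-insensitively, as the page's notation suggests.

```powershell
# Added example (not primedocs code). Registry paths and the value name are taken
# from the documentation; the function names below are assumed/hypothetical.
$PolicyKey = 'HKCU:\Software\Policies\PrimeSoft AG\PrimeDocs'
$UserKey   = 'HKCU:\Software\PrimeSoft AG\PrimeDocs'

function Get-PrimeDocsEncryptCacheSetting {
    # Returns the effective setting: the policy key wins when both exist,
    # and an absent value means the offline cache is stored unencrypted.
    foreach ($path in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $path -Name 'EncryptCache' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source       = $path
                # Assumption: the client treats the string "true" case-insensitively.
                EncryptCache = ($item.EncryptCache -eq 'true')
            }
        }
    }
    return [pscustomobject]@{ Source = '(not set)'; EncryptCache = $false }
}

function Enable-PrimeDocsCacheEncryption {
    # Writes the policy-level key, which takes precedence over the per-user key.
    # Run this before the client is installed so no cache rebuild is triggered.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EncryptCache' -Value 'true' `
        -PropertyType String -Force | Out-Null
}

Enable-PrimeDocsCacheEncryption
Get-PrimeDocsEncryptCacheSetting
```

Run Get-PrimeDocsEncryptCacheSetting on its own on an existing client to audit whether the cache is encrypted and which key is responsible, before changing anything.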


Technical details

The encryption is symmetric (AES with a 256-bit key and a 128-bit salt for each encryption). The key is generated by each client when the cache is created and is protected using the Windows Data Protection API (DPAPI), with a 256-bit NONCE as additional entropy. This means that only the current Windows user on the same computer can decrypt the key and thus the data.

PrimeSoft AG, Bahnhofstrasse 4, 8360 Eschlikon, Switzerland