Encryption
OneOffixx can encrypt individual entries such as passwords or ConnectionStrings in configurations as well as the entire offline cache of Windows clients.
Configuration
Caution
Once encrypted, items can no longer be used without the corresponding security key. The key is stored in the database.
Protected data can be encrypted in OneOffixx configurations. This allows the template administrator to edit the rest of the configuration without seeing this data.
When configuring you have to make sure that the corresponding value is encryptable like e.g. the ConnectionString in the SQL Address Provider. In the Global Configurations this works by clicking on the encryption button:
If the configuration is local on a template, the corresponding text must be swapped out to the Global Configurations. Thereby the text can be encrypted directly:
Tip
The key can be managed in the Admin-Dashboard in Settings → General Settings → SymmetricEncryptionKey. Make sure that you re-encrypt the data after importing data between different databases or make sure that both databases are configured with the same key.
Technical details
We use symmetric encryption (AES with 256-bit key length and 128-bit salt each). The key is stored in the database. The Windows clients also know the symmetric key for offline operation. It is protected in each case using the Windows Data Protection API (DPAPI) (with 256-bit NONCE as additional entropy). Security during transit is provided by HTTPS.
The WebClient, the Office add-in and the COM add-ins do not receive the key at any time.
Windows clients – Offline cache
The offline cache of the Windows clients can be stored encrypted. This is recommended if the data is not otherwise protected (e.g. by BitLocker). To do this, one of the following registry keys must be created (e.g. via Group Policy) – with the first key being the decisive one if both are set:
[HKEY_CURRENT_USER\Software\Policies\Sevitec Informatik AG\OneOffixx]
EncryptCache="true"
or
[HKEY_CURRENT_USER\Software\Sevitec Informatik AG\OneOffixx]
EncryptCache="true"
If the key is not set, the cache is not encrypted.
Note
If the encryption is disabled or enabled, this means that all affected Windows clients will rebuild their offline cache. Therefore it is recommended to set the key before installing the OneOffixx clients to avoid unnecessary synchronization effort.
Technical details
The encryption is a symmetric encryption (AES with 256-bit key length and 128-bit salt each). The key is generated by each client when creating the cache and protected using the Windows Data Protection API (DPAPI) (with 256-bit NONCE as additional entropy). This means that only the current Windows user on the same computer can decrypt the key and thus the data.
Note
Decryption can only be done with known key. If the key can no longer be accessed (e.g. because the corresponding Windows user has been deleted), all data is irrevocably lost. Normally, however, all data is also available on the server and therefore this is not a problem. Note that the encrypted cache can therefore not be moved or copied to other machines/users.