{"id":24210,"date":"2024-02-15T14:53:34","date_gmt":"2024-02-15T22:53:34","guid":{"rendered":"https:\/\/docs.extraview.com\/v25\/book\/encryption-key-management-1\/"},"modified":"2025-02-24T15:49:55","modified_gmt":"2025-02-24T23:49:55","slug":"encryption-key-management-1","status":"publish","type":"page","link":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/","title":{"rendered":"Encryption Key Management"},"content":{"rendered":"<p>ExtraView is a secure application and has been developed to adhere to the strictest standards.\u00a0 Additional security is important and should be deployed by ensuring the environment within which ExtraView resides is secure, using firewalls and encryption of the network traffic with SSL, etc.<\/p>\n<p>It is possible to protect sensitive data within the database using a further level of encryption.\u00a0 This protects your database against unauthorized access, and against unauthorized users using SQL commands to extract data.\u00a0 This encryption is provided for fields with a display type of text and is applied on a field-by-field basis.\u00a0 This can be used, for example, to provide added protection for fields such as social security numbers and bank account numbers.<\/p>\n<p>The method used to encrypt this data is termed AES\/ECB\/PKCS5Padding (128-bit).\u00a0 This is widely recognized as a state-of-the-art algorithm that provides a very high level of protection.<\/p>\n<ul>\n<li class=\"rteindent1\">AES = Advanced Encryption Standard<\/li>\n<li class=\"rteindent1\">ECB = Electronic CodeBook blocking of data<\/li>\n<li class=\"rteindent1\">PKCS5Padding = the type of padding applied to the encrypted value.\u00a0 This causes the same text to produce different encrypted values from one encryption to the next<\/li>\n<\/ul>\n<p>Authorized users will still see data that is encrypted within the database in the normal way.\u00a0 It is assumed that users will be educated on the sensitivity and privacy of data, and 
that the screens and reports they view may contain proprietary data that should not be shared with unauthorized personnel.<\/p>\n<p>To provide the security, secret keys (or passwords) are stored in what is termed a keystore, within ExtraView.\u00a0 You may use a single key for all the fields you protect or use different keys for different fields.\u00a0 The keystore may also be used to store certificates, for example certificates that grant access to SAML authentication servers.<\/p>\n<p><span style=\"color: #b22222;\">These keys must be stored safely\u00a0by the administrator, and <strong>there is no way to ever retrieve a lost key<\/strong>.\u00a0 This is critical to understand and neither the ExtraView application nor ExtraView Corporation personnel can ever retrieve a lost key.\u00a0 It cannot be stressed too much how important it is to have a process to record the keys used, and to keep them safe.<\/span><\/p>\n<p>Further, here are items that should be considered before implementing encrypted fields:<\/p>\n<ul>\n<li>Only text fields that do not have data stored as yet may be encrypted<\/li>\n<li>Once encrypted, you cannot revert a field to being non-encrypted<\/li>\n<li>You cannot use an encrypted field as a filter in a query or report<\/li>\n<li>Encrypted fields cannot be sorted within reports<\/li>\n<\/ul>\n<p>The above limitations may be relaxed within future versions of the product.<\/p>\n<p>There are\u00a03 possibilities of how the secret keys may be used to unlock the data, dependent upon your requirements:<\/p>\n<ol>\n<li>The secret key(s) must be entered manually by the administrator on each and every occasion after starting the application.\u00a0 This is accomplished by the administrator going to the <strong>Encryption Key Management<\/strong> utility and entering the passwords for each of the secret keys<\/li>\n<li>The passwords may be entered into the <code>Configuration.properties <\/code>file which is read by ExtraView upon startup of the 
application.\u00a0 This is more convenient than entering the passwords manually, but not quite as secure.\u00a0 Of course, the filesystem with the <code>Configuration.properties <\/code>(and other) files should be protected<\/li>\n<li>You can encrypt the entries within the <code>Configuration.properties <\/code>file using the technique described in the ENCRYPT_PROPERTIES section of the <a href=\"v25\/configurationproperties-file-1\/\">Installation &amp; Configuration Guide<\/a>.<\/li>\n<\/ol>\n<h3>Setting Up Encryption<\/h3>\n<ol>\n<li>Enter the administrative utility, <strong>Encryption Key Management<\/strong>,\u00a0on the <strong>Advanced <\/strong>administration tab<\/li>\n<li>Carefully read the directions, remembering lost keys can never be retrieved<\/li>\n<li>Click <strong>Add a new encryption key to the keystore<\/strong><\/li>\n<li>Provide a fixed name for the key.\u00a0 This follows the usual naming conventions of all ExtraView names<\/li>\n<li>Enter the secret key password<\/li>\n<li>Re-enter the secret key password<\/li>\n<li>Now, use the <strong>Data Dictionary<\/strong> to add the field whose contents you wish to encrypt.\u00a0 It must have a display type of text, and you must select the option to <strong>Encrypt this Field.<\/strong>\u00a0 Note that encrypted fields may not be used as filters, nor may they be made sortable fields<\/li>\n<li>You will be prompted for the secret key to use for the encryption.\u00a0 Enter the password you entered into the keystore<\/li>\n<li>From this point, the field is configured like all other fields and may be placed on any applicable layout or report.<\/li>\n<\/ol>\n<p>Unused keys may be deleted from the database, and the keys within the keystore may be updated by the administrator after providing the current key.<\/p>\n<h3>Recommendations<\/h3>\n<ul>\n<li>Only encrypt fields that contain sensitive data.\u00a0 There is an overhead to encrypt and decrypt their contents and you do not want to impact performance 
negatively<\/li>\n<li>Only provide multiple secret keys if different administrators each maintain the field contents that are encrypted within each field.\u00a0 You do not want to create an excessive administrative burden<\/li>\n<li><span style=\"color: #b22222;\">Again &#8211; make sure you keep the passwords safe.\u00a0 ExtraView Corporation cannot retrieve lost passwords.\u00a0 This is the essence of security, and there is no &#8220;back door&#8221; to work around this.<\/span><\/li>\n<\/ul>\n<h3 style=\"background-color: transparent; color: #555555; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 16px; font-style: normal; font-variant: normal; font-weight: bold; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;\">Certificate Storage for SAML Authentication<\/h3>\n<p style=\"background-attachment: scroll; background-color: transparent; background-image: none; color: #333333; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; padding: 0px; margin: 12px 0px 12px 0px;\">SAML authentication schemes typically require a certificate in a specific format known as PEM (Privacy Enhanced Mail).\u00a0 The name is somewhat of a misnomer as the certificates for SAML have no connection with email.\u00a0 The format is a Base 64 encoded string of characters which should be pasted into the <strong style=\"background-attachment: scroll; background-image: none; color: #333333; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 12px; padding: 0px; margin: 0px;\">Enter certificate PEM<\/strong> field.\u00a0 If there is no entry in this field, the new entry you create 
for the certificate is added as a secret key only and is not used for SAML authentication.<\/p>\n<p style=\"background-attachment: scroll; background-color: transparent; background-image: none; color: #333333; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; padding: 0px; margin: 12px 0px 12px 0px;\">The entry in the keystore should look like this:<\/p>\n<ul style=\"background-attachment: scroll; background-color: transparent; background-image: none; color: #333333; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; padding: 0px 0px 0px 40px; margin: 12px 0px 12px 0px;\">\n<li style=\"list-style-image: url('http:\/\/docs.stg.extraview.com\/misc\/menu-collapsed.png'); list-style-position: outside; list-style-type: disc; padding: 0px 0px 3px 0px;\">Select\u00a0<strong>Add certificate<\/strong><\/li>\n<li style=\"list-style-image: url('http:\/\/docs.stg.extraview.com\/misc\/menu-collapsed.png'); list-style-position: outside; list-style-type: disc; padding: 0px 0px 3px 0px;\">Name for the entry &#8211; this should be <strong style=\"list-style-image: url('http:\/\/docs.stg.extraview.com\/misc\/menu-collapsed.png'); list-style-position: outside; list-style-type: disc; padding: 0px;\">spkey<\/strong><\/li>\n<li style=\"list-style-image: url('http:\/\/docs.stg.extraview.com\/misc\/menu-collapsed.png'); list-style-position: outside; list-style-type: disc; padding: 0px 0px 3px 0px;\">Certificate PEM &#8211; this is where you paste the certificate.\u00a0 
The certificate must conform to a specific format.\u00a0 The following is an example displaying the necessary format (the certificate value is not real):<\/li>\n<\/ul>\n<p class=\"rteindent1\" style=\"list-style-image: url('http:\/\/docs.stg.extraview.com\/misc\/menu-collapsed.png'); list-style-position: outside; list-style-type: disc; padding: 0px 0px 3px 0px;\"><img decoding=\"async\" style=\"width: 60%;\" src=\"\/v25\/extraview-media\/images\/ag\/encryption\/certificate.png\" alt=\"\" \/><\/p>\n<p style=\"background-attachment: scroll; background-color: transparent; background-image: none; color: #333333; font-family: Arial,Verdana,Helvetica,sans-serif; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px; padding: 0px; margin: 12px 0px 12px 0px;\">The action to save a certificate in this field builds the appropriate credentials for the SAML certificate.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ExtraView is a secure application and has been developed to adhere to the strictest standards.\u00a0 Additional security is important and should be deployed by ensuring the environment within which ExtraView resides is secure, using firewalls and encryption of the network traffic with SSL, etc. 
It is possible to protect sensitive data within the database using&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_lmt_disableupdate":"","_lmt_disable":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"class_list":["post-24210","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Encryption Key Management - Product Documentation<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Encryption Key Management - Product Documentation\" \/>\n<meta property=\"og:description\" content=\"ExtraView is a secure application and has been developed to adhere to the strictest standards.\u00a0 Additional security is important and should be deployed by ensuring the environment within which ExtraView resides is secure, using firewalls and encryption of the network traffic with SSL, etc. 
It is possible to protect sensitive data within the database using...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/\" \/>\n<meta property=\"og:site_name\" content=\"Product Documentation\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-24T23:49:55+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/\",\"url\":\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/\",\"name\":\"Encryption Key Management - Product Documentation\",\"isPartOf\":{\"@id\":\"https:\/\/docs.extraview.com\/v25\/#website\"},\"datePublished\":\"2024-02-15T22:53:34+00:00\",\"dateModified\":\"2025-02-24T23:49:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/docs.extraview.com\/v25\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Encryption Key Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/docs.extraview.com\/v25\/#website\",\"url\":\"https:\/\/docs.extraview.com\/v25\/\",\"name\":\"ExtraView Product Documentation\",\"description\":\"ExtraView 
Documentation\",\"publisher\":{\"@id\":\"https:\/\/docs.extraview.com\/v25\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/docs.extraview.com\/v25\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/docs.extraview.com\/v25\/#organization\",\"name\":\"ExtraView Corporation\",\"url\":\"https:\/\/docs.extraview.com\/v25\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/docs.extraview.com\/v25\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/docs-stg.extraview.com\/wp-content\/uploads\/2024\/03\/favicon.png\",\"contentUrl\":\"https:\/\/docs-stg.extraview.com\/wp-content\/uploads\/2024\/03\/favicon.png\",\"width\":512,\"height\":512,\"caption\":\"ExtraView Corporation\"},\"image\":{\"@id\":\"https:\/\/docs.extraview.com\/v25\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Encryption Key Management - Product Documentation","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/","og_locale":"en_US","og_type":"article","og_title":"Encryption Key Management - Product Documentation","og_description":"ExtraView is a secure application and has been developed to adhere to the strictest standards.\u00a0 Additional security is important and should be deployed by ensuring the environment within which ExtraView resides is secure, using firewalls and encryption of the network traffic with SSL, etc. 
It is possible to protect sensitive data within the database using...","og_url":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/","og_site_name":"Product Documentation","article_modified_time":"2025-02-24T23:49:55+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/","url":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/","name":"Encryption Key Management - Product Documentation","isPartOf":{"@id":"https:\/\/docs.extraview.com\/v25\/#website"},"datePublished":"2024-02-15T22:53:34+00:00","dateModified":"2025-02-24T23:49:55+00:00","breadcrumb":{"@id":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/docs.extraview.com\/v25\/encryption-key-management-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/docs.extraview.com\/v25\/"},{"@type":"ListItem","position":2,"name":"Encryption Key Management"}]},{"@type":"WebSite","@id":"https:\/\/docs.extraview.com\/v25\/#website","url":"https:\/\/docs.extraview.com\/v25\/","name":"ExtraView Product Documentation","description":"ExtraView Documentation","publisher":{"@id":"https:\/\/docs.extraview.com\/v25\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/docs.extraview.com\/v25\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/docs.extraview.com\/v25\/#organization","name":"ExtraView 
Corporation","url":"https:\/\/docs.extraview.com\/v25\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/docs.extraview.com\/v25\/#\/schema\/logo\/image\/","url":"https:\/\/docs-stg.extraview.com\/wp-content\/uploads\/2024\/03\/favicon.png","contentUrl":"https:\/\/docs-stg.extraview.com\/wp-content\/uploads\/2024\/03\/favicon.png","width":512,"height":512,"caption":"ExtraView Corporation"},"image":{"@id":"https:\/\/docs.extraview.com\/v25\/#\/schema\/logo\/image\/"}}]}},"taxonomy_info":[],"featured_image_src_large":false,"author_info":{"display_name":"carl.koppel","author_link":"https:\/\/docs.extraview.com\/v25\/author\/carl-koppel\/"},"comment_info":0,"_links":{"self":[{"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/pages\/24210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/comments?post=24210"}],"version-history":[{"count":0,"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/pages\/24210\/revisions"}],"wp:attachment":[{"href":"https:\/\/docs.extraview.com\/v25\/wp-json\/wp\/v2\/media?parent=24210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}