Encryption Key Management


NetDocuments is more than a document and email management software service: it is also a technology partner that provides our customers with the information security and governance the legal industry requires. Law firms that create and store documents on behalf of their clients must also comply with federally regulated compliance standards. NetDocuments enables law firms to retain regulated clients, such as banks, by meeting the cryptography standards required to store and archive content.

Encryption Key Management (EKM)

Recent high-profile international data privacy and access cases have prompted firms to give increased attention to security, data encryption, and the risks associated with data access if governments, courts, or other regulatory agencies seek access to confidential data. NetDocuments responded to these security risks by developing next-generation key management and encryption technology.

Unique Encryption Key per Object

As a secure cloud-based document management service (DMS), NetDocuments uses the AES-256 standard to encrypt digital files, decrypting them only to index, view, edit, or email objects. The DMS software itself performs the encryption and decryption rather than relying on lower-value methods such as self-encrypting disks or file-system encryption. Encryption by the DMS software conceals all digital files from storage and network administrators, which is not possible with hardware-based encryption.

NetDocuments encrypts each uploaded or created document with its own unique AES-256 Object Encryption Key (OEK). After encryption, the document is placed in the Object Store data storage array, and the OEK is stored separately in a highly secure database within the Service data center. All objects (documents, emails, records, or images) are encrypted in transit (TLS) and at rest.

Each OEK is in turn encrypted by a Master Encryption Key (MEK), adding a second layer of protection. The MEK is held by NetDocuments in a dedicated Hardware Security Module (HSM) with fully restricted access; the HSM's root-of-trust architecture protects the MEK.

Customer-Managed Encryption Keys

OEKs can optionally be encrypted with customer-managed encryption keys (CMEK) as well, held either in a NetDocuments HSM or in a customer-managed HSM. A Hardware Security Module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and performs cryptographic processing.

Encryption Key Management is a paid add-on feature that can be enabled at the repository level. Please contact NetDocuments Sales for more information. The new key management features are available for delivery from September 2017 for customers who have purchased them.

NetDocuments offers next-generation encryption technology with an advanced customer key management option. This security architecture uses up to three separate encryption keys for each data file and allows customer firms and corporations to hold and control the specific encryption keys for sensitive documents or content that fall under regulatory, compliance, or client-mandated data governance policies.

NetDocuments' new key management infrastructure not only gives firms control of the keys for sensitive data but also takes the security and encryption of the entire document management platform to a level beyond what a single firm could provide on its own.

The digitally stored keys are:

  • Object (document) Encryption Key (OEK)
  • Master Encryption Key (MEK)
  • Customer-Managed Encryption Key (CMEK)

OEKs are encrypted by the MEK and by an optional CMEK (controlled by the customer law firm, which can revoke it). All keys (OEK, MEK, and CMEK) are generated by the quantum hardware KMV for true randomness, instead of by software-based pseudo-random generators.

By using quantum random number generator technology, NetDocuments generates encryption keys from 100% true quantum-physical randomness, as opposed to software-based randomization that relies on deterministic, and therefore potentially predictable, algorithms.

The new key management and multi-layered encryption technology include:

  • One Unique Encryption Key per Object – Every digital file is encrypted using the AES-256 cryptographic method with its own unique and distinct OEK.

  • Multi-Layered Encryption – Each OEK is separately encrypted using a Master Encryption Key (MEK). You may apply a further layer of encryption to the OEK with an optional CMEK controlled by the customer.

  • Robust Key Management Solution – A highly secure key management solution manages all MEKs and CMEKs. It also includes dedicated Hardware Security Modules (HSM). You may use the NetDocuments HSM to store and manage customer CMEKs, or you may deploy and operate your own HSM.

  • Customer Control for Workspace Encryption – The CMEKs are controlled by the NetDocuments customer firm. Firms may assign cryptographic keys to specific highly sensitive workspaces (matters, cases, projects) that require additional security and encryption layers. Workspace-based encryption key management lets firms revoke access to specific sets of data rather than to the entire document management service.

  • Cipher Strength – NetDocuments uses a hardware-based second-generation Quantum Random Number Generator so that each AES-256 key is created with full randomization, ensuring the maximum strength of every encryption key.

  • Private HSM – Firms can deploy a customer-managed HSM to store CMEKs under their own control and custody. If a customer-managed HSM is selected, all ownership, management, control, and monitoring of workspace or matter keys rests directly with the firm. NetDocuments has no management access to customer-managed HSMs and can perform only authorized operations, such as submitting OEKs for cipher operations. In this environment, the customer-managed HSM is under the full custody of the firm.
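The OEK / MEK / CMEK hierarchy described above, as an added example rather than NetDocuments' own code: envelope encryption in Go, with a fresh AES-256 key per object, the OEK wrapped by the MEK and then by an optional CMEK, and decryption that fails once the CMEK is withheld. Assumptions not stated on the page: AES-256-GCM is used both for documents and for key wrapping, the CMEK is the outermost wrapping layer, and the OS CSPRNG stands in for the hardware quantum RNG.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey returns a random 256-bit key (assumption: OS CSPRNG in place of the quantum RNG).
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// seal encrypts with AES-256-GCM and prepends a fresh 12-byte nonce; open reverses it.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // every key produced here is 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a nil (revoked) key fails here
	if err != nil || len(blob) < 12 {
		return nil, errors.New("missing key or malformed ciphertext")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[:12], blob[12:], nil) // wrong key or tampering fails here
}

// EncryptObject: fresh OEK per object, document sealed with it, OEK wrapped by
// the MEK and, when the workspace has a CMEK, wrapped again by the CMEK.
func EncryptObject(doc, mek, cmek []byte) (ct, wrappedOEK []byte) {
	oek := NewKey()
	wrappedOEK = seal(mek, oek)
	if cmek != nil {
		wrappedOEK = seal(cmek, wrappedOEK)
	}
	return seal(oek, doc), wrappedOEK
}

// DecryptObject unwraps the OEK with the keys given outermost first (CMEK then MEK,
// or MEK alone). Omitting a revoked CMEK makes the MEK unwrap fail, so nothing is recoverable.
func DecryptObject(ct, wrappedOEK []byte, keys ...[]byte) ([]byte, error) {
	oek, err := wrappedOEK, error(nil)
	for _, k := range keys {
		if oek, err = open(k, oek); err != nil {
			return nil, err
		}
	}
	return open(oek, ct)
}
```

Revoking a workspace's CMEK therefore leaves every object in that workspace undecryptable while objects in other workspaces, wrapped by the MEK alone or by a different CMEK, are unaffected.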

How Do I Manage My Own Keys?

To manage your own keys, create CMEKs within a NetDocuments HSM through the NetDocuments web UI, which provides a console for managing your encryption keys.

Keys added to a customer-managed HSM cannot be managed through the NetDocuments UI; those CMEKs are managed by the owner of the HSM through the HSM's own management tool.