Encryption Key Management



NetDocuments is more than just a document or email management software service, but also a technology partner with its customers for enabling the legal industry in information security and governance. Law firms who create and store documents on behalf of their clients must also comply to federally regulated compliance standards. NetDocuments empowers law firms to maintain their regulated clients, e.g., banks to meet cryptography standards required for content storage and archival.

Encryption Key Management (EKM)

Recent high-profile international data privacy and access cases have prompted firms to give increased attention to security, data encryption, and the risks associated with data access if governments, courts, or other regulatory agencies seek access to confidential data. NetDocuments has responded to these security risks by developing a next generation key management and encryption technology.

Unique Encryption Key per Object

As a secure cloud-based document management service (DMS), NetDocuments uses the AES-256 standard to decrypt the digital files to index, view, edit, or email objects.  The encryption and decryption is done by the DMS software, instead of using low-value methodologies such as Self-Encrypting disks or File System encryption.  Encryption by the DMS software ensures that all digital files are concealed from storage and network administrators, which would not be the case with hardware base encryption.

Each individual document uploaded into or created in the NetDocuments Service is encrypted using its own unique AES-256 Object Encryption Key (OEK).  After encryption, the document is placed in the Object Store data storage array, and the OEK is separately stored in a highly secure database within the Service data center.  All objects (documents, emails, records, or images) are encrypted in transit (TLS) and at rest. 

Object Keys are further encrypted by an additional layer of Master Encryption Keys (MEK) which are used to encrypt each OEK.  The MEK is held by NetDocuments in a dedicated Hardware Security Module (HSM) with fully restricted access.  The HSM uses Root of Trust architecture to fully protect the MEK.

Customer-managed Encryption Keys

OEKs are also optionally encrypted with customer-managed encryption keys (CMEK), either in a NetDocuments HSM, or a customer-managed HSM.  An HSM (hardware security module) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. 

Encryption Key Management is a paid add-on feature, enabled and disabled at the repository level. Please contact NetDocuments Sales for more information.  The new key management features will be available for delivery in September 2017 for those who have purchased the features.

NetDocuments has a next generation encryption technology with advanced customer key management option. This new security architecture includes up to three separate encryption keys for each data file and allows customer firms and corporations to hold and control specific encryption keys relating to sensitive documents or content falling under regulatory, compliance, or client-mandated data governance policies. 

NetDocuments new key management infrastructure not only gives firms control of the keys for sensitive data, but takes the security and encryption of the entire document management platform to a level beyond what a single firm could provide.

The digital keys stored are:

  • Object (document) Encryption Key (OEK)
  • Master Encryption Key (MEK)
  • Customer-managed Encryption Key (CMEK)

OEKs are encrypted by MEK and an optional CMEK (which is controlled by the Customer/Law Firm – revocable keys). All keys (OEK, MEK, CMEK) are generated by the Quantum Hardware KMV for true randomness, instead of software-based pseudo-random generators. 

By leveraging quantum random number generator technology, NetDocuments’ encryption keys are generated using 100% true quantum physics randomization, as opposed to software-based randomization relying on decipherable algorithms. 

The new key management and multi-layered encryption technology includes:

  • One Unique Encryption Key per Object – Each and every digital file is encrypted using the AES-256 cryptographic method with a unique and distinct Object Encryption Key (OEK).

  • Multi-Layered Encryption - Each OEK is separately encrypted using a Master Encoding Key (MEK). Customers may apply a second layer of encryption to the OEK with an optional Workspace Encoding Key (WEK) which is controlled by the customer. 

  • Robust Key Management Solution – A highly secure key management solution manages all MEKs and CMEKs, and includes dedicated Hardware Security Modules (HSM). Customers may use the NetDocuments HSM to store and manage customer CMEKs, or customers may deploy and operate their own HSM.

  • Customer Control for Workspace Encryption – The CMEKs are controlled by the NetDocuments customer firm. Firms may assign cryptographic keys to specific workspaces (matters, cases, projects) which are highly sensitive and which require additional security and encryption layers. Workspace-based encryption key management allows firms to revoke access to specific sets of data instead of the entire document management service. 

  • Cypher Strength – A hardware-based 2nd generation Quantum Random Number Generator is used by NetDocuments to ensure that each AES-256 key is created with full randomization to ensure maximum strength of each encryption key.

  • Private HSM – Firms can implement a customer-managed HSM to store Customer-managed Encryption Keys under their control and custody. If a customer-managed HSM is selected, all the ownership, management, control, and monitoring of workspace or matter keys is directly under the custody of the firm.  NetDocuments would not have any management access to customer-managed HSMs, but can only perform authorized operations such as the ability to submit OEKs for cipher operations. In this environment the customer-managed HSM is under the full custody of the firm.

How Do I Manage My Own Keys?

Customers wishing to manage their own keys can create CMEKs within a NetDocuments HSM through the NetDocuments web UI. NetDocuments provides customers a console in the web UI to manage their encryption keys. 

Keys added to a customer-managed HSM through the NetDocuments UI will not be able to be managed through the NetDocuments UI. Rather, those CMEKs are managed by the owner of that HSM through that HSM’s management tool. 

Back to Top

Was this article helpful?
0 out of 0 found this helpful
Powered by Zendesk