Encryption Key Management



NetDocuments is more than just a document or email management software service, but also a technology partner with its customers for enabling the legal industry in information security and governance. Law firms who create and store documents on behalf of their clients must also comply to federally regulated compliance standards. NetDocuments empowers law firms to maintain their regulated clients, e.g., banks to meet cryptography standards required for content storage and archival.

Encryption Key Management (EKM)

Recent high-profile international data privacy and access cases have prompted firms to give increased attention to security, data encryption, and the risks associated with data access if governments, courts, or other regulatory agencies seek access to confidential data. NetDocuments has responded to these security risks by developing a next generation key management and encryption technology.

HSM (hardware security module) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. 

How does HSM work with NetDocuments?

Encryption Key Management is a paid add-on feature, enabled and disabled at the repository level. Please contact NetDocuments Sales for more information.  The new key management features will be available for delivery in March 2017 for those who have purchased the features.

NetDocuments has a next generation encryption technology with advanced customer key management using HSM. This new security architecture includes up to three separate encryption keys for each data file and allows customer firms and corporations to hold and control specific encryption keys relating to sensitive documents or content falling under regulatory, compliance, or client-mandated data governance policies. 

NetDocuments new key management infrastructure not only gives firms control of the keys for sensitive data, but takes the security and encryption of the entire document management platform to a level beyond what a single firm could provide.

The digital keys stored are:

  • Object (document) Encryption Key (OEK)
  • Master Encryption Key (MEK)
  • Customer-managed Encryption Key (CMEK)

OEKs are encrypted by MEK and an optional CMEK (which is controlled by the Customer/Law Firm – revocable keys). All keys (OEK, MEK, CMEK) are generated by the Quantum Hardware KMV for true randomness, instead of software-based pseudo-random generators. 

By leveraging quantum random number generator technology, NetDocuments’ encryption keys are generated using 100% true quantum physics randomization, as opposed to software-based randomization relying on decipherable algorithms. 

The new key management and multi-layered encryption technology includes:

  • One Unique Encryption Key per Object – Each and every digital file is encrypted using the AES-256 cryptographic method with a unique and distinct Object Encryption Key (OEK).

  • Multi-Layered Encryption - Each OEK is separately encrypted using a Master Encoding Key (MEK). Customers may apply a second layer of encryption to the OEK with an optional Workspace Encoding Key (WEK) which is controlled by the customer. 

  • Robust Key Management Solution – A highly secure key management solution manages all MEKs and CMEKs, and includes dedicated Hardware Security Modules (HSM). Customers may use the NetDocuments HSM to store and manage customer CMEKs, or customers may deploy and operate their own HSM.

  • Customer Control for Workspace Encryption – The CMEKs are controlled by the NetDocuments customer firm. Firms may assign cryptographic keys to specific workspaces (matters, cases, projects) which are highly sensitive and which require additional security and encryption layers. Workspace-based encryption key management allows firms to revoke access to specific sets of data instead of the entire document management service. 

  • Cypher Strength – A hardware-based 2nd generation Quantum Random Number Generator is used by NetDocuments to ensure that each AES-256 key is created with full randomization to ensure maximum strength of each encryption key.

  • Private HSM – Firms can implement a customer-managed HSM to store Customer-managed Encryption Keys under their control and custody. If a customer-managed HSM is selected, all the ownership, management, control, and monitoring of workspace or matter keys is directly under the custody of the firm.  NetDocuments would not have any management access to customer-managed HSMs, but can only perform authorized operations such as the ability to submit OEKs for cipher operations. In this environment the customer-managed HSM is under the full custody of the firm.

Configuring HSM 

On the Repository Administration page, click Encryption Key Management to go to the HSM management page:

The HSM console will appear as follows:

To add a new HSM:

  1. Enter a name for the HSM.
  2. Upload the connection pack.
  3. Click Save.


Back to Top

Was this article helpful?
0 out of 0 found this helpful


Have more questions? Submit a request
Powered by Zendesk