Encryption

CDC Arkhinéo can offer a new layer of additional (and optional) security to protect the archives in the event of a "data leak" or unwanted access, which, while unlikely, should be considered.

Uploaded document encryption

This function, delivered by Cryptoneo, is completely transparent to the user: encryption and decryption are done on the fly when uploading and viewing your archives, as well as at delivery.

The platform's encryption process uses robust algorithms that comply with industry standards, combining asymmetric key encryption with symmetric data encryption using AES (Advanced Encryption Standard) with a 256-bit key in CBC mode. Each archive is encrypted with its own individual symmetric key.

Encryption operations are executed in-stream on Arkhinéo platform servers without interruption or human intervention. Decryption of documents is executed on Arkhinéo platform servers (Cryptoneo encryption centre).

When this function is activated, CDC Arkhinéo generates a different key pair for each client, kept in a secure and dedicated area based on physical HSMs.

CDC Arkhinéo issues an encryption certificate and, therefore, has the private key associated with this certificate to decrypt the archive during the viewing process. This key is kept highly secure in hardware-segregated HSMs (Hardware Security Modules).

The encryption is configured by CDC Arkhinéo when configuring your spaces' archiving profiles. It involves setting up an encryption certificate specific to each client, in line with the multi-tenant logic of CDC Arkhinéo's platform.
When viewing an encrypted archive, the service decrypts it automatically and transparently, using CDC Arkhinéo's encryption centre (Cryptoneo).

If the user wishes, they can, in addition to the CDC Arkhinéo certificate, provide their own encryption certificate (BYOK: Bring Your Own Key) and keep the associated private key. This certificate is used if the client wishes to have the archives returned so that they can decrypt them with their own private key.

In this case, if the customer loses their certificate, CDC Arkhinéo will be able (on request) to give them a decrypted version of the archive, because the document is encrypted with the two keys (that of CDC Arkhinéo and that of the client) when it is uploaded.

In this case, two return options are possible:
-    traditional decrypted return,
-    encrypted return which the client can decrypt with their private key.
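
The double-key scheme described above, as an added Go example that is not CDC Arkhinéo's or Cryptoneo's code: each archive gets its own AES-256-CBC key, and that key is wrapped once per certificate, so either private key can open the archive. RSA-OAEP as the wrapping scheme, the names Envelope, NewRecipient, Seal and Open, the recipient labels, and software-generated keys standing in for HSM-held ones are assumptions; the example generalizes from two recipients to any number and, because CBC carries no integrity protection, does not detect tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

type Envelope struct {
	IV, Body []byte            // AES-256-CBC IV and ciphertext of one archive
	Wrapped  map[string][]byte // that archive's key, wrapped per recipient (RSA-OAEP assumed)
}

func NewRecipient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // hypothetical helper: software stand-in for an HSM key

// Seal (hypothetical API, like Envelope and Open) encrypts one archive under a fresh key and wraps it per recipient.
func Seal(archive []byte, to map[string]*rsa.PublicKey) (env *Envelope, err error) {
	secret := make([]byte, 32+aes.BlockSize) // key || IV, new for every archive
	if _, err = rand.Read(secret); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(secret[:32]) // a 32-byte key is always accepted
	pad := aes.BlockSize - len(archive)%aes.BlockSize
	pt := append(append([]byte{}, archive...), bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7
	env = &Envelope{IV: secret[32:], Body: make([]byte, len(pt)), Wrapped: map[string][]byte{}}
	cipher.NewCBCEncrypter(block, env.IV).CryptBlocks(env.Body, pt)
	for name, pub := range to {
		if env.Wrapped[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret[:32], nil); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Open unwraps the archive key with one recipient's private key, then decrypts.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.Wrapped[name], nil)
	if err == nil && len(key) == 32 && len(env.IV) == aes.BlockSize && len(env.Body) > 0 && len(env.Body)%aes.BlockSize == 0 {
		block, _ := aes.NewCipher(key)
		pt := make([]byte, len(env.Body))
		cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Body)
		if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize { // PKCS#7 length byte
			return pt[:len(pt)-pad], nil
		}
	}
	return nil, rsa.ErrDecryption // one deliberately vague error for every failure
}
```

Sealing with recipients labelled "operator" and "client" yields one ciphertext that either private key opens, which is why a lost client key does not make the archive unrecoverable while the operator's wrapped copy exists.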

Encryption is an option that can be activated at various levels:
-    throughout the client area,
-    at a lower level: the vault, section, or compartment.

This can be useful, especially for those of you who are CDC Arkhinéo service resellers, because you can then implement encryption for one or more of your customers independently of your other customers. Each client with a dedicated space in which encryption is activated can have its own encryption certificate.

A client who wishes to encrypt some of its sub-spaces (sections or compartments) may request different keys for each of them. Therefore, a compartment can have an encryption key different from a section.

An option called transencryption (RE-KEY) is also possible. Transencryption allows you to change the key in the event of a leak, corruption of the algorithm, etc.

All encryption certificates and keys are protected in HSMs qualified RQ (Reinforced Quality) by the French national digital security agency, ANSSI (EAL4+).

NB: Cryptoneo is not a tool for defining the company's privacy policy. This topic must be managed beforehand by the client, who can, for confidentiality reasons, give already-encrypted documents to CDC Arkhinéo.

It is important to note that an archive previously encrypted by the client itself and uploaded and encrypted on the servers of CDC Arkhinéo cannot be decrypted by CDC Arkhinéo (it is then the customer's responsibility to keep their decryption key and manage the obsolescence and durability of the algorithm that they have chosen).