How are Encryption Keys derived and maintained?
Article ID: SEC0003
Software encryption keys are generated using a random number generator (ANSI X9.31) seeded from random OS-supplied data. RSA key pairs are created for every chunk written to protected storage, and initialization vectors (IVs) are created for CBC chaining during data encryption.
Data encryption keys are stored in the CommServ database, encrypted with the RSA public key of the client. The RSA private key of the client is stored encrypted with a built-in pass-phrase. Every key is stored with an embedded CRC32, which is used only to check whether a key has been entered incorrectly.
Keys are identified only by their storage location in the database. Keys are authenticated using a shared secret.
Keys can optionally be written to the backup media for manual recovery of data using the Media Explorer utility or the Catalog Media feature.
When chunks are pruned (erased), the database entry and the associated key for that chunk are deleted. “Open” keys in memory are deleted using memset().
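The embedded CRC32 check and the in-memory key wipe described above, as an added example that is not the product's own code. The record layout, `KEY_LEN` and all function names are assumptions. The wipe writes through a volatile pointer because an optimizing compiler may remove a plain memset() on a buffer that is never read again.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32  /* assumed key size; the article does not state one */

/* Hypothetical record layout: key bytes followed by their CRC32. */
struct key_record {
    uint8_t  key[KEY_LEN];
    uint32_t crc;
};

/* Standard CRC-32 (reflected, polynomial 0xEDB88320), bitwise form. */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Embed the CRC32 of the key bytes in the record. */
static void key_seal(struct key_record *r) {
    r->crc = crc32_calc(r->key, KEY_LEN);
}

/* Returns 1 if the key matches its embedded CRC32, 0 on a typo or
 * corruption. This catches accidental errors only; it is not a MAC. */
static int key_check(const struct key_record *r) {
    return crc32_calc(r->key, KEY_LEN) == r->crc;
}

/* Zero the record through a volatile pointer so the stores are kept. */
static void key_wipe(struct key_record *r) {
    volatile uint8_t *p = (volatile uint8_t *)r;
    for (size_t i = 0; i < sizeof *r; i++)
        p[i] = 0;
}

int main(void) {
    struct key_record r;
    memset(r.key, 0xA5, KEY_LEN);   /* constructed sample key */
    key_seal(&r);
    int ok = key_check(&r);         /* intact key passes */
    r.key[3] ^= 0x01;               /* simulate a mistyped byte */
    int bad = key_check(&r);        /* altered key fails */
    key_wipe(&r);
    return (ok == 1 && bad == 0) ? 0 : 1;
}
```

Where the platform provides them, `explicit_bzero()` or `memset_s()` serve the same purpose as `key_wipe()`.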