Since version 2.1 of DRACOON (previously Secure Data Space), the Triple-Crypt® Technology has been deeply embedded in the product. It extends the previous double encryption with client-side encryption (Local Encryption).
With this additional encryption, files can be encrypted on the user’s device even before uploading them to DRACOON so that only authorized users who have a corresponding decryption key can decrypt and access these files. To use this feature, a Config Manager must activate the Triple-Crypt® Technology for the entire system. After doing so, Data Room Admins can activate Triple-Crypt® Technology for their Data Rooms. The individual steps to do so are explained in this chapter in detail.
Concept of Triple-Crypt® Technology
As the name suggests, all files saved in DRACOON are encrypted in three places:
- On the transport route via SSL/TLS (Channel Encryption)
- When saving in encrypted file systems (Server Side Encryption)
- Optionally on the client side to ensure real-time end-to-end encryption (Local Encryption)
A detailed description of the employed technologies, procedures, and concepts can be found under the following link: [Definitions#Encryption]
Activating Triple-Crypt® Technology for a Data Space
Triple-Crypt® Technology can be activated for the entire DRACOON in the settings.
If this item cannot be selected, please contact your Administrator or Host and ask them to activate this feature for the entire system.
Activating Triple-Crypt® Technology for a Data Room
After a Data Room has been created you have the option of encrypting it with Triple-Crypt® Technology. However, this must be done before files are uploaded or Data Rooms are created.
Important: The uppermost Data Room level defines the encryption for all subordinate Data Rooms. If a first-level Data Room is encrypted, all of its subordinate Data Rooms will also be encrypted. If a first-level Data Room is not encrypted, its subordinate Data Rooms will also not be encrypted.
The following pop-up will appear after clicking “Protect [Data Room name] with Triple-Crypt® Technology now”.
In this window, you have the option of setting an additional decryption method via “Data Space Rescue Key” or “Data Space Room Rescue Key”, in case a user should forget the decryption key.
Should you decide against enabling this additional decryption method, important files may remain permanently encrypted and therefore inaccessible if Data Room users forget the decryption key.
Restrictions for encrypted Data Rooms
If Triple-Crypt® Technology has been activated for a Data Room, the following features will no longer be available to this Data Room:
- Copying and moving files to unencrypted Data Rooms (Data Rooms for which Triple-Crypt® Technology hasn’t been activated yet).
- Integrating a Data Room as a WebDAV drive or accessing it via an SFTP client.
- Uploading to and downloading files from a Data Room using Internet Explorer, Mozilla Firefox, or Safari if Java isn’t installed.
- Sharing an entire Data Room or a folder (individual files can be shared).
- Downloading several files, folders or entire Data Rooms as a packaged ZIP file.
Initial definition of the encryption key
Once Triple-Crypt® Technology has been activated in DRACOON, every user must set their own encryption key.
Every user is prompted to do so by a notification in the top bar:
Additionally, a notice is continuously shown on the Dashboard until a user has set their encryption password:
By clicking Set encryption password now the following pop-up will appear:
You must enter your encryption password in this window and then re-enter it for verification. The password must be at least 8 characters long and contain at least one upper and one lower-case letter, a number as well as a special character.
Once an appropriate encryption key has been entered and confirmed by clicking Next, the following window will be shown:
The process of creating the key pair can take a few seconds. The window is closed automatically once the process is complete.
Uploading files to encrypted Data Rooms
Click (+) Files to add a file to the encrypted Data Room. When you have selected a file, the following window will be shown:
Files can be selected either manually by clicking Select files… or via Drag & Drop. Additionally, it is possible to add a comment, set an expiration date, and define the classification. DRACOON supports file names of up to 150 characters.
Downloading files from encrypted Data Rooms
A file is automatically downloaded from a Data Room if it is clicked on.
After clicking on a file, the following window will be shown:
Enter your personal encryption password in this field. In case you have forgotten this password, you can alternatively decrypt the file using the Data Room Rescue Key or the Data Space Rescue Key, in case one of these procedures has previously been activated.
Changing/redefining the encryption password
You can change your personal password at any time, e.g. if you can’t remember your password or if it has been compromised.
Changing the encryption password is only possible in the Web Client and requires three steps:
- Deleting the current encryption password
- Entering a new encryption password
- Being granted access to existing encrypted files by another user
If you change your encryption password you will not have access to any existing files within encrypted Data Rooms for a certain amount of time – until another user has helped you regain access to these files. You should therefore keep in mind that you might not immediately be able to access all encrypted files after changing your encryption password.
How to define a new encryption key:
- In the header click on your user name to access your user profile.
- On your profile, click the red button Delete your encryption password.
- A warning will appear and inform you about the consequences of deleting your encryption password. Carefully read the message and then select the check box, signalling that you have understood the consequences of deleting your password. To complete the process, click Yes, delete my encryption password.
If there are any files in encrypted Data Rooms to which only you have access, they will be deleted when you delete your encryption password and cannot be recovered!
- Your encryption password has now been deleted. You will subsequently be prompted to define a new encryption password.
- Click Next to save the new encryption password. From now on, your new encryption password is effective.
- IMPORTANT: After deleting and redefining your encryption password, you will initially not be able to access existing files in any encrypted Data Room. You will need the help of another user who has access to these Data Rooms before you can access and download these files again. For this reason, the following message will be visible to other users once you delete your encryption password:
The other users are thereby prompted to help you regain access to existing encrypted files. As soon as another user clicks Make encrypted files available to all granted users and then enters their personal encryption password, you will again have access to all encrypted files to which the other user also has access.
If you want to regain access to all encrypted files as soon as possible after changing your encryption password, ask another user, e.g. via email or chat, to do the following: log into the Web Client, click Make encrypted files available to all granted users, and then enter their personal encryption key.
Perhaps it will not be necessary to reach out to other users, as they might have already spotted the notification in the Web Client and subsequently helped you regain access.
Generating file keys
If a user wants to access files in an encrypted Data Room or subordinate Data Room, but has created an encryption password after these files were added or the Data Room was created, they only gain access to these files after an already authorized user generates new file keys.
The non-authorized user will be shown the following window when they click on a file:
Additionally, it is possible for the user to decrypt the file by entering the Data Room Rescue Key or the Data Space Rescue key, in case one of these procedures has previously been activated.
If a non-authorized user wants to access such a file, all already authorized users will be shown the following message:
By clicking Make encrypted files available to all granted users, new file keys are generated and all pending permissions are granted.
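The model behind this step, and behind the temporary loss of access after redefining an encryption password, can be sketched with generic envelope encryption. The following is an added example, not DRACOON's code: the algorithms (RSA-OAEP, AES-256-GCM) and all function names are assumptions chosen for illustration.

```javascript
// Added illustration: generic envelope encryption, NOT DRACOON's actual implementation.
const nodeCrypto = require('node:crypto');

// Key pair whose private half is stored encrypted under the encryption password.
function createUserKeys(password) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password },
  });
}

// Encrypt once with a random file key, then wrap that key for every authorized user.
function uploadFile(plaintext, recipients) {
  const fileKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const data = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const fileKeys = {};
  for (const [user, publicKey] of Object.entries(recipients)) {
    fileKeys[user] = nodeCrypto.publicEncrypt(publicKey, fileKey); // RSA-OAEP by default
  }
  return { iv, data, tag: cipher.getAuthTag(), fileKeys };
}

// Throws if the user has no wrapped key, or if key pair or password do not match it.
function unwrapFileKey(file, user, privateKey, password) {
  if (!file.fileKeys[user]) throw new Error(`no file key for ${user}`);
  return nodeCrypto.privateDecrypt({ key: privateKey, passphrase: password }, file.fileKeys[user]);
}

function downloadFile(file, user, privateKey, password) {
  const fileKey = unwrapFileKey(file, user, privateKey, password);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', fileKey, file.iv);
  decipher.setAuthTag(file.tag);
  return Buffer.concat([decipher.update(file.data), decipher.final()]);
}

// An already authorized user enters their password and re-wraps the file key
// for a user whose new public key has no file key yet.
function generateFileKey(file, granter, granterKey, granterPassword, user, userPublicKey) {
  const fileKey = unwrapFileKey(file, granter, granterKey, granterPassword);
  file.fileKeys[user] = nodeCrypto.publicEncrypt(userPublicKey, fileKey);
}
```

In this model, a file whose key is wrapped for only one user has nobody left to re-wrap it once that user's key pair is replaced.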