Note: This page only applies to server owners managing encryption for a Decipher server. Only "Staff" level users can enable encryption. This is not the same as "Supervisor".
1: About Managing Data Encryption
When server encryption is enabled, data such as email lists, sample files, and files uploaded to a project details page is automatically encrypted when it is stored. You can also choose to encrypt all Open End fields and partial data in a project. Additionally, you can encrypt or decrypt any individual file from the command line.
To learn about
The decryption is transparent and automatic for users with the correct permissions. Every access to encrypted data is logged in the access-log.xlsx file, which is accessible to staff or supervisor users.
Encryption is set at the server level and requires the creation of a decryption key or passphrase. The passphrase resides only in the server's memory, so every time the server is rebooted, the passphrase must be re-entered. Without a passphrase, data cannot be decrypted.
For technical details on the encryption process, click here.
2: Viewing the Server Encryption States
Staff users can view the status of the server encryption.
From the project page in the research hub, click "User Links". The Server Encryption link displays with the server encryption state.
The server encryption states:
- Active: Server is encrypted, passphrase has been entered. No immediate user action is necessary.
In an "Active" state, you can click the "Server Encryption" link to:
- 1: Modify the list of users to notify if the server reboots.
- 2: Change the passphrase.
- 3: Download the access log that reports when a new encryption key was requested, and when and for whom data was decrypted.
- Off: Encryption has not been enabled for the server. To enable server encryption, click here.
- Locked Out: Encrypted server has been rebooted and a notification email has been sent to those specified. Click "Server Encryption" to enter the passphrase and unlock the server so that data can be decrypted. To unlock a server, click here.
3: Enabling Encryption
A server encryption state of "Off" means encryption has not been enabled. To enable server encryption:
First, click the "Server Encryption" link on the "User Links" menu.
Enter a passphrase of 16 or more ASCII characters, or have the system generate one for you. The passphrase should be at least 16 characters. If it is easy to guess, a highly skilled hacker who steals all the data files on the server and carefully studies how we manage encryption may be able to "brute force" access to them.
ASCII characters normally represent text characters on a computer and do not include Japanese characters or emoji.
The passphrase strength displays a measure of how well the passphrase resists guessing or brute-force attack.
Re-enter the passphrase and then click "Enable Encryption."
The server is now encrypted and the state is set to "Active". Your email is automatically added to the notification list in case the server reboots.
If you forget the passphrase, contact the firstname.lastname@example.org who can escalate the situation to a few select users that are able to "escrow" the key.
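The passphrase rule from the steps above (16 or more ASCII characters) can be checked before you type a candidate into the form. The following is an added example, not Decipher's own code: the function names, the 94-character generation alphabet, and the offline guess rate are assumptions, and the entropy figure applies only to randomly generated passphrases.

```python
import math
import secrets
import string

MIN_LENGTH = 16  # minimum passphrase length stated on this page
# Assumption: generate from the 94 printable ASCII letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_passphrase(passphrase):
    """Return the page's rules that the passphrase breaks (empty list = accepted)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if not passphrase.isascii():
        problems.append("contains non-ASCII characters")
    return problems


def generate_passphrase(length=MIN_LENGTH):
    """Draw each character independently from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 16")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits, valid only for uniformly random characters."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["passwordpassword", "short", "パスワード" * 4]:
        print(repr(sample), check_passphrase(sample) or "meets the rule")
    generated = generate_passphrase()
    bits = random_entropy_bits(len(generated))
    print(generated, f"{bits:.1f} bits",
          f"{years_to_exhaust(bits, 1e12):.2e} years at an assumed 1e12 guesses/s")
```

Note that "passwordpassword" satisfies both rules yet is easy to guess, so the length and ASCII checks are a floor, not a measure of strength.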
4: Unlocking the Server
When a server reboots, the passphrase stored in memory is erased and must be re-entered for data decryption to occur. Staff or supervisor users on the Email Notification list are sent an email about re-entering a passphrase. To unlock the server:
From the project page in the research hub, click "User Links". The Server Encryption link displays with a "Locked Out" state.
Click the "Server Encryption" link and the Server Encryption window opens.
Enter the established passphrase and click "Submit" to unlock the server and enable data decryption.
Learn more: Data Encryption