Data Settings

By default, all sensitive data held by SigningHub (including user documents and other information) is encrypted using a uniquely generated AES-256 symmetric Data Encryption Key (DEK). When stored, this symmetric DEK is protected with a higher-level AES-256 key known as the Key Encryption Key (KEK). In turn, the KEK is managed directly inside SigningHub using a secure software process. For an even higher level of security, it is possible to hold the KEK inside a tamper-protected Hardware Security Module (HSM). To achieve this, SigningHub relies on its underlying Ascertia ADSS Server component and its associated HSM to provide the required KEK services. For this, create an ADSS Server connector in the SigningHub Admin Connectors area. Now generate a key with the "Key Encryption Key (KEK)" Purpose in the ADSS Server instance associated with the ADSS Server connector. After generating the key, configure it inside the same ADSS Server instance.

Configure the data settings

  1. Click the 'Configurations' option from the navigation panel.

  2. Click the 'Data Settings' option.

  3. The 'Data Settings' page is displayed for you to make the necessary changes. See the table below for field descriptions.

  4. Tick the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box to enable the SigningHub DEK encryption/decryption through the ADSS Server-managed KEK. A drop-down will appear to select the encryption server. If you want to use the default security (i.e. based on the SigningHub software-managed KEK), keep this check box unticked.

  5. Now select an encryption server (i.e. ADSS Server connector). The ADSS Server connectors are managed through the connectors section. See details.

  6. Tick "Enable Data Archiving" in the Archiving section to specify information to "Archive an Account". A section will appear to add "Archive Directory Path", "Send Notification To" (i.e. email address), "Signer Key" (i.e. PFX) and the "Signer Key Password". The 'Send Notification To,' 'Signer Key (PFX/PKCS#12),' and 'Signer Key Password' fields are not required for document archiving, but are required for data archiving.

  7. Click the "Save" button.

  1. An important point to be considered while configuring Data Security settings is that if your Key Encryption Key (KEK) resides on a third-party server (e.g. ADSS), then there could be a possibility that the Key Encryption Key (KEK) results in a bottleneck due to TLS configurations where the PFX password cannot be decrypted without having the KEK.

  2. To avoid such a situation, it is recommended to configure the 'Encryption Server' that is being used to enable Key Encryption Key (KEK) as a non-TLS in order to get KEK from the client server.

  3. If you wish to enable the "Enable Key Encryption Key (KEK) to secure documents/links/passwords" check box, it is recommended that you configure a non-TLS (HTTP) encryption server.

  4. On making the user account archival, the user data (user profile, user document packages, user document packages evidence report and user document packages log) will be backed up in the path given in the field "Archived Directory Path".

  5. SigningHub requires a Signer Key (pfx) to create a signature for protecting the content of the ASiC-E container.

  6. The path given in the field "Archived Directory Path" should be valid. And it should have read/write permissions.

  7. The "Data Archiving" option will be available only if the "DATA_ARCHIVING" module is enabled in the license.

  8. The archived documents will be archived at the provided directory path. The archived documents will be available within the "Documents" folder at the directory path. Each archived document package will have an individual folder named as per the document package ID.

PreviousDocument SettingsNextBilling

Last updated