Decrypting a user's data with an old key or a delegation key
With the help of decryption keys, SDS Enterprise makes it possible to decrypt files and messages transparently when they are encrypted by a key other than the user's current key.
SDS Enterprise allows two types of decryption keys:
- Former private keys. When users renew their encryption keys (or personal keys), their former keys are automatically moved to a location where all their former decryption keys are kept.
- Delegation keys. These are encryption keys that coworkers can share with other users, to allow them to decrypt documents or messages that were encrypted for their use.
Delegated decryption consists of allowing User A to decrypt messages or files encrypted for User B in the latter's absence. To do so, User A must be given User B's encryption key.
With this encryption key, User A can only decrypt messages. To ensure that User A cannot sign on behalf of User B, we recommend using separate keys for encryption and signature.
To set up delegation, User B must export their encryption key from their SDS Enterprise account, which User A must then import into their own SDS Enterprise account by following the steps below:
- User B logs in to their SDS Enterprise account by clicking on the icon in the task bar.
- They then double-click on the Key ring icon.
- In the Encryption tab, User B selects the Operations > Export key menu.
- User B then sends the exported file to User A.
- User A logs in to their SDS Enterprise account.
- They then double-click on the Key ring icon.
- In the Decryption tab, they select the Operations > Import key menu.
- They then indicate the name of the file containing the key to be imported and the password.
SDS Enterprise displays a list of the certificates present in the file, that is, the certificate associated with the key contained in the file and its trust chain.
- To view a certificate from the list, the user can click on it.
- User A selects the certificates in the trust chain if they wish to import them into their trusted address book, then proceeds to the next screen.
- They then choose the type of key to import (delegation or former key), then continue to the next screen.
- They click on Finish once they have checked the result of the operation.
The imported key then appears in the list.
The user can right-click on a key in the list to rename it, display its properties or delete it, for example when delegation is no longer necessary.
NOTE
Keys imported this way cannot be exported by the person who received the key. In other words, the delegated people cannot forward the delegation.
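To make the behaviour described above concrete, here is an added model (not Stormshield code; key ids and user names are constructed) of a key ring that resolves a decryption key by looking at the current key, then former keys, then delegation keys, refuses to export anything that arrived through Import key, and never lets a delegation key stand in for the owner's signature key:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    owner: str
    key_id: str   # stands in for the certificate thumbprint; values are constructed
    usage: str    # "encryption" or "signature": separate keys, as recommended above


class NotExportable(Exception):
    """A key received through Import key cannot be exported again (no forwarding)."""


class KeyRing:
    """One user's ring: current keys, former private keys, delegation keys."""

    def __init__(self, enc_key: Key, sig_key: Key):
        self.owner = enc_key.owner
        self.current = {"encryption": enc_key, "signature": sig_key}
        self.former: list[Key] = []       # filled automatically on renewal
        self.delegation: list[Key] = []   # imported from coworkers
        self.imported: set[str] = set()   # key_ids that arrived via Import key

    def renew_encryption_key(self, new_key: Key) -> None:
        self.former.append(self.current["encryption"])
        self.current["encryption"] = new_key

    def import_key(self, key: Key, kind: str) -> None:
        # The import wizard only accepts a decryption key; kind mirrors its last screen
        if key.usage != "encryption":
            raise ValueError("only encryption keys can be imported as decryption keys")
        (self.delegation if kind == "delegation" else self.former).append(key)
        self.imported.add(key.key_id)

    def export_key(self, key_id: str) -> Key:
        if key_id in self.imported:
            raise NotExportable(key_id)
        for key in (self.current["encryption"], *self.former):
            if key.key_id == key_id:
                return key
        raise KeyError(key_id)

    def decryption_key_for(self, recipient_key_id: str):
        """Transparent decryption: current key, then former keys, then delegation keys."""
        stores = (("current", [self.current["encryption"]]),
                  ("former", self.former), ("delegation", self.delegation))
        for name, keys in stores:
            for key in keys:
                if key.key_id == recipient_key_id:
                    return name, key
        return None

    def signing_key_for(self, owner: str):
        # Signing only ever uses the ring owner's own signature key; delegation never grants it
        return self.current["signature"] if owner == self.owner else None
```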
SDS Enterprise also manages decryption keys for messages in OpenPGP format. These keys are used by the Stormshield Data Mail feature to read messages secured by PGP and GnuPG applications, or any other application compatible with the OpenPGP format.
When Stormshield Data Mail is installed on the machine, the OpenPGP keyring tab in the properties of the user account makes it possible to manage these keys.
To import an OpenPGP keyring:
- On the user workstation, right-click on the SDS Enterprise icon in the Windows system tray.
- Select Properties.
- Select the Configuration tab.
- Double-click on the Key ring icon.
- Select the OpenPGP keyring tab.
- Click on Operations then on Import a keyring.
- Select a file in OpenPGP format (.gpg, .pgp or .asc). The file may contain several keys.
- Enter the password that protects the file.