Content encryption
Content encryption helps to protect the confidentiality of content that you add to a storage area in case the content is accessed outside of FileNet® P8. This encryption pertains only to the storage of content in the storage area: when Content Platform Engine retrieves and passes content to a client in response to a client request, the content is automatically decrypted.
Content Platform Engine encrypts and decrypts content using
AES in Counter mode, a Federal Information Processing Standard (FIPS) 140-compliant algorithm, with
a 128-bit key or a 256-bit key. A new key is generated whenever you enable encryption for the
storage area. For example, when you first enable encryption, one encryption key exists, and that key
is used to encrypt new content. If you re-enable encryption, two encryption keys now exist, and the
most recent key is used to encrypt new content. If you re-enable encryption again, three encryption
keys now exist, and so on. The storage area encryption keys are stored in a secure form in the
object store database.
You incur two performance penalties with content encryption. The first penalty occurs when you upload content to a storage area because more processing time is required to encrypt the content. The second penalty occurs when you retrieve content because more processing time is required to decrypt content. For content that has been encrypted, this second penalty occurs regardless of the current encryption setting on the storage area. The size of these performance penalties is proportional to the length of the content uploaded or retrieved, and varies depending on the speed of your server processor (the cost will be less the faster the processor).
There are no additional storage requirements associated with content encryption. An
encrypted document uses the same amount of disk space as an unencrypted document.
| Existing content is not encrypted or reencrypted. | Enabling encryption causes only the new content added to the storage area to be encrypted. No existing unencrypted content is encrypted, and no previously encrypted content is reencrypted with the newly generated encryption key. |
|---|---|
| When replicated, content is not encrypted. | When replicating content to Image Services or some other external repository, Content Platform Engine passes unencrypted content to the repository. The external repository might store the content in an unencrypted form. |
| When passed for indexing, content is not encrypted. | For indexing purposes, Content Platform Engine passes unencrypted content to IBM® Content Search Services. The content is passed in a file. IBM Content Search Services deletes the file after processing it. |
Moving content to force encryption or decryption
| Encryption | You might want to encrypt the existing unencrypted content. |
|---|---|
| Reencryption | You might want to reencrypt the existing encrypted content if, for example, the security of an encryption key has been compromised. |
| Decryption | You might want to decrypt content if, for example, you no longer want to incur the performance penalty that is connected with retrieving encrypted content. |