This article describes how to allow client-side encryption in your DRACOON environment so that it can be enabled for individual data rooms afterwards.
About the client-side encryption in DRACOON
If desired, certain data rooms in DRACOON that have increased security requirements can be encrypted on the client side. All files in these data rooms are then end-to-end encrypted and thus specially protected against unauthorized access. However, there are some restrictions on the use of encrypted data rooms, so encryption should be activated for a data room only if necessary. (See: Restrictions on the use of encrypted data rooms)
Encryption can be activated separately for each data room by the respective room administrator, but only for data rooms on the top level and only as long as the room is still empty. If a data room on the top level is encrypted, all data rooms below it are automatically encrypted as well. Likewise, if the data room on the top level is not encrypted, none of its sub-rooms are encrypted.
Room administrators can activate the encryption of one of their data rooms only after the encryption for the whole DRACOON environment has been allowed once by the configuration manager.
Allow client-side encryption in DRACOON
Who is allowed to allow client-side encryption in DRACOON?
Only users with the role Configuration manager are authorized to allow client-side encryption in DRACOON.
If you have decided that room managers should be able to encrypt their data rooms, allow encryption in your DRACOON environment as follows:
Note that allowing client-side encryption in DRACOON is a one-time operation that cannot be undone.
- In the left sidebar, click Settings and then Security.
- Turn on the switch Enable encryption for this environment.
The upper switch Enable encryption system-wide is usually already active by default and cannot be changed in this case. However, if the upper switch is off, activate it first before activating the lower switch.
- You will now be prompted to set a system-wide emergency password. With this system-wide emergency password, encrypted files can be decrypted and restored in an emergency (e.g. if a user has forgotten their personal decryption password). This is possible only if the respective room manager selected this option when activating the encryption of a room and did not, for example, set a separate room emergency password.
Be sure to keep the system-wide emergency password in a safe place (e.g., in the company safe) so that it neither falls into unauthorized hands nor gets lost, yet can still be used by authorized persons when needed. Avoid giving only one person access to the system-wide emergency password: when it is needed, this person may not be available or may have left the team in the meantime.
If the system-wide emergency password can no longer be found, a new one can be set, but this will result in the loss of all files that were previously encrypted only with the system-wide emergency password!
- Click Set.
- Client-side encryption is now allowed in DRACOON and can be activated immediately for individual data rooms by the respective room administrator if required.
Note: After allowing encryption, all users will see a new task in the top right corner under My Tasks after logging into the DRACOON Web App, prompting them to set a personal decryption password - this is required for individual users to use encrypted data rooms.