About encrypted data rooms
For data rooms with increased security requirements, client-side encryption can be activated in DRACOON. These data rooms are referred to as encrypted data rooms and are displayed with an additional lock symbol.
All files that are uploaded to encrypted data rooms are automatically encrypted on the client side and decrypted again on the client side when required (e.g. on download).
About encrypted data rooms
- Encryption can only be enabled for a data room if it is empty and has no subrooms yet. The recycle bin of the data room must also be empty at the time encryption is activated. It therefore makes sense to activate encryption for a data room immediately, before additional users/groups have been added to the data room.
- Encryption can only be enabled for data rooms that are located at the top level in DRACOON. If a room is encrypted at top level, the encryption automatically applies to all subrooms created later in that room. It is not possible to encrypt only a child room while the parent room is unencrypted.
- If encryption has been enabled for a data room, it cannot be undone.
- Although working with encrypted data rooms generally does not differ from working with unencrypted data rooms for end users (except for the required entry of the personal decryption password), there are some limitations when using encrypted data rooms. You should therefore activate encryption only for those data rooms with increased security requirements (see "What are the limitations of encrypted data rooms?").
- Before encryption can be enabled for individual data rooms, the encryption must be activated in DRACOON by the configuration manager.
Who is allowed to enable client-side encryption for a data room?
Only the room administrators of a particular data room are allowed to enable encryption for that data room.
Enable encryption for a data room
How to enable client-side encryption for a specific data room:
- Click All Files in the left sidebar and then click on the data room you want to encrypt.
- When you open the data room, the Encrypt data room dialog appears, asking whether encryption should be enabled for the data room (see "Possible causes if dialog box is not displayed").
- Click the Encrypt button.
- If you have not yet created a personal decryption password in DRACOON, you will now be prompted to do so. You can only activate encryption for a data room if you already have a personal decryption password in DRACOON. Create a personal decryption password if you are asked for one, and then start again at step 1 above.
- Select whether an emergency password should be enabled for the data room. The emergency password can be used to give users of the data room access to the files in the room again should they forget their personal decryption password. In addition, the system-wide emergency password can be used by the configuration manager to participate in the distribution of missing file access keys. You have three options:
  - With this setting, in addition to the users' personal decryption passwords, the system-wide emergency password that the configuration manager has configured for DRACOON can also be used, if necessary, to decrypt files in the room. This is the recommended setting, since it allows the configuration manager to participate, if necessary, in the distribution of missing access keys for the files in the room. This is the case, for example, if a user of the room has forgotten his personal decryption password or if a new user has been added to the room.
  - With this setting, you create a special room emergency password that is only valid for this data room and can be used for decrypting files in the room. If you select this setting, the system-wide emergency password cannot be used to access files in this room. A configuration manager therefore cannot be involved in generating missing access keys for files in the room. With this setting, you as the room administrator are yourself responsible for keeping the room emergency password you have set and for passing it on to any other room administrators so that they can use it in the event of an emergency (forgotten password, new user).
  - With this setting, the room is not secured with any emergency password, so files in the room can only be accessed with the personal decryption passwords of the room users. If a user forgets his decryption password, the user can only regain access to the files in the room if other users in the room already have access keys for these files and are available to generate new access keys for the affected user. Neither the configuration manager nor a room administrator can help out with an emergency password. This setting is useful at best if you will be the only user of the data room and you are sure that you will never forget your personal decryption password.
- If you have selected the setting Set emergency password for this data room: You will now be prompted to specify an emergency password for the data room. Specify an emergency password that matches the policies set by the configuration manager (these are displayed in a balloon; change the password if necessary until all required policies are marked with a green check mark), and finally click on Set.
- Also provide the room emergency password you set to the other room administrators of the data room (if any), so that they can also use it in case of need.
- Should the room emergency password ever be lost, a new one can be set in the Room settings. However, since this may be associated with data loss (files for which only a single user who has forgotten his personal decryption password has access keys are irretrievably lost when the room emergency password is changed), you should keep the room emergency password safe!
- After a short waiting period, during which the cryptographic keys for any emergency passwords you defined are generated, encryption is activated in the data room. Files that are uploaded to the data room from now on are automatically encrypted client-side.
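
The data-loss condition described for the option without an emergency password and for replacing a lost room emergency password can be checked with a small model. This is an added example, not DRACOON code or its API: it assumes only what the text states (each file has access keys for certain holders, and a holder who can still decrypt can generate keys for others); all names and the sample room are constructed.

```python
"""Simplified model of access-key coverage in an encrypted data room (illustrative only)."""

# Pseudo-holder standing for the system-wide or room emergency password (assumed name).
EMERGENCY = "<emergency-key>"

def usable_holders(holders, forgotten, emergency_available):
    """Return the holders of a file's access key who can still decrypt the file."""
    usable = {h for h in holders if h != EMERGENCY and h not in forgotten}
    if EMERGENCY in holders and emergency_available:
        usable.add(EMERGENCY)
    return usable

def audit_room(file_keys, forgotten, emergency_available):
    """Classify each file as 'ok', 'single-holder' (one usable key left) or 'lost'."""
    report = {}
    for name, holders in file_keys.items():
        count = len(usable_holders(holders, forgotten, emergency_available))
        report[name] = "lost" if count == 0 else "single-holder" if count == 1 else "ok"
    return report

def lost_if_emergency_password_reset(file_keys, forgotten):
    """Files that become unrecoverable when a lost room emergency password is replaced.

    The old emergency password is gone, so its access keys cannot be used; only
    users who still know their personal decryption password can re-issue keys.
    """
    report = audit_room(file_keys, forgotten, emergency_available=False)
    return sorted(name for name, state in report.items() if state == "lost")

# Constructed sample room: file name -> holders that have an access key for it.
SAMPLE = {
    "contract.pdf": {"alice", "bob", EMERGENCY},
    "payroll.xlsx": {"carol", EMERGENCY},
    "notes.txt": {"alice", EMERGENCY},
}

if __name__ == "__main__":
    forgotten = {"carol"}  # carol has forgotten her personal decryption password
    print(audit_room(SAMPLE, forgotten, emergency_available=True))
    print(lost_if_emergency_password_reset(SAMPLE, forgotten))
```

Files reported as single-holder are the ones to give a second key holder before anyone resets the room emergency password.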