Enabling Field Encryption for an Instance

Archer allows you to encrypt the following fields in an application: Attachment, Date, Image, IP Address, Numeric, and Text. Encryption protects sensitive data stored in the database.

Using field encryption

To use field encryption, you must either select the Hardware Security Module (HSM) or the Windows Certificate key store option. The file repository and Windows certificate store must be located on separate machines. You must also enable field encryption at the instance level. For a multi-instance setup, it is recommended that you use a different certificate for each instance.

Note: If you intend to select HSM as your key store option, you must first configure the Hardware Security Module on the Installation tab. For more information, see Configuring the Hardware Security Module.

After you have enabled encryption:

  • If you select the HSM option, then no more configuration is required on the Instance tab.
  • If you select the Windows Certificate Store option, then you must enter the Key Encryption Key (KEK) Certificate Thumbprint value from your certificate. The system uses the certificate you provided as the KEK and, from that key, generates a Data Encryption Key (DEK). The DEK is used to encrypt data and is stored in the database. The KEK encrypts the DEK and is stored in your Windows certificate.

Certificate requirements

Certificates must meet the following requirements:

  • Present in the local machine store
  • Exportable
  • Not expired
  • Key size of 2048 bits
  • Private key
  • The following user accounts must have read access to the certificate:
    • The IIS_IUSRS account
    • The Service account (Local System or any custom service account)

      Note: If the system does not have sufficient permissions to the certificate, a "Keyset does not exist" error message is logged.

  • For a multiple-server setup, a certificate must be present on each Web Server and Services Server.

Important: After you have enabled field encryption for an instance, you cannot disable it. If you lose access to your keys, you lose access to data.

Enable field encryption for an instance

  1. Locate and copy the thumbprint value of the Windows certificate that you plan to use.
  2. Go to the Field Encryption section:
    1. Open the Archer Control Panel.
    2. Go to Instance Management and select All Instances.
    3. Select the instance.
    4. On the General tab, go to the Field Encryption section.
  3. In the Field Encryption section, select Enable Field Encryption.
  4. Select a Key Store option.
  5. Do one of the following:
    • If you have selected the Hardware Security Module key store option, go to the next step.
    • If you have selected the Windows Certificate Store option, enter the thumbprint value from your certificate in the KEK Certificate Thumbprint field.
  6. On the toolbar, click Save.
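Before enabling encryption, the certificate requirements listed above can be checked from a PowerShell prompt on each server; the script below is an added example, not part of Archer or its documentation, and it also prints the thumbprint needed for step 1. It assumes the certificate is found by a subject-name filter and that the service account name is supplied by the caller; the private-key file locations used for the ACL check are the standard Windows key-storage folders.

```powershell
# Added example, not Archer's own tooling: check a LocalMachine\My certificate against the
# field-encryption requirements and print its thumbprint for the KEK Certificate Thumbprint field.
# Run elevated on each Web Server and Services Server. $Subject and $ServiceAccount are assumptions.
param(
    [Parameter(Mandatory)] [string] $Subject,
    [string] $ServiceAccount = 'NT AUTHORITY\SYSTEM'   # Local System; replace with your custom service account
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$Subject' in LocalMachine\My" }

$findings = New-Object System.Collections.Generic.List[string]
if (-not $cert.HasPrivateKey)      { $findings.Add('no private key') }
if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("expired on $($cert.NotAfter)") }

$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$pub = $ext::GetRSAPublicKey($cert)
if (-not $pub)                  { $findings.Add('not an RSA certificate') }
elseif ($pub.KeySize -ne 2048) { $findings.Add("key size is $($pub.KeySize), not 2048") }

# Locate the on-disk private key so its ACL can be inspected; CNG and legacy CSP keys live in different folders.
$keyFile = $null; $exportable = $null
if ($cert.HasPrivateKey) {
    $priv = $ext::GetRSAPrivateKey($cert)
    if ($priv -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($priv.Key.UniqueName)"
        $exportable = [bool]($priv.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
    } elseif ($priv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($priv.CspKeyContainerInfo.UniqueKeyContainerName)"
        $exportable = $priv.CspKeyContainerInfo.Exportable
    }
    if ($exportable -eq $false) { $findings.Add('private key is not exportable') }
}

# IIS_IUSRS and the service account both need Read on the key file; otherwise "Keyset does not exist" is logged.
if ($keyFile -and (Test-Path $keyFile)) {
    $acl = Get-Acl $keyFile
    foreach ($account in @('BUILTIN\IIS_IUSRS', $ServiceAccount)) {
        $hasRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
        }
        if (-not $hasRead) { $findings.Add("$account has no Read access to $keyFile") }
    }
} elseif ($cert.HasPrivateKey) { $findings.Add('could not locate the private key file to check its ACL') }

"Thumbprint: $($cert.Thumbprint)"
if ($findings.Count) { 'NOT READY:'; $findings | ForEach-Object { " - $_" } } else { 'Certificate meets the listed requirements.' }
```

Because encryption cannot be disabled once enabled, resolve every reported finding and back up the certificate with its private key before clicking Save.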