Encrypting File System

NOTICE

This information is provided as is with no warranty or liability on the part of AlphaTrust, LLC. USE AT YOUR OWN RISK. Use of data encryption technologies can result in the complete loss of access to data should the encryption keys become lost or otherwise unavailable, and perhaps due to other causes. This information relates to technologies provided by Microsoft Corporation and is not related in any way to software or services provided by AlphaTrust, LLC.

Overview

To secure data processed by AlphaTrust® e-Sign, you can use the Encrypting File System (EFS) built into Microsoft Windows Server to protect certain file-based data.

Single vs. Multi Server

These instructions assume you have installed AlphaTrust® e-Sign on a single server, are using a local file store for the data directories, and have a locally installed SQL Server instance named MSSQLSERVER.

If you are setting up a Web-farmed instance (two or more servers) connected to shared file storage (i.e. SAN storage) and to a remote SQL Server instance, the same principles apply; however, you will need to use the same EFS keys and certificates (keysets), that is, the service account's EFS keyset and the ProntoDRA DRA keyset, on all servers. If you choose to encrypt the SQL Server data files on the remote SQL Server, you will need to manage that separately.

Using EFS

EFS can be used to encrypt the two folders (and their sub-folders) where document data resides, as well as the SQL Server data files:

  1. The \AlphaTrust\Pronto\DB\ folder,
  2. The \AlphaTrust\Pronto\Images\ folder, and
  3. The files which have been defined to hold the Pronto and Pronto_ProcessTemplates databases. These are the .mdf, .ndf (optional), and .ldf files. The default location for these files is: \Program Files\Microsoft SQL Server\(MSSQL_VersionSpecificNumber)\MSSQL\Data\
  4. If you are running SQL Server on the same local machine as AlphaTrust® e-Sign (single server instance), you can encrypt the entire Data directory for this local SQL instance, because you will configure the local SQL instance to run as the ProntoServer service account, which is tied to an EFS encryption certificate.

These folders and files will be encrypted using the public key from a digital certificate generated by Windows Server. The data will be decrypted with the corresponding private key matched to one or more of these digital certificates.

Key concept

The primary AlphaTrust® e-Sign software components run as IIS Application Pools. During setup, these application pools are configured to run in the security context of (i.e. under the account of) the localMachine service user account. Additionally, the AlphaTrust® e-Sign Service, along with 11 other Windows services prefixed by AlphaTrust, also runs as the service user account.

Important

If you will be using EFS to encrypt the SQL Server Pronto data files, all of the SQL Server… Windows services must also run as the service user account. These services typically include:

  • SQL Server (MSSQLSERVER)
  • SQL Server Agent (MSSQLSERVER)
  • SQL Server Browser
  • SQL Server VSS Writer

ONLY the service account will have access to the encrypted files. The only way to have manual access to these files is to log in as the service account, or access the files over a network connected as the service account. As an additional safety precaution you must also use an EFS Data Recovery Agent.

Normally you would have server administration performed by another account. When logged into an Administrator account that is not the service account, these files will be visible and listable, but they cannot be read because they are encrypted (unless that account is an EFS recovery agent).

CRITICAL

Once the EFS digital certificates and private keys are created, you MUST store the password-protected PFX files that are generated. You must then store these files in an absolutely safe place. For example, burn them to CD and store it in a bank safe deposit box. Better yet, make multiple permanent copies and store them in geographically diverse safe locations. In the event of server failure, corruption, etc., you must have these keys in order to decrypt your data files (which you will have backed up; the backed-up files are still encrypted). Instructions for creating these PFX files are covered in this document. Your data will be unrecoverable without these keys.

Assumptions:

  • AlphaTrust® e-Sign is properly installed and functioning correctly on Windows Server 2012 R2 or a later supported OS, and the data files are local to the server and not on a remote machine.
  • The server is a stand-alone server, and not part of a domain.
  • The service account is a localMachine account and a member of the local machine Administrators group.

EFS Setup Instructions

IMPORTANT

In the steps below, the service account used by the AlphaTrust® e-Sign software will be referred to as ProntoServer.

  1. Familiarize yourself with the EFS documentation. Search for "EFS" in Help and Support for Windows Server, or search online for "Windows Server Encrypting File System".
  2. Create two new local machine accounts and make them members of the Administrators group:
    • Account name = ProntoAdmin. The ProntoAdmin account is the account you should use for normal server administrative functions. Unless you have a very good reason, you should not normally log in as the ProntoServer account after the system is set up and operational. The ProntoServer account will have full access to all files protected by EFS; the ProntoAdmin account will not have this local file access.
    • Account name = ProntoDRA. The ProntoDRA account is used to create the Data Recovery Agent keyset and can be used to recover encrypted data using the DRA keyset. You will not use this account for normal administrative work. The ProntoDRA account will not have access to files protected by EFS unless you install the DRA private key, which will be created in a later step.
  3. Log in locally as the newly created ProntoDRA account.
  4. Stop the "AlphaTrust® e-Sign Service" and stop the "Windows Process Activation Service". This will also stop the services that depend on the Windows Process Activation Service.
  5. Open an administrative command prompt and change directories to the \AlphaTrust\Pronto\ directory.
  6. Generate the Data Recovery Agent keyset:
    • Enter: cipher /r:ProntoDRA
    • Enter a password to protect the keyset file (PFX file). It should be at least 12 characters long to protect against brute force attacks.
    • Re-enter the password to confirm.
    • The cipher tool will generate a certificate file named ProntoDRA.cer and a keyset file named ProntoDRA.pfx.
  7. Copy the ProntoDRA.pfx file off the server and archive it securely along with its password. If you ever need to recover the data from the server, this file may be your only hope.
  8. After safely archiving the ProntoDRA.pfx file and password, delete the PFX file from the server, but leave the ProntoDRA.cer file.
  9. Under Administrative Tools, open Local Security Policy. Navigate to Security Settings, Public Key Policies, Encrypting File System. Right-click and select Add Data Recovery Agent….
  10. Step through the wizard, browse to and select the \AlphaTrust\Pronto\ProntoDRA.cer file.
  11. You may receive a warning about adding the Recovery Agent certificate. Click Yes, Next, Finish.
  12. You should now see the recovery agent certificate listed.
  13. Files will now be encrypted using both the data recovery agent certificate as well as the ProntoServer account EFS certificate that you will create below.
  14. Log out of the ProntoDRA account and log in as the ProntoServer account.
  15. Be sure that the AlphaTrust® e-Sign Service is stopped as well as the Windows Process Activation Service.
  16. Open an administrative command prompt and change directories to the \AlphaTrust\Pronto\ directory.
  17. Enter cipher /k at the command prompt. This creates the ProntoServer account's EFS keyset.
  18. Enter cipher /x ProntoEFS.pfx at the command prompt and click OK to approve backing up this keyset:
    • Enter a password to protect the keyset file (PFX file). It should be at least 12 characters long to protect against brute force attacks.
    • Re-enter the password to confirm.
    • This will generate a keyset file named ProntoEFS.pfx.
  19. Copy the ProntoEFS.pfx file off the server and archive it securely along with its password. If you ever need to recover the data from the server, this file may be your only hope. Note: you should be able to recover encrypted files by re-installing either the ProntoDRA.pfx keyset or the ProntoEFS.pfx keyset.
  20. After safely archiving the ProntoEFS.pfx file and password, delete the PFX file from the server. It is a backup file only: the private key and public key certificate exist within the ProntoServer user account data. The public key is used to encrypt files and the private key is used to decrypt them. This happens automatically and is managed by Windows whenever protected files are accessed.
  21. Next, encrypt the two folders used to store documents and related data files.
  22. While still at the \AlphaTrust\Pronto\ directory in the command prompt window, enter cipher /e /a /b /s:DB
    • This sets the DB directory to require files to be encrypted and encrypts all the current files and folders.
    • Check the output to make sure there are no error messages.
  23. While still at the \AlphaTrust\Pronto\ directory in the command prompt window, enter cipher /e /a /b /s:Images. This will encrypt the Images folder.
  24. If you wish to encrypt the Pronto database files, make sure all SQL Server… Windows services are running as the ProntoServer account:
    • Stop all SQL Server services.
    • Using the Services management console, change the log on account under the Log On tab to the ProntoServer account. You must also enter the account's password; HOWEVER, this tool does not check that the password is correct, so take extra care when entering it.
    • Repeat this for all SQL Server services.
  25. Ensure that all files in the Data directory (or in every directory containing SQL data files that you wish to encrypt) have security permissions set to allow, at a minimum, Full Access by Administrators and the ProntoServer account. You will likely need to change the permissions to meet this requirement. The screen shot below shows setting permissions on the Data folder and forcing the replacement of all child object permissions.
  26. Encrypt the database files you wish to encrypt. At a minimum these should be the database and log files defined for the Pronto database and the Pronto_ProcessTemplates database. These are, by default, named:
    • Pronto.mdf
    • Pronto_log.ldf
    • Pronto_ProcessTemplates.mdf
    • Pronto_ProcessTemplates_log.ldf
      • Example: Encrypt all files in the Data folder using the Cipher.exe tool:
        • Open an administrative command prompt and change directories to the directory containing the Data folder, which is usually the MSSQL folder.
        • Enter cipher /e /a /b /s:Data.
      • Example: Encrypt all files in the Data folder using File Explorer:
        • Open File Explorer
        • Navigate to the …\MSSQL\ folder
        • Right click on the Data folder and select Properties.
        • In the General tab click Advanced…
        • Check the box Encrypt contents to secure data. The Details button will show the encryption and data recovery certificates to be used.
        • Click OK
        • Select the option: Apply changes to this folder, subfolders, and files.
        • Click OK
  27. Your data is now encrypted and new data added to these directories will be encrypted.
  28. Reboot the server to startup all services.
  29. Check the Windows Application Log for any errors reported by ProntoServer or SQL Server. Run the installation tests to ensure new transactions can complete correctly.
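The procedure above leaves several things to verify by hand (steps 8, 20, 22, 23, 24, 25 and 27). The following PowerShell script is an added post-setup check, not part of the AlphaTrust documentation or product. It assumes the default paths used on this page on drive C:, a placeholder for the version-specific SQL Server folder, and that the SQL services use the local ProntoServer account; it confirms that the DB, Images and Data folders carry the Encrypted attribute on every item, that cipher /c lists the ProntoDRA recovery agent on an encrypted file, that the SQL Server… services log on as ProntoServer, that the Data folder ACL grants Full Control to Administrators and ProntoServer, and that no PFX backup was left on the server.

```powershell
# Post-setup verification for the EFS procedure above (added example, not AlphaTrust's code).
# Assumptions: install on drive C:, the placeholder SQL version folder below, local account names as on this page.
$ProntoRoot     = 'C:\AlphaTrust\Pronto'
$SqlDataDir     = 'C:\Program Files\Microsoft SQL Server\(MSSQL_VersionSpecificNumber)\MSSQL\Data'  # replace placeholder
$ServiceAccount = 'ProntoServer'
$DraName        = 'ProntoDRA'

function Test-FolderEncrypted {
    param([string]$Path)
    # After cipher /e /a /b /s:<dir>, every file and sub-folder should carry the Encrypted attribute.
    $plain = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction Stop |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
    foreach ($item in $plain) { Write-Warning "Not encrypted: $($item.FullName)" }
    return (@($plain).Count -eq 0)
}

function Test-RecoveryAgentListed {
    param([string]$Path, [string]$Agent)
    # cipher /c prints the users and recovery certificates able to decrypt a file; we only check that
    # the DRA's name appears (assumption: the cert created by cipher /r:ProntoDRA carries that name).
    $sample = Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object -First 1
    if (-not $sample) { Write-Warning "No encrypted file found under $Path"; return $false }
    $listing = & cipher.exe /c $sample.FullName | Out-String
    return ($listing -match [regex]::Escape($Agent))
}

function Test-ServiceLogon {
    param([string]$DisplayNamePattern, [string]$Account)
    # Win32_Service.StartName is '.\<user>' for a local account (assumption: services use the local account).
    $wrong = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.StartName -ne ".\$Account" }
    foreach ($svc in $wrong) { Write-Warning "$($svc.DisplayName) runs as '$($svc.StartName)', expected .\$Account" }
    return (@($wrong).Count -eq 0)
}

function Test-NoPfxLeftOnServer {
    param([string]$Path)
    # Steps 8 and 20 require the PFX backups to be removed from the server once archived off it.
    $pfx = Get-ChildItem -Path $Path -Filter *.pfx -Recurse -File
    foreach ($f in $pfx) { Write-Warning "PFX backup still on server: $($f.FullName)" }
    return (@($pfx).Count -eq 0)
}

function Test-FullControl {
    param([string]$Path, [string[]]$Identities)
    # Step 25: Administrators and the service account need Full Control on the SQL data folder.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    $ok   = $true
    foreach ($id in $Identities) {
        $rule = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$id" -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if (-not $rule) { Write-Warning "$id lacks Full Control on $Path"; $ok = $false }
    }
    return $ok
}

$results = [ordered]@{
    'DB folder encrypted'                 = Test-FolderEncrypted -Path (Join-Path $ProntoRoot 'DB')
    'Images folder encrypted'             = Test-FolderEncrypted -Path (Join-Path $ProntoRoot 'Images')
    'DRA listed on an encrypted file'     = Test-RecoveryAgentListed -Path (Join-Path $ProntoRoot 'DB') -Agent $DraName
    'SQL services run as service account' = Test-ServiceLogon -DisplayNamePattern 'SQL Server*' -Account $ServiceAccount
    'No PFX backups left on server'       = Test-NoPfxLeftOnServer -Path $ProntoRoot
}
if (Test-Path -Path $SqlDataDir) {
    $results['SQL Data folder ACL']       = Test-FullControl -Path $SqlDataDir -Identities 'Administrators', $ServiceAccount
    $results['SQL Data folder encrypted'] = Test-FolderEncrypted -Path $SqlDataDir
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it from an administrative PowerShell prompt while logged in as ProntoServer (step 14 onward), after the reboot in step 28; a FAIL on the "DRA listed" line means files were encrypted before the recovery agent policy in step 9 took effect and would only be recoverable with the ProntoEFS.pfx keyset.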

Recovering Encrypted Data

  1. On a new Windows Server installation that matches the OS of the presumably lost server, create two localMachine accounts called ProntoServer and ProntoDRA and make them members of the Administrators group.
  2. Log in locally as the ProntoServer account.
  3. Copy the saved ProntoEFS.pfx file to this server and double-click it to launch the Certificate Import Wizard. Accept all default settings, except choose "Mark this key as exportable", and complete the wizard.
  4. Restore all encrypted files to the local machine from backup, ensuring that the ProntoServer account, the SYSTEM account, and the Administrators group have Full Access to the files and directories.
  5. You should now be able to access them.
  6. If needed, you can repeat this process by logging in as the ProntoDRA account and using the ProntoDRA.pfx file.
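The recovery steps above, carried out from PowerShell instead of the wizard and File Explorer, as an added example that is not AlphaTrust's code. It assumes the PFX backup has been copied to C:\Recovery\ProntoEFS.pfx, that the backup was restored under C:\AlphaTrust\Pronto, and that you are logged in as the account whose keyset you are importing (ProntoServer for ProntoEFS.pfx, ProntoDRA for ProntoDRA.pfx). Import-PfxCertificate with -Exportable corresponds to the "Mark this key as exportable" choice in step 3, icacls grants the step 4 permissions, and the final read actually opens an encrypted file, which fails with access denied if the imported key does not match the file's EFS or DRA certificate.

```powershell
# Recovery of EFS-protected AlphaTrust data from a PFX backup (added example, not AlphaTrust's code).
$PfxPath        = 'C:\Recovery\ProntoEFS.pfx'   # assumption: where the archived keyset was copied to
$RestoreRoot    = 'C:\AlphaTrust\Pronto'        # assumption: where the backed-up files were restored
$ServiceAccount = 'ProntoServer'

# 1. Import the keyset into the current user's personal store, keeping the private key exportable
#    (the same choice as "Mark this key as exportable" in the Certificate Import Wizard).
$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
            -Password $password -Exportable
Write-Host "Imported certificate $($cert.Thumbprint) ($($cert.Subject))"

# 2. Grant the accounts named in step 4 Full Control on the restored tree; (OI)(CI) makes the
#    grant inherit to files and sub-folders, /T walks the tree, /C continues past errors.
foreach ($id in @($ServiceAccount, 'SYSTEM', 'Administrators')) {
    & icacls.exe $RestoreRoot /grant "${id}:(OI)(CI)F" /T /C | Out-Null
}

# 3. Prove decryption works by opening and reading from the first encrypted file rather than
#    only listing it; the open fails with access denied when the key does not match.
$encrypted = Get-ChildItem -Path $RestoreRoot -Recurse -File |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
$sample = $encrypted | Select-Object -First 1
if (-not $sample) { Write-Warning "No encrypted files found under $RestoreRoot"; return }
try {
    $stream = [System.IO.File]::OpenRead($sample.FullName)
    try {
        $buffer = New-Object byte[] 16
        $null = $stream.Read($buffer, 0, $buffer.Length)
    } finally {
        $stream.Dispose()
    }
    Write-Host ('Decryption OK: read {0} ({1} encrypted files under {2})' -f
        $sample.FullName, @($encrypted).Count, $RestoreRoot)
} catch {
    Write-Error "Cannot read $($sample.FullName): the imported key does not match this file's EFS or DRA certificate"
}
```

Because EFS decrypts transparently for the account holding the private key, success here means every file encrypted to that certificate (or, for ProntoDRA.pfx, every file encrypted while the recovery agent policy was in place) is readable again; ProntoServer can then be configured as the service account exactly as in the setup section.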