This topic contains 3 replies, has 2 voices, and was last updated by Florent 2 years, 2 months ago.
January 1, 2017 at 22:28 #5073
I read the answer to “Does AxCrypt support password recovery for corporate use?” in your FAQ and I have a suggestion.
This is quite an important feature and not one resolved by having backups of the encrypted data. It’d be impossible for us to back up the unencrypted data. On the other hand backing up the encrypted data would put us back to square one – i.e. all the data but no password!
An employee may quit and then claim that he has forgotten his password whereas if he were to delete his files it’d be obvious and provable sabotage.
Your FAQ says: “There are enterprise solutions that do implement functionality like this, but the most common reason to use AxCrypt is because of its simplicity to implement. Enterprise solutions demand quite a bit of infrastructure, maintenance and can be quite complex to install.”
I’ve seen a very similar function implemented which is very simple. PKWARE have what they call a ‘contingency key’ when using their SecureZIP Enterprise software. It’s a very simple concept – the administrator creates a master key and deploys it via a policy editor. AxCrypt might go even simpler and allow the sysadmin to sideload the master key into the software before using an MSI to install the software.
Every file the user encrypts in SecureZIP is encrypted with any one, or combination of, the following:
- Simple password
- X.509 certificate
However, SecureZIP detects there is a contingency key set and also encrypts the file with that. Thus if/when an employee quits his files can still be decrypted using the contingency key.
“Yes, SecureZIP Enterprise Edition supports using OpenPGP keys as policy-enforced contingency keys when creating OpenPGP encrypted files. Only OpenPGP keys can be used for encrypting OpenPGP files. Both X.509 and OpenPGP keys can be used when creating encrypted .ZIP files. When using OpenPGP keys as contingency keys, make sure you are using SecureZIP version 14.20.0015 or newer.”
It wouldn’t reduce the security of AxCrypt as it’d only apply to enterprises, it’d be very simple to implement an equivalent scheme and you could also have an always visible information box in the software to warn users that the company is using a master key and that they shouldn’t encrypt their personal files.
This would make AxCrypt much more attractive to companies.
January 1, 2017 at 22:37 #5075
Or maybe just include an option on a corporate version of AxCrypt to forcibly share the file with a pre-determined administrator and make that email address un-editable to the end user!
Simple solution.
January 1, 2017 at 22:39 #5076
You’re quite right – and the FAQ you’re referring to is outdated. AxCrypt 2 has all the basic technology in place for key recovery (AxCrypt 2 works very similarly to how SecureZip does in this regard, where we have a public key based system for sharing of encrypted files. This can ‘easily’ be extended for key recovery.) It’s scheduled to be released in 2017 along with other business-related functionality.
January 1, 2017 at 22:52 #5078
This is excellent news.
We currently only have a handful of our systems which still use SecureZIP because our biggest client whom we used the software with has moved towards an encrypted cloud system which means we, and their other suppliers, can now upload and download files with them directly without us needing to email our work to them.
Internally we are looking at a cheap encryption system as we only have 9 staff and AxCrypt would suit us as 216 € per annum is quite cheap. It’ll simplify things once a master key mechanism is installed in case one of the staff forgets his password or leaves the business.
Thank you for your quick reply. :-D
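
The contingency-key idea discussed in this thread, sketched as an added example (not code from this thread, AxCrypt or SecureZIP): the file is encrypted once under a random file key, and that key is wrapped separately for each recipient, with the administrator's key always included by policy. The names `seal`, `open`, `policy.contingencyPublicKey` and the `contingency` slot label are hypothetical, and RSA-OAEP with AES-256-GCM is an assumed choice, not either product's file format.

```javascript
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const RECOVERY_SLOT = 'contingency'; // hypothetical reserved slot name

// Encrypt the data once under a random file key, then wrap that key for each
// recipient. The policy's contingency key is always added, and a user-chosen
// recipient cannot take over its slot label.
function seal(data, userRecipients, policy) {
  if (Object.keys(userRecipients).includes(RECOVERY_SLOT)) {
    throw new Error('recipient label collides with the reserved recovery slot');
  }
  const fileKey = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', fileKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  const recipients = { ...userRecipients, [RECOVERY_SLOT]: policy.contingencyPublicKey };
  const slots = {};
  for (const [label, key] of Object.entries(recipients)) {
    slots[label] = nodeCrypto.publicEncrypt({ key, ...OAEP }, fileKey);
  }
  return { nonce, ciphertext, tag: cipher.getAuthTag(), slots };
}

// Unwrap the file key from one slot with that recipient's private key, then
// decrypt. A wrong private key fails at the OAEP step; tampered ciphertext
// fails GCM's tag check in final().
function open(envelope, label, privateKey) {
  const slot = envelope.slots[label];
  if (!slot) throw new Error(`no key slot for ${label}`);
  const fileKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, slot);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', fileKey, envelope.nonce);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Constructed demo: the employee's key and the admin's contingency key both open the file.
function demo() {
  const gen = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [employee, admin] = [gen(), gen()];
  const envelope = seal(Buffer.from('Q3 payroll (constructed sample)'),
    { employee: employee.publicKey }, { contingencyPublicKey: admin.publicKey });
  return [open(envelope, 'employee', employee.privateKey),
    open(envelope, RECOVERY_SLOT, admin.privateKey)].map(String);
}
```

The recovery private key never has to sit on employee machines: only the public half is deployed by policy, so the private half can stay offline with the administrator.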