H
H
Hideez Authentication Service (EN)
Search…
H
H
Hideez Authentication Service (EN)
v3.11
Hideez Authentication Service for Enterprises
Quick Start Guides
Key features of the Hideez Authentication Service in 5 minutes
Admin Guide (first steps)
Admin Guide (advanced steps)
User Guide – first steps with the Hideez Client
User Guide – first steps with the Hideez Client (for PCs without internal Bluetooth)
User Guide (advanced steps with the Hideez Client)
FIDO2 and U2F Authentication Guide
Guide for Pilot projects
Use cases
End user Use cases
Admin cases
Hideez Enterprise Server
Glossary
Deployment
Administration
How to change the password for an administrator account?
How to recover a forgotten admin password?
Adding an admin account
Deleting an admin account
How to enable two-factor authentication at the Hideez Enterprise Server?
Authorization on the HES server via a FIDO key
Platform authentication on the HES server
Connecting Linux server to Active Directory
Setting HES server parameters
Configuring DNS server
How to create and set Device Access Profiles
How to manage companies and departments?
How to manage Positions?
Enable load balancing
Data Protection
Dashboard
Employees
Workstations
Hardware Vaults
Accounts
Keys Management
Audit
Licenses
Configuring SAML Protocol
Hideez Client App
Windows Client deployment
Application interface
Account management
Shortcuts
Remote Vault connection
Experimental settings section
Mobile Authenticator
Troubleshooting
Hideez Key (Enterprise Edition)
Technical Specifications
Principles of operation
Device Layout
Battery maintenance
Hideez Key modes
How to update the Hideez Key (Enterprise) firmware
How to enter credentials with the Hideez Key
How to unlock PC
Key for Physical doors
Product Updates
Hideez Authentication Service Update
Hideez Key firmware updates
Hideez Client updates
API
Hideez Enterprise Server web API
FAQ
Hideez Enterprise Server
Hideez Key
Documentation portal
Powered By GitBook
Data Protection
Hideez Enterprise Server – Data protection

What is the purpose of Data Protection?

Data Protection solves the problem of secure data storage in the database (DB).

What confidential data is stored in the DB?

The database stores Device Keys – encryption keys that provide access to the information stored on the Security Key. Passwords and OTP Secrets that are awaiting transfer to devices are also temporarily stored in the DB. Passwords to the “Shared Account” are permanently stored in the database. If Data Protection is turned off, all passwords and keys are stored in plain text. If you have a Device Key and the device itself, you can read all the content of the Security Key memory.

Do I need to enable Data Protection?

First of all, you need to evaluate which employees have a direct to potential access to the server database. If some of them should not have access to the sensitive data listed above than Data Protection must be enabled. Please also note, that the data can be physically read from the HDD/SDD on which it is stored. It is necessary to consider the possibility of both software and physical access to the data. In some cases, for example, if the web application and the database server are running on the same physical server that can be accessed by a limited number of trusted people, then Data Protection can be omitted.

How does it work?

All the confidential fields in the DB are encrypted using the AES-256 algorithm.
The master encryption key is stored in the DB. To protect the master key itself it is encrypted by the certificate installed in the system. You can generate a new certificate file in .pfx format on this page or use an existing one. The master key is decrypted at server startup and stored in the server’s RAM. If the server reboots the master key is loaded from the DB and decrypts using the installed certificate. Other protected data decrypts on the fly by the master key.
At any time, the certificate can be replaced.

Risks and best practices

The main risk of Data Protection use is the loss of the certificate. In such a case, you lose access to the encrypted data on the server, as well as access to all the data on all of your Security Keys. All the devices will have to undergo manual reset procedure with full memory wipe, and then to be bonded again with the employees. All the accounts should be added to the devices from scratch. Therefore, we recommend that the Data Protection certificate and the password for its private key should be backed up.
If for some reason you lose your HES server, but you have a database backup, then you can restore the server only if you have a data protection certificate and a password for its private key.
If the certificate backup or the password to it has been lost, but the server continues to operate normally, then you can install another certificate and re-encrypt the data.
It is recommended to use multiple servers (primary and backup). In this case, the certificate must be installed on each of them and the risk of losing it will be minimal.
An update of the Data Protection certificate should be done according to the company’s information security regulations.
Previous
Enable load balancing
Next - Hideez Enterprise Server
Dashboard
Last modified 11d ago
Copy link
Contents
What is the purpose of Data Protection?
What confidential data is stored in the DB?
Do I need to enable Data Protection?
How does it work?
Risks and best practices