Understanding the effects of software data encryption

The disk subsystems used by Meridian should be as fast as possible. Third-party programs and Windows itself (BitLocker, for example) support data encryption for additional security. However, software data encryption adds overhead to the computer CPUs that will reduce Meridian performance. When Meridian application server security is properly configured as described elsewhere in this guide, direct access to the Meridian stream files (document content) is only permitted for server administrators, the same persons who would administer the data encryption software and have access to unencrypted files. Casual misuse of the Meridian stream files is also obstructed by the fact that the stream folders have 4- or 8-character hexadecimal names, for example, 3D0C or 1FF20BD3, and the document content files all use the same counterintuitive file name with variable 3-character hexadecimal file extensions, for example, CONT.3D2.

All other access to vault documents is only possible through authentication by the Meridian client software and application of the vault security roles. The same is true for the Meridian vault metadata stored in Hypertrieve, SQL Server, or Oracle. Therefore, software data encryption provides no useful additional security and should not be used on folders containing the Meridian database or stream files.

Note    If Local Workspace is enabled, working copies of documents also reside there on the client computers and these principles and guidelines also apply.

Meridian is not routinely tested with software encryption products. However, if software data encryption is a system requirement, it can be accomplished by following these guidelines:

• Configure the EDM Server service to run under the same account as the account whose Encrypting File System (EFS) certificate is used to encrypt the files. Or vice versa: use the EFS certificate of the EDM Server service account to encrypt the files. Otherwise, security of the documents will not work correctly.
• Add the EFS certificates of any other accounts under which Meridian services or administrative applications access the files, for example, the tools in the Vault Consistency Toolkit, vault recovery tool, and so on. Otherwise, the documents may not be accessible, particularly in the case of a critical system failure.
• Exclude the vault database files from encryption. Rely on the security of the database management system instead.
• Ensure that passwords for the encryption accounts either are not changed or are updated immediately in the properties of the services that access the files.
• Back up the EFS certificates that are used to encrypt the files in a safe place. If a certificate is lost or becomes corrupted, access to documents will be lost.