Protect data using encryption

Introduction

The Encrypt data at rest feature provided by the Control Panel allows you to ensure the security of sensitive data on your portal.

Encryption is a reversible transformation of information that preserves the confidentiality of the data stored on disk. Thus, even if intruders managed to gain access to the data stored on the hard disk, they would not be able to read it, since it is encrypted.

Encryption is based on an Encrypt-then-MAC construction (AES-256-CBC + HMAC-SHA256) applied to the entire body of data within the ONLYOFFICE instance and complies with the AES-256 international data encryption standard. The symmetric AES-256 algorithm in CBC mode (CipherMode.CBC) is used to encipher the data on the portal, while the SHA256 hash function combined with an HMAC message authentication code verifies the integrity and authenticity of the encrypted data.

This feature is available only for server versions.

Prepare for the encryption process

Before starting the encryption procedure, you must perform some preliminary steps.

  1. Manually stop the services that make changes to the files stored on disk.

    For Docker (within the CommunityServer container):

    systemctl stop onlyofficeMail*
    systemctl stop onlyofficeThumbnailBuilder.service

    For Linux:

    sudo service onlyofficeMail* stop
    sudo service onlyofficeThumbnailBuilder stop

    For Windows:

    Go to Control Panel -> Administrative Tools -> Services and stop the following services: ONLYOFFICE Mail Watchdog, ONLYOFFICE Mail Imap, ONLYOFFICE Mail Cleaner, ONLYOFFICE Mail Aggregator, ONLYOFFICE Thumbnail Builder. To do that, right-click the service and choose Stop.

  2. Sign in to your portal and click the Control Panel icon on the Start Page. Alternatively, you can go to the portal Settings and select the Control Panel link on the left-side panel.
  3. Switch to the Backup section and backup data.
  4. Disable the Automatic Data Backup feature.
  5. Select the Local storage option for both Connect storage for static data and Connect storage as CDN.
    The Encrypt data at rest feature works only with local storage.
  6. Make sure there is enough space on your hard drive.

After the preliminary preparations are ready, you can proceed to the next step.

Encrypt storage

  1. Switch to the Storage section in the Control Panel.
  2. Check the Notify users that the portal will be unavailable checkbox to notify all active users via email when the encryption process starts.
    Upon the successful completion of the encryption process, all active users will also receive email notifications. If an error occurs during the encryption process, then all administrators (regardless of the Notify users option) will receive email notifications of the unsuccessful encryption process.
  3. Click the Encrypt storage button and then OK to launch the encryption process.

The time required to complete the procedure depends on the data volume. All portals will be unavailable during the encryption process. As soon as the encryption is over, the portal data will be available for work.

Note that when encryption is enabled, any newly created backup copy of the data archive contains the files in decrypted form. When such a copy is restored, the files are encrypted on the disk again.

You will also need to manually start the services that make changes to the files stored on disk.

For Docker (within the CommunityServer container):

systemctl start onlyofficeMailAggregator.service
systemctl start onlyofficeMailCleaner.service
systemctl start onlyofficeMailImap.service
systemctl start onlyofficeMailWatchdog.service
systemctl start onlyofficeThumbnailBuilder.service

For Linux:

sudo service onlyofficeMailAggregator start
sudo service onlyofficeMailCleaner start
sudo service onlyofficeMailImap start
sudo service onlyofficeMailWatchdog start
sudo service onlyofficeThumbnailBuilder start

For Windows:

Go to Control Panel -> Administrative Tools -> Services and start the following services: ONLYOFFICE Mail Watchdog, ONLYOFFICE Mail Imap, ONLYOFFICE Mail Cleaner, ONLYOFFICE Mail Aggregator, ONLYOFFICE Thumbnail Builder. To do that, right-click the service and choose Start.

Decrypt storage

To decrypt data on the portal:

  1. Manually stop the services that make changes to the files stored on disk as described above.
  2. Switch to the Storage section in the Control Panel.
  3. Check the Notify users that the portal will be unavailable checkbox to notify all active users via email when the decryption process starts.
    Upon the successful completion of the decryption process, all active users will also receive email notifications. If an error occurs during the decryption process, then all administrators (regardless of the Notify Users option) will receive email notifications of the unsuccessful decryption process.
  4. Click the Decrypt storage button and then OK to launch the decryption process.

The time required to complete the procedure depends on the data volume. All portals will be unavailable during the decryption process. As soon as the decryption is over, the portal data will be available for work.

You will also need to manually start the services that make changes to the files stored on disk as described above.
