Chrometa is not just a time-tracking software service but also acts as a technology partner, offering information security and governance, essential for any industry. Companies that monitor their work on behalf of clients must adhere to federal compliance standards. Chrometa enables firms, including those serving regulated clients like banks, to meet the necessary cryptography standards for content storage and archiving.
Encryption Key Management (EKM)
In response to growing concerns about data security and privacy, Chrometa has developed advanced encryption technology. High-profile cases around international data privacy have prompted organizations to focus on encryption and the risks tied to data access by governments, courts, or regulatory bodies.
Unique Encryption Key per Object
As a secure cloud-based service, Chrometa encrypts digital files with AES-256 and decrypts them only on demand for indexing, viewing, editing, or emailing. This is different from self-encrypting disks and other full-disk encryption, which protect data only while the media is powered off or removed: once the system is running, anyone with administrative access to the storage sees the files in the clear, and the network path is not covered at all. Chrometa's software-based, per-file encryption keeps file contents hidden from storage and network administrators, which disk-level hardware encryption alone cannot do.
Each time entry uploaded to or created in Chrometa is encrypted under its own AES-256 Object Encryption Key (OEK). The encrypted entry is written to the Object Store; the OEK is stored separately, in a key database kept apart from the data it protects. Time records and the items they reference (documents, emails, records) are protected both in transit (TLS) and at rest.
OEKs are themselves encrypted under a Master Encryption Key (MEK), so a stored OEK is never held in the clear. MEKs live in a dedicated Hardware Security Module (HSM) with restricted access, and the HSM serves as the root of trust for the whole key hierarchy.
Customer-Managed Encryption Keys
OEKs can also be encrypted with customer-managed encryption keys (CMEK), held either in Chrometa's HSM or in the customer's own HSM. An HSM is a dedicated physical device that generates and stores keys and performs cryptographic operations with them without exposing the key material.
Encryption Key Management is a paid add-on, available at the repository level. Chrometa's advanced key management features, released in June 2021, allow clients to control encryption for sensitive documents or data governed by compliance or regulatory policies.
Chrometa’s next-generation encryption system includes up to three unique encryption keys per file. Firms can control keys for sensitive data, elevating platform security beyond what individual firms can typically provide.
The keys managed by Chrometa include:
- Object Encryption Key (OEK)
- Master Encryption Key (MEK)
- Customer-Managed Encryption Key (CMEK)
OEKs are encrypted with the MEK and, optionally, with a CMEK that the customer controls and can revoke; once a CMEK is revoked, the OEKs wrapped under it, and therefore the objects they protect, can no longer be decrypted. All keys are generated with a hardware quantum random number generator (QRNG) rather than a software pseudo-random generator.
By drawing key material from a QRNG, Chrometa uses a physical entropy source for key generation instead of a deterministic algorithm seeded by the host, which is what the strength of an AES-256 key ultimately rests on.
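The key hierarchy described above (one OEK per entry, the OEK wrapped by the MEK and optionally by a CMEK, and revocation by withdrawing the CMEK) as an added illustration in Go. This is not Chrometa's code: it assumes AES-256-GCM for both the data and the key wrapping, nests the CMEK wrap outside the MEK wrap (the page only says the OEK is encrypted with "both"), uses crypto/rand in place of the QRNG, models each HSM as an in-memory map, and the key IDs and time entry are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes stands in for the page's hardware QRNG; an entropy failure halts rather than yields a weak key.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a nil key (never issued, or revoked) fails here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM giving nonce || ciphertext || tag; aad (the object ID) is authenticated.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad) // fails on wrong key, tampering, or a moved blob
	}
	return nil, fmt.Errorf("truncated blob")
}

// HSM models a key holder (Chrometa's for MEKs, the customer's for CMEKs); callers never see key bytes.
type HSM map[string][]byte
func (h HSM) Revoke(id string)                                { delete(h, id) }
func (h HSM) Wrap(id string, k, aad []byte) ([]byte, error)   { return seal(h[id], k, aad) }
func (h HSM) Unwrap(id string, b, aad []byte) ([]byte, error) { return open(h[id], b, aad) }

type Envelope struct { // what the object store keeps for one time entry
	ObjectID   string
	Data       []byte // entry content under its own OEK
	WrappedOEK []byte // OEK under the MEK, then under the CMEK when one is assigned
	MEKID      string
	CMEKID     string // empty when the workspace has no customer key
}

// Encrypt issues a fresh OEK per object and nests the two wraps (nesting is an assumption; the page only says "both").
func Encrypt(chrometa, customer HSM, mekID, cmekID, objectID string, plaintext []byte) (Envelope, error) {
	oek, aad := randBytes(32), []byte(objectID)
	data, err := seal(oek, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := chrometa.Wrap(mekID, oek, aad)
	if err == nil && cmekID != "" {
		wrapped, err = customer.Wrap(cmekID, wrapped, aad)
	}
	return Envelope{objectID, data, wrapped, mekID, cmekID}, err
}

// Decrypt unwinds outermost first: a revoked CMEK fails before Chrometa's MEK is touched.
func Decrypt(chrometa, customer HSM, env Envelope) ([]byte, error) {
	aad, wrapped := []byte(env.ObjectID), env.WrappedOEK
	var err error
	if env.CMEKID != "" {
		if wrapped, err = customer.Unwrap(env.CMEKID, wrapped, aad); err != nil {
			return nil, fmt.Errorf("CMEK %s: %w", env.CMEKID, err)
		}
	}
	oek, err := chrometa.Unwrap(env.MEKID, wrapped, aad)
	if err != nil {
		return nil, fmt.Errorf("MEK %s: %w", env.MEKID, err)
	}
	return open(oek, env.Data, aad)
}

func main() { // key IDs and entry text are constructed for this illustration, not Chrometa's naming
	chrometa, customer := HSM{"mek-1": randBytes(32)}, HSM{"cmek-case-42": randBytes(32)}
	env, _ := Encrypt(chrometa, customer, "mek-1", "cmek-case-42", "entry-1001", []byte("09:00-09:30 draft motion, case 42"))
	pt, err := Decrypt(chrometa, customer, env)
	customer.Revoke("cmek-case-42") // the entry stays in the store but is now unreadable, to Chrometa too
	_, err2 := Decrypt(chrometa, customer, env)
	fmt.Printf("before revocation: %q err=%v\nafter revocation: err=%v\n", pt, err, err2)
}
```

Two design points worth noting: the object ID is passed as GCM associated data at every layer, so a wrapped OEK or ciphertext cannot be re-attached to a different entry, and the CMEK layer is checked first, so a customer who withdraws a key denies access to that workspace's entries without Chrometa's MEK ever being used, while entries in workspaces without a CMEK stay readable.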
Key Features of the New Encryption System
- Unique Encryption Key per Object – Each digital file is encrypted using AES-256 with its own distinct OEK.
- Multi-Layered Encryption – Each OEK is encrypted using a MEK, with an optional customer-controlled CMEK for an additional layer of security.
- Robust Key Management – Chrometa's key management system, which includes HSMs, secures all MEKs and CMEKs. Customers can choose to store and manage their CMEKs in a Chrometa HSM or their own HSM.
- Customer Control of Workspace Encryption – Clients can assign encryption keys to specific workspaces (e.g., projects or cases). This also lets a firm revoke access to a specific data set, by withdrawing that workspace's key, without affecting the rest of the platform.
- Cipher Strength – Chrometa's hardware-based second-generation Quantum Random Number Generator supplies the randomness for every AES-256 key.
- Private HSM – Firms can use a customer-managed HSM to store their CMEKs, retaining complete control and custody over encryption keys. Chrometa has only the limited access needed for authorized operations and no management control over a customer-managed HSM.
How to Manage Your Own Keys
To manage your own keys, you can create CMEKs within a Chrometa HSM through the Chrometa web interface. However, if using a customer-managed HSM, key management is handled externally through the HSM management tools, not through the Chrometa UI.