Black Box ET0100A Appliance Trim Kit User Manual

Using Enhanced Security Features
262 EncrypTight User Guide
Strong password enforcement
ETEPs with software version 1.6 or later can be configured to use strong password enforcement. The conventions used with strong password enforcement are far more stringent than those used with the default password management. To learn more about strong password enforcement, see “Configuring the Password Enforcement Policy” on page 103.
Strict authentication
With strict authentication, all communications between EncrypTight components are authenticated using certificates. To learn more about strict authentication and using certificates, see “About Strict Authentication” on page 262.
Hardware Security Module
A hardware security module (HSM) is available as an option for your ETKMSs. HSMs provide tamper-proof storage for encryption keys and certificates. To learn more about working with an HSM, see “Working with Certificates and an HSM” on page 275.
Common Access Cards
EncrypTight supports the use of smart cards such as the Common Access Cards used by the U.S. Department of Defense. The use of smart cards provides user authorization in addition to certificate-based authentication. To learn more, see “Using a Common Access Card” on page 294.
About Strict Authentication
EncrypTight uses the Transport Layer Security (TLS) protocol for secure communication between the different components of the system (the management workstation, the ETKMS, and the PEPs). EncrypTight can use either:
• TLS with encryption only
• TLS with encryption and strict authentication enabled
When strict authentication is enabled, all TLS communications between EncrypTight components are authenticated using certificates. Authenticating the communications between components provides an extra level of security. Optionally, you can set up the system to validate certificates by checking Certificate Revocation Lists (CRLs) or by using the Online Certificate Status Protocol (OCSP).
Strict authentication is available for ETEPs with software version 1.6 or later. Strict authentication is disabled by default. After you install certificates on all of the devices that you are going to use, you can enable strict authentication.
CAUTION
Do not enable strict authentication before you install certificates on all of the EncrypTight components.
Doing so can lead to errors and communication failures.
A certificate is an electronic document that contains a public key that corresponds to the private key of the entity named as the subject of the certificate. Certificates can be generated by the entity itself (self-signed) or they can be issued by a certificate authority (CA). A CA is a trusted organization that authenticates certificate applications, issues and revokes certificates, and maintains status information about certificates. CA-signed certificates help establish a chain of trust. Keys and certificates are stored in an encrypted, password-protected keystore.
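The two TLS modes described under “About Strict Authentication” and the chain-of-trust point made above, shown as an added Go example. This is not code from the EncrypTight guide or product; it builds a throwaway CA, issues certificates to a stand-in ETKMS and management workstation, and runs loopback TLS handshakes in “encryption only” and “strict authentication” mode, including one attempt with a self-signed certificate the CA never issued. The helper names (`issueCert`, `handshake`, `Run`), the component names used as certificate subjects, and the loopback address are all assumptions; CRL and OCSP checking are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert returns a key pair and certificate for name. With parent == nil the certificate is
// self-signed; otherwise parent signs it, playing the CA role described in the guide (demo helper).
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA keeps serials unique
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo only talks over loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one TLS handshake over loopback and returns nil if both sides accepted it.
// strict=false is "TLS with encryption only" (only the server is verified); strict=true is "TLS with
// strict authentication" (the server also demands a client certificate that chains to ca).
func handshake(strict bool, ca *x509.Certificate, server tls.Certificate, client *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool}
	if strict {
		srv.ClientAuth = tls.RequireAndVerifyClientCert
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	cli := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"} // client == nil: no certificate installed yet
	if client != nil {
		cli.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-srvErr
}

// Run plays out the guide's scenarios and reports, per scenario, whether the handshake was accepted.
func Run() map[string]bool {
	ca, caKey, _ := issueCert("EncrypTight demo CA", true, nil, nil)
	_, _, kms := issueCert("ETKMS", false, ca, caKey)
	_, _, ws := issueCert("management workstation", false, ca, caKey)
	_, _, rogue := issueCert("self-signed PEP", false, nil, nil) // never seen by the CA
	return map[string]bool{
		"encryption only, no client certificate": handshake(false, ca, kms, nil) == nil,
		"strict, CA-signed client certificate":   handshake(true, ca, kms, &ws) == nil,
		"strict, no client certificate":          handshake(true, ca, kms, nil) == nil,
		"strict, self-signed client certificate": handshake(true, ca, kms, &rogue) == nil,
	}
}

func main() {
	for scenario, accepted := range Run() {
		fmt.Printf("%-42s accepted=%v\n", scenario, accepted)
	}
}
```

Only the strict handshakes with the CA-signed workstation certificate succeed; the strict attempts with no certificate or with the self-signed certificate fail on the server side, which is the behaviour the CAUTION above warns about when strict authentication is switched on before every component has a CA-issued certificate.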