Ekran System Encryption


General Information


On the first startup, the Ekran System server generates the Ekran System Master Certificate (EkranMasterCertificate) and saves it to Certificates storage in Windows.

The Ekran System Master Certificate is a unique RSA-2048 certificate. Without it, Ekran System cannot decrypt the other keys or read any encrypted data.


If you need to move the database, you must also back up the Ekran System Master Certificate and export it so that it can be imported on the new server.

On the server side, encryption is implemented using the Microsoft .NET Framework.

On the client side, encryption is implemented using Crypto++.

All encryption algorithms use FIPS 140-2 certified encryption implementations.


Encryption of Monitoring Data


Binary data (screen captures recorded during monitoring) is encrypted with AES-256.

A fresh AES key is randomly generated for every binary file and then encrypted with the public key of the Ekran System Master Certificate. The encrypted AES key is attached to the encrypted binary data. The public key used for this encryption is extracted from the certificate and stored in the Client registry.

To decrypt the data, the AES key is first decrypted with the private key of the Ekran System Master Certificate, and then the original data is decrypted with the AES key. On the client side, the data is encrypted during creation and decrypted by the server when an authorized Ekran System user views it in the Management Tool.
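The per-file envelope scheme described above (a random AES-256 key for each capture, wrapped with the RSA-2048 public key of the master certificate, attached to the ciphertext, and unwrapped only by the holder of the private key) is shown below as an added example in Go. This is not Ekran System code. Everything the page does not state is an assumption of this example: AES is used in GCM mode, the RSA wrap uses OAEP with SHA-256, the byte layout of the attached key is this example's own, and a freshly generated RSA-2048 key stands in for the certificate that the real server reads from the Windows certificate store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length

// Envelope is this example's layout: the RSA-wrapped per-file AES key travels
// attached to the encrypted capture. Ekran's actual byte layout is not documented.
type Envelope struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted with the master public key
	Nonce      []byte // random AES-GCM nonce, unique per file
	Ciphertext []byte // AES-256-GCM output, including the 16-byte authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCapture encrypts one capture with a fresh random AES-256 key and wraps
// that key with the master public key, the only key material the Client holds.
func EncryptCapture(masterPub *rsa.PublicKey, capture []byte) (*Envelope, error) {
	fileKey := make([]byte, 32) // 256-bit key, never reused for another file
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, capture, nil)}, nil
}

// DecryptCapture is the server-side path: unwrap the AES key with the master
// private key, then decrypt. Without that private key (for example a database
// moved without the certificate) the unwrap fails and the capture is unrecoverable.
func DecryptCapture(masterPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, masterPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing master certificate")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any tampering
}

// Marshal attaches the wrapped key to the ciphertext:
// 2-byte key length | wrapped key | nonce | ciphertext.
func (e *Envelope) Marshal() []byte {
	out := make([]byte, 2)
	binary.BigEndian.PutUint16(out, uint16(len(e.WrappedKey)))
	out = append(out, e.WrappedKey...)
	out = append(out, e.Nonce...)
	return append(out, e.Ciphertext...)
}

// UnmarshalEnvelope parses the layout written by Marshal, rejecting short input.
func UnmarshalEnvelope(blob []byte) (*Envelope, error) {
	if len(blob) < 2 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+n+nonceSize {
		return nil, errors.New("truncated envelope")
	}
	rest := blob[2:]
	return &Envelope{WrappedKey: rest[:n], Nonce: rest[n : n+nonceSize], Ciphertext: rest[n+nonceSize:]}, nil
}

func main() {
	master, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the master certificate
	env, _ := EncryptCapture(&master.PublicKey, []byte("constructed screen capture bytes"))
	back, _ := UnmarshalEnvelope(env.Marshal())
	plain, err := DecryptCapture(master, back)
	fmt.Println(string(plain), err)
}
```

The decrypt path illustrates the operational point made earlier on this page: a server holding only the public key (the copy in the Client registry) can encrypt but never read captures, and a server that has lost the master certificate's private key fails at the unwrap step, which is why the certificate has to be backed up before the database is moved.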

Logged keystrokes are encrypted in both the MS SQL and the PostgreSQL database. The symmetric key, which is stored in the database, is password-protected, and that password is encrypted with the Ekran System Master Certificate.


Encryption of Connections


Connections between Clients and the Ekran System Application Server are encrypted with AES-256. The session key is derived using the Diffie-Hellman key exchange algorithm. The encryption is implemented using Crypto++ 5.6.1.
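The Client-to-Server key agreement described above is shown below as an added example in Go; it is not Ekran System code and does not use Crypto++. The page only says that an AES-256 key is derived from a Diffie-Hellman exchange, so the following are this example's own choices: X25519 (the elliptic-curve form of Diffie-Hellman from Go's standard library) instead of whatever group Ekran's Crypto++ build uses, HKDF-SHA256 to turn the shared secret into a 32-byte key, the salt and info strings, and a key-confirmation MAC so each side can verify that the peer derived the same key before data flows.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one endpoint (Client or Application Server) holding an ephemeral
// Diffie-Hellman key pair that lives only for this connection.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh key pair. X25519 is this example's choice; the
// page does not state which Diffie-Hellman group Ekran's Crypto++ build uses.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only value this side sends over the wire.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// Transcript fixes the order in which both sides feed the exchanged public
// values into key derivation, so that both derive the same key.
func Transcript(clientPub, serverPub []byte) []byte {
	return append(append([]byte{}, clientPub...), serverPub...)
}

// SessionKey combines the local private key with the peer's public value and
// derives a 32-byte AES-256 key with HKDF-SHA256 (RFC 5869). Feeding the
// transcript in as HKDF salt ties the key to exactly the values each side saw.
func (p *Party) SessionKey(peerPub, transcript []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // rejects wrong-length values
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub) // rejects low-order points (all-zero result)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, transcript, []byte("ekran-example aes-256 session key"), 32), nil
}

// hkdfSHA256 is a minimal HKDF extract-and-expand built on crypto/hmac so the
// block needs no module outside the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var out, block []byte
	for counter := byte(1); len(out) < n; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(block)
		expand.Write(info)
		expand.Write([]byte{counter})
		block = expand.Sum(nil)
		out = append(out, block...)
	}
	return out[:n]
}

// ConfirmTag is a key-confirmation MAC sent after derivation: a peer that
// derived a different key cannot produce a tag that VerifyTag accepts.
func ConfirmTag(key []byte, role string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("key confirmation:" + role))
	return m.Sum(nil)
}

// VerifyTag checks a peer's confirmation tag in constant time.
func VerifyTag(key []byte, role string, tag []byte) bool {
	return hmac.Equal(ConfirmTag(key, role), tag)
}

func main() {
	client, _ := NewParty()
	server, _ := NewParty()
	tr := Transcript(client.PublicBytes(), server.PublicBytes())
	ck, _ := client.SessionKey(server.PublicBytes(), tr)
	sk, _ := server.SessionKey(client.PublicBytes(), tr)
	fmt.Println("client key:", hex.EncodeToString(ck))
	fmt.Println("server confirms client:", VerifyTag(sk, "client", ConfirmTag(ck, "client")))
}
```

Two properties worth checking in any Diffie-Hellman implementation are visible here: the ECDH call refuses a low-order (all-zero) public value instead of silently producing a predictable key, and fresh key pairs per connection mean two sessions never share a key. What the exchange above does not do is authenticate the peer; the page does not describe how Ekran binds the exchange to the Client's or Server's identity, so this example leaves that out rather than guess.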

The Ekran System Application Server and the Management Tool communicate over TCP connections encrypted with a self-signed certificate. The encryption is implemented using WCF (.NET).

Access to the Management Tool is established over an encrypted HTTPS connection. The certificate is specified before the Management Tool is installed. For more information, see the Ekran System Deployment Guide.

The database connection string is stored in the registry. It is encrypted with the Ekran System Master Certificate.


Encryption of Other Data


The initial vectors for time-based one-time passwords (TOTP) are encrypted in the database using the Ekran System Master Certificate.

The passwords of Ekran System internal users are stored as SHA-256 hash values.

Secrets with credentials of privileged accounts are encrypted using AES-256.

The results of Forensic Export are encrypted using RSA-1024.