Using FAOPGP CLS
Automating encryption & decryption for all the users in your organization
CLS can be used to automate an organization’s entire secure communications with multiple companies. There is no limit to the number of users it can support, or the number of keys you can generate and use. Outlined below is an example of how you can configure CLS for this purpose.
Setting up Keys
You will need to have other people's keys (other companies' keys) in the keystore so that encrypted files can be sent to them. They can generate their own keys using any OpenPGP-compliant software or the free FileAssurity OpenPGP Reader software that ArticSoft provides.
In addition, if you want CLS to decrypt files for your own users you will need to load their private keys into the CLS keystore. Alternatively, you may want to generate these key pairs for them, or keep just a small number of private keys for your organization, perhaps organized by department or function, that external organizations communicate with rather than working on an individual-user basis.
If you want users to be able to decrypt files they receive (which cannot be decrypted centrally by CLS) then each user must generate their own keys using the free FileAssurity OpenPGP Reader software. Other people can then email the encrypted files directly to each user, and only the user with the correct key can decrypt them. Group or function key pairs can also be created by FileAssurity Central Administrator and then placed in CLS to be actioned automatically.
So, either users' private keys must be present in CLS's keystore (so that CLS can decrypt files on users' behalf), or private keys are retained on users' own computers (so that only they, and not CLS, can decrypt the files).
In our example system we will need to set up some folders for users and CLS to work with.
Setting up Folders
Set up a folder for each user on the network drive, say based on their user names – e.g. Thomas_Buller
Then create two sub-folders:
One called ‘To_Encrypt_CompanyX’
The other called ‘Decrypted_Files’
Then tell the demonstration users to place any files they want to encrypt in their To_Encrypt folder.
Set up CLS to retrieve files from each user's To_Encrypt folder and encrypt them before sending them. Via its scheduler, CLS can be tasked to monitor these folders for new files every hour, every x minutes or every x hours.
So, in the CLS GUI, when setting up the script you would check the ‘Protect’ checkbox and select the key of the organization you want to encrypt files for in the ‘Actions’ section. In the ‘Input Files/Directories’ section you would select the ‘retrieve input files from local computer’ checkbox and specify ‘N:\Thomas_Buller_To_Encrypt_CompanyX’ as the folder to retrieve the files from.
CLS can be set up so that after a file is encrypted the original is deleted, so that it is removed from the To_Encrypt folder and is not processed again. As a result, only new files are ever processed. To do this, just check the ‘Secure Delete’ option in the ‘Actions’ section.
The encrypted files can then be automatically emailed by CLS or FTP’d to a web server by checking the appropriate options in the ‘Options’ section of the CLS GUI.
Scheduling this to occur on a daily basis
Once you have saved the script just select ‘Schedule Script’ from the Tools menu and then choose ‘Daily’ as the schedule task option in the schedule tab.
Via the Advanced options you can specify a start and end date, or just let the script run every day.
It does not matter if there are no files to process when a script is scheduled to run: the script will check for files, and if none are present it will exit. If auditing is enabled, the audit log will record that no files were actioned.
Receiving encrypted files
Via an FTP Server
If encrypted files are left on a web server, CLS can automatically retrieve them, decrypt them and place them in the user's Decrypted_Files folder. In this case you would need to set up folders for each user on the web server, so that you can tell CLS that if it retrieves files from remote folder X it must decrypt them and place them in that user's Decrypted_Files folder on the local network drive.
Via Email
If encrypted files are emailed to users individually, users can place them in their Decrypted_Files folder for processing by CLS. CLS can be told to monitor this folder every x minutes or hours for encrypted files and, once they have been decrypted, to delete the original encrypted files. The decrypted files can then be retrieved by the user.
Alternatively, the user can install the free FileAssurity OpenPGP Reader software and double-click the encrypted file in their email application for FileAssurity to decrypt it.
If you are running a mail server and want CLS to process attachments, you will need to write a program (perhaps a Perl script) that copies the encrypted attachments out to a folder for automatic processing. Provided CLS has the key needed to decrypt a file, it can be processed and forwarded.
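The attachment-copying program described above, as an added example written in Python rather than Perl (it is not ArticSoft's code): it reads a raw mail message, copies each OpenPGP attachment into the recipient's Decrypted_Files folder for CLS to decrypt, and keeps sender-chosen attachment names from placing a file outside that folder. The mailbox-to-folder mapping, the .pgp/.gpg/.asc naming and the sample mail are assumptions made for the example.

```python
import os
import re
import tempfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

USER_FOLDERS = {"thomas.buller@example.com": "Thomas_Buller"}  # assumed mailbox -> folder map
PGP_EXTENSIONS = (".pgp", ".gpg", ".asc")  # assumed names senders give encrypted files

def safe_filename(name: str) -> str:
    """Keep only a safe basename: sender-chosen names such as '../x.pgp' must not
    place the file outside the user's Decrypted_Files folder."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "attachment.pgp"

def extract_pgp_attachments(raw: bytes, base_dir: str) -> list:
    """Copy OpenPGP attachments to <base_dir>/<user>/Decrypted_Files for CLS to pick up."""
    msg = message_from_bytes(raw, policy=default)
    recipients = [a.addr_spec.lower() for a in msg["To"].addresses] if msg["To"] else []
    written = []
    # Mail for recipients outside USER_FOLDERS is ignored: nothing lands in a folder CLS does not watch.
    for user in filter(None, (USER_FOLDERS.get(a) for a in recipients)):
        drop = os.path.join(base_dir, user, "Decrypted_Files")
        os.makedirs(drop, exist_ok=True)
        for part in msg.iter_attachments():
            name = part.get_filename() or ""
            if not name.lower().endswith(PGP_EXTENSIONS):
                continue  # not an OpenPGP file; leave it for the user
            path = os.path.join(drop, safe_filename(name))
            with open(path, "wb") as fh:
                fh.write(part.get_payload(decode=True))
            written.append(path)
    return written

def build_sample_message() -> bytes:
    """Constructed partner mail: one .pgp attachment carrying a traversal-style name."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "partner@companyx.example", "Thomas Buller <thomas.buller@example.com>"
    msg.set_content("The encrypted report is attached.")
    msg.add_attachment(b"-----BEGIN PGP MESSAGE-----\n(constructed)\n", maintype="application",
                       subtype="octet-stream", filename="../../report.xls.pgp")
    return msg.as_bytes()

def demo() -> list:
    # Run the extraction into a temporary base folder and return the relative paths written.
    base = tempfile.mkdtemp()
    return [os.path.relpath(p, base).replace(os.sep, "/")
            for p in extract_pgp_attachments(build_sample_message(), base)]
```

In production the base folder would be the network drive holding the per-user folders, and CLS, scheduled to watch each Decrypted_Files folder, would decrypt whatever lands there and delete the encrypted original.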