Encryption schemes

Blue Prism provides the facility to encrypt sensitive data held within the database, through user-definable encryption schemes maintained in the Security section of System Manager. The following industry standard encryption methods are supported:

  • AES-256 AesCryptoService (256 bit)
  • AES-256 RijndaelManaged (256 bit)
  • Triple DES (192 bit)

Triple DES (192 bit) is provided for backwards compatibility. It is strongly recommended that new encryption schemes are not configured to use this method.

The Security – View Encryption Scheme Configuration permission is required in order to access this section. However, in order to create, edit or delete the schemes themselves, the Security – Manage Encryption Schemes permission is required.

Manage schemes

A summary of the existing encryption schemes is displayed showing name, encryption method, location of the key and a status indicating whether or not the scheme is available for selecting as a data encrypter (e.g. as the default encryption scheme or for work queues).

Create a new scheme

Clicking the New link displays the Define Encryption Scheme form, where the scheme name and key location can be entered. By default, new schemes are initialised as Unavailable; checking the Available check box makes the scheme available for selection as a data encrypter.

Where the key is to be held on the Server, the configuration utility should be used to assign a key to the scheme on each server in use. Where the key is to be held in the database, it should be entered here.

Edit an existing scheme

Clicking the Edit link displays the Define Encryption Scheme form with the existing scheme details populated. The key itself cannot be changed directly; however, the location of the key can be changed. When doing this, care must be taken to ensure that the key is transferred correctly, otherwise previously encrypted data could be rendered unreadable.

Note that schemes that have already been selected as data encrypters cannot be set to Unavailable.

Delete an existing scheme

Clicking the Delete link will delete a scheme provided that it is not currently selected as a data encrypter and that there is no data in the database encrypted with it. Prior to deleting a scheme the following steps should be taken:

  • Ensure it is not selected as a data encrypter (e.g. as the default encryption scheme or for work queues)
  • Edit the scheme and set it to Unavailable to prevent it from being re-selected
  • Use the re-encrypt data command line option to ensure that there is no remaining data encrypted by the key
  • Delete the scheme
  • Remove the key from any Server Key Stores (if applicable)

Note that if the key for a scheme cannot be found on the server, the scheme name will be appended with Unresolved Key and, as such, any attempted encryption/decryption operations using it are likely to fail.
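As an added example (not Blue Prism's code), the deletion preconditions and the re-encrypt step modelled in Ruby: each record is tagged with the name of the scheme that encrypted it, re-encryption moves records from a legacy scheme onto the default scheme, and deletion is only allowed once the scheme is not the selected data encrypter and no record remains under its key. Only the AES-256 method is modelled (as AES-256-GCM); Record, Scheme, reencrypt and deletable? are hypothetical names and the keys are random sample values. Decrypting with a key other than the one that sealed a record fails outright, which is the "rendered unreadable" outcome of a mis-transferred key.

```ruby
require 'openssl'
require 'securerandom'

# Record: one stored value tagged with the name of the scheme that encrypted it
# (constructed model of the "data encrypted with it" rule, not Blue Prism's code).
Record = Struct.new(:scheme, :data)

# A scheme is a name plus its key. Only the AES-256 method is modelled, as AES-256-GCM with a 32-byte key.
Scheme = Struct.new(:name, :key) do
  # Seals plain under a fresh random IV; data is IV || ciphertext || 16-byte auth tag.
  def encrypt(plain)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    iv = c.random_iv
    ct = (plain.empty? ? ''.b : c.update(plain)) + c.final # update rejects empty input
    Record.new(name, iv + ct + c.auth_tag)
  end

  # Raises OpenSSL::Cipher::CipherError, rather than returning garbage, if this key did not seal rec.
  def decrypt(rec)
    raise ArgumentError, "record is not held under scheme #{name}" if rec.scheme != name || rec.data.bytesize < 28
    iv, ct, tag = rec.data[0, 12], rec.data[12...-16], rec.data[-16, 16]
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag
    (ct.empty? ? ''.b : c.update(ct)) + c.final
  end
end

# Moves every record held under +from+ onto +to+: the job of the re-encrypt data command line option.
def reencrypt(records, from, to)
  records.map! { |r| r.scheme == from.name ? to.encrypt(from.decrypt(r)) : r }
end

# The page's two preconditions for Delete: not a selected data encrypter, and no data still encrypted with it.
def deletable?(scheme, default_scheme, records)
  scheme.name != default_scheme && records.none? { |r| r.scheme == scheme.name }
end

if __FILE__ == $PROGRAM_NAME
  legacy = Scheme.new('Legacy scheme', SecureRandom.random_bytes(32))
  current = Scheme.new('Default Encryption Scheme', SecureRandom.random_bytes(32))
  records = [legacy.encrypt('credential-1'), current.encrypt('credential-2')]
  puts "deletable before re-encrypt: #{deletable?(legacy, current.name, records)}"
  reencrypt(records, legacy, current)
  puts "deletable after re-encrypt:  #{deletable?(legacy, current.name, records)}"
end
```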

Default encryption scheme

Certain data (such as credentials and resource screen captures) must always be encrypted, so one of the defined schemes must be selected in this drop-down list. For new installations this is set to the scheme named Default Encryption Scheme, which is created by the installer. However, it will not be possible to create credentials or capture resource screenshots until a key is assigned to this scheme.
