Encryption schemes

Encryption schemes are used to define the settings (algorithm and key location) when writing the data for credentials and encrypted work queues into the database. Blue Prism provides the facility to encrypt sensitive data held in the database, using user-definable encryption schemes maintained in the Security section of System Manager.

Encryption schemes enhance the capabilities for securing sensitive data in the database by:

  • Providing a standardized approach for defining the encryption schemes that are available to be used in an environment.
  • Allowing use of the AES-256 AesCryptoService (256-bit) and AES-256 RijndaelManaged (256-bit) algorithms as an alternative to Triple DES (192-bit).
  • Allowing multiple encryption schemes to be defined in a single environment.
  • Enabling system administrators to select which encryption scheme will be used for processing credentials and for each optionally encrypted work queue.
  • Providing the option, when using application server-based encryption keys, to have the keys stored in independent files.

The encryption scheme used for credentials, and optionally for each work queue, is configured in the user interface and is applied when the relevant data is written to the database. Data is subsequently read using the same scheme that wrote it. Credential Manager or an encrypted work queue can therefore be switched to a different scheme at any time: the change only comes into effect as new information is written to the database, and existing data continues to be read with the scheme that wrote it.

Encryption methods

The following industry standard encryption methods are supported:

  • AES-256 AesCryptoService (256-bit)
  • AES-256 RijndaelManaged (256-bit)
  • Triple DES (192-bit)

Triple DES (192-bit) has been retired and is provided for backwards compatibility only. It is strongly recommended that new encryption schemes are not configured to use this method.

Permissions

There are two permissions that control whether users have read-only or full access to encryption scheme functionality.

  • Security – View Encryption Scheme Configuration: Users can access the System > Security > Encryption Schemes screen in a read-only view.
  • Security – Manage Encryption Schemes: Users have full access to add, edit, and delete encryption schemes.

Manage encryption schemes

Encryption schemes are created and maintained in the Blue Prism interactive client – navigate to System > Security > Encryption Schemes.

A summary of the existing encryption schemes is displayed showing the name, encryption method, location of the key, and a status indicating whether or not the scheme is available for selection as the default encryption scheme or for work queues.

If a scheme does not have a key configured, or if its key cannot be found on the server, the method shown for the scheme is appended with Unresolved Key, and any attempted encryption or decryption operation using that scheme is likely to fail.

Create a new encryption scheme

  1. On the Encryption Schemes screen, click New.
  2. Enter a unique name for the scheme.
  3. Select the Available check box to allow the scheme to be used as a data encrypter.
  4. Select the location where the encryption key will be stored:
    •  Application Servers (recommended) – The secret key for the scheme must be added to the server key store on each application server using the Server Configuration utility.
    •  Database – Once selected, configure as follows:
      1. Select the required encryption method: AES-256 AesCryptoService (256-bit), AES-256 RijndaelManaged (256-bit), or Triple DES (192-bit).
      2. Add the secret key in the Key field or click Generate key to create a new one in Blue Prism. Keys created in Blue Prism use the RNGCryptoServiceProvider, which provides a cryptographically strong sequence of random values.
  5. Click OK to save the encryption scheme.

The scheme is listed on the Encryption Scheme screen and can now be assigned as a data encrypter for credentials and work queues.

The following examples show encryption schemes for database and application server locations.

Configure the default encryption scheme

Certain data, such as credentials and resource screen captures, must always be encrypted and this is applied by setting a default encryption scheme.

For new installations, an encryption scheme called Default Encryption Scheme is automatically created by the Blue Prism installer. You can use this scheme, or one that you have configured yourself, as the default. The scheme set as the default must have a key assigned before you can create credentials or capture resource screenshots.

This example uses the Default Encryption Scheme but the approach is the same if configuring a different scheme to use as the default:

  1. Open the required scheme, select an encryption method, and enter or generate a key. If the scheme already has a key assigned, this step can be skipped.
  2. On the Encryption Schemes screen, select the scheme from the Default encryption scheme drop-down list.

It is now possible to create credentials and capture resource screenshots using the selected scheme for encryption and decryption.

This video shows you how to set up a default encryption scheme.

Select an encryption scheme for a work queue

  1. In the Blue Prism interactive client, navigate to System > Workflow > Work Queues.
  2. Select the required work queue.
  3. Select the Encrypted check box and select the required encryption scheme from the using key drop-down list.
  4. Click Apply to save the queue properties.

Data saved to the queue is encrypted, and data retrieved from it is decrypted, using the selected encryption scheme.

This video shows you how to encrypt work queues.

Edit an encryption scheme

To edit an encryption scheme, select the required scheme and click Edit. You can change the following elements:

  • Name – Rename the encryption scheme. This will be reflected anywhere the scheme is used.
  • Location – Although the key itself cannot be changed directly, you can change the location. Care must be taken to ensure that the key is transferred correctly, otherwise previously encrypted data could be rendered unreadable.
  • Available – Change the status of a scheme, making it either available or unavailable as an encrypter. You cannot make a scheme unavailable while it is in use, so the Available check box is not editable in that case. Before making a scheme unavailable, you must remove all references to it, whether as the default scheme or as the scheme assigned to a work queue.

    Examples:

    • This scheme cannot be made unavailable as it is used as the default.
    • This scheme is unavailable as it is not currently used anywhere in Blue Prism.

Delete an encryption scheme

Encryption schemes can be deleted only if they are not currently selected as a data encrypter and there is no data in the database that is encrypted by them.

When deleting a scheme, follow the steps below:

  1. Check that the scheme is not selected as the default encryption scheme or assigned to a work queue.
  2. Edit the scheme and deselect Available to make the scheme unavailable and prevent it from being used whilst you complete this process.
  3. Use the re-encrypt data command line option to ensure that there is no remaining data encrypted by the key.
  4. On the Encryption Schemes screen, select the scheme and click Delete.
  5. If stored on the application server, remove the associated key from the server key stores.
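The behaviour this page describes, as an added worked example in Go (this is not Blue Prism's own code, and the page does not state which cipher mode or record format the product uses): a scheme's key is generated from the OS CSPRNG, standing in for RNGCryptoServiceProvider; each stored record is tagged with the scheme that wrote it, so reads always use that scheme regardless of the current default; a scheme whose key is missing from the key store is in the Unresolved Key state and any operation using it fails; and before a scheme can be deleted, its data must be re-encrypted under another scheme. The Store type, the record layout, AES-256-GCM as the stand-in for the AES-256 methods, and all names and sample values are constructed for this example; work queue assignments are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored value; Scheme names the scheme that wrote it, so reads use that scheme.
type Record struct {
	Scheme string
	Nonce  []byte
	Data   []byte
}

// Store is a constructed stand-in for the database plus the server key store.
type Store struct {
	Keys    map[string][]byte // scheme name -> key; no entry means "Unresolved Key"
	Default string            // the default encryption scheme
	Records []Record
}

// GenerateKey returns a 256-bit key from the OS CSPRNG, the role RNGCryptoServiceProvider plays in the UI.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// aead resolves a scheme's key; a missing key is the page's Unresolved Key state.
func (s *Store) aead(scheme string) (cipher.AEAD, error) {
	key, ok := s.Keys[scheme]
	if !ok {
		return nil, fmt.Errorf("%s: unresolved key", scheme)
	}
	block, err := aes.NewCipher(key) // AES-256 for a 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt writes plaintext under the named scheme and returns the record to store.
func (s *Store) Encrypt(scheme string, plaintext []byte) (Record, error) {
	g, err := s.aead(scheme)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// The scheme name is authenticated as associated data, so a record cannot be re-labelled.
	return Record{scheme, nonce, g.Seal(nil, nonce, plaintext, []byte(scheme))}, nil
}

// Decrypt reads a record with the scheme recorded on it, whatever the current default is.
func (s *Store) Decrypt(r Record) ([]byte, error) {
	g, err := s.aead(r.Scheme)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Data, []byte(r.Scheme))
}

// ReEncrypt rewrites every record written under from so it is encrypted under to (the page's re-encrypt data step).
func (s *Store) ReEncrypt(from, to string) (int, error) {
	n := 0
	for i, r := range s.Records {
		if r.Scheme != from {
			continue
		}
		pt, err := s.Decrypt(r)
		if err != nil {
			return n, err
		}
		nr, err := s.Encrypt(to, pt)
		if err != nil {
			return n, err
		}
		s.Records[i] = nr
		n++
	}
	return n, nil
}

// DeleteScheme removes a scheme's key only if it is not the default and no record is still encrypted under it.
func (s *Store) DeleteScheme(name string) error {
	inUse := s.Default == name
	for _, r := range s.Records {
		inUse = inUse || r.Scheme == name
	}
	if inUse {
		return fmt.Errorf("%s: still the default or still holds data", name)
	}
	delete(s.Keys, name)
	return nil
}
```

Binding the scheme name into the authenticated data is the detail worth noting: it means a record cannot be silently re-pointed at a different scheme, so the "read with the scheme that wrote it" rule is enforced by the cipher rather than by convention, and ReEncrypt must genuinely decrypt and re-seal each record rather than just retagging it.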