What is encryption?
The purpose of file encryption is to make the data contained in a file undecipherable for unauthorised persons, in other words, to keep the information confidential.
A symmetric cryptographic algorithm or an asymmetric cryptographic algorithm can be used for encryption. The cryptographic algorithm is a mathematical formula that ciphers the data file. The ciphered file can only be deciphered with a crypto key.
In symmetric encryption, the file is ciphered and deciphered with the same secret key. In asymmetric encryption, one key is used for ciphering and another is used for deciphering; one of the keys is public while the other is secret and in sole possession of the user.
The above image depicts the process of sending documents in an encrypted form. In the event that someone wishes to send a document to Mari over an insecure channel (the internet), they have to seal (encrypt) the document with Mari's public key. This way the sender can be confident that the respective document can only be opened by the owner of the secret key – in the given case, this would be Mari.
If there are several addressees, the document must be encrypted with the public key of every addressee as indicated in the lower half of the image. The document can only be opened by the people for whom it is encrypted.
The same technology can be used vice versa – if we encrypt a document with our secret key, the addressees are only able to open it by using our public key. This way, the addressees can be sure that the respective document has been sent by no one else but us.
How does encryption work in DigiDoc?
In DigiDoc, the encryption of a file consists of two stages. Firstly, the file is encrypted with a symmetric algorithm for which a random key (hereinafter the transport key) is generated. The transport key is thereafter encrypted with the addressee's public key by using an asymmetric algorithm. If there are several addressees, the transport key will be separately encrypted with the public key of every addressee.
The easiest method for encrypting files is to use the DigiDoc Krüpto program that is installed on your computer along with the ID-card software. You can download the ID-card software at the address installer.id.ee.
It is important to remember the following:
Encryption with an ID-card is above all meant for secure transportation of files, not long-term preservation. This is because decrypting with an ID-card requires the secret key that corresponds to the public key in the authentication certificate. The secret key is ONLY located on the ID-card of the user. In the event that the user loses their ID-card, decryption of files is no longer possible. Decryption of files encrypted with an earlier certificate is also no longer possible after the user has renewed their ID-card certificates, as new secret and public keys are generated upon the issuance of new certificates.
When encrypting files, it must be considered that only the users of certificates added to the list of addressees are able to decrypt the files. This means that you must not forget to add yourself among the addressees if you may need to open the file later.
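The two-stage scheme and the two caveats above, as an added Ruby example that is not DigiDoc's own code. AES-256-GCM and RSA-OAEP, the method names `encrypt_for` and `decrypt_as`, the Hash layout and the demo keys are all assumptions made for illustration.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # assumed padding; the page names no algorithm

# Stage 1: encrypt the file with a random transport key (AES-256-GCM, assumed).
# Stage 2: encrypt that transport key separately for every addressee.
# `addressees` maps a name to an RSA public key. The returned Hash is a
# constructed layout for this example, not the DigiDoc container format.
def encrypt_for(data, addressees)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  transport_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(data) + cipher.final
  wrapped = addressees.transform_values { |pub| pub.public_encrypt(transport_key, OAEP) }
  { iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext, wrapped_keys: wrapped }
end

# Returns the plaintext, or nil when this name and secret key cannot recover
# the transport key or the data fails its integrity check.
def decrypt_as(container, name, private_key)
  wrapped = container[:wrapped_keys][name]
  return nil unless wrapped # not in the list of addressees

  transport_key = private_key.private_decrypt(wrapped, OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = transport_key
  cipher.iv = container[:iv]
  cipher.auth_tag = container[:tag]
  cipher.auth_data = ''
  cipher.update(container[:ciphertext]) + cipher.final
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError, ArgumentError
  nil # different key pair (e.g. after certificate renewal) or modified data
end

# Constructed 2048-bit demo keys stand in for the key pairs held on ID-cards.
mari, sender = Array.new(2) { OpenSSL::PKey::RSA.new(2048) }
box = encrypt_for('contract.pdf bytes', 'Mari' => mari.public_key)
puts decrypt_as(box, 'Mari', mari)              # Mari is an addressee
puts decrypt_as(box, 'Sender', sender).inspect  # the sender did not add themselves
```

A key pair generated later for the same name also gets `nil` back, which is the renewed-certificate case described above.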