In the context of the ID-card (Digi-ID), encryption means creating a .cdoc file from one or more data files whose content must be kept confidential (for example, to send it securely by e-mail over the public internet), using the ID-card (Digi-ID) authentication certificate of one or more addressees. The addressee is the person for whom the encrypted file is meant, i.e. the one who must be able to decrypt it in order to view the original content. Decryption requires the secret key on the ID-card (Digi-ID) that corresponds to the addressee's certificate; only the user of that ID-card (Digi-ID) can access this key.
NB! Warning! Encryption using ID-card (Digi-ID) certificates is suitable only for short-term use, not for long-term storage of encrypted files. The reason is that ID-card (Digi-ID) certificates expire, and when they are renewed the secret keys on the ID-card (Digi-ID) are renewed with them. Consequently, once the certificates have been renewed, the ID-card (Digi-ID) user can no longer open files that were encrypted for them with the 'old' certificate, i.e. the certificate in use before the renewal.
The DigiDoc3 Crypto application installed with the ID-card software can be used for encryption and decryption, and companies can use the TempelPlus software for mass encryption and decryption with their digital stamp.
It is also possible to build your own application with encryption functionality using the DigiDoc libraries provided by Sertifitseerimiskeskus.
CDOC formatted files have full functional (encryption and decryption) support in the CDigiDoc (C library) and JDigiDoc (Java) libraries. In the NDigiDoc library (.NET), encryption and decryption are supported only with software tokens. CDOC functionality is not supported by the DigiDoc COM libraries of version 3.6.
NB! Best Practice! As implemented in DigiDoc3 Krüpto, all new applications that support encryption should encrypt using all of the addressee's available certificates (the ID-card authentication certificate and the Digi-ID authentication certificate, but not the Mobile-ID authentication certificate, because Mobile-ID cannot be used for decryption). In that case the addressee can decrypt the encrypted file using either the ID-card or the Digi-ID. A person's certificates can be queried from the LDAP service at ldap://ldap.sk.ee
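As an added illustration (not code from the DigiDoc libraries and not the CDOC format itself), the Go program below shows the principle behind the best practice above and the renewal warning earlier: the data is encrypted once under a fresh content key, that key is wrapped separately for each addressee certificate key, and a key issued after encryption can unwrap none of them. The Container layout, the function names and the RSA-OAEP/AES-GCM choice are assumptions made for this demonstration; real CDOC files have their own structure, described in the CDOC file format documentation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Container: a hypothetical stand-in for a multi-addressee CDOC (not its real layout).
type Container struct {
	Nonce, Ciphertext []byte
	WrappedKeys       [][]byte // one entry per addressee public key
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Encrypt seals the data once and wraps the content key for every addressee key.
func Encrypt(plaintext []byte, addressees []*rsa.PublicKey) (*Container, error) {
	cek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(cek)
	rand.Read(nonce)
	c := &Container{Nonce: nonce, Ciphertext: gcmFor(cek).Seal(nil, nonce, plaintext, nil)}
	for _, pub := range addressees {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		c.WrappedKeys = append(c.WrappedKeys, w)
	}
	return c, nil
}

// Decrypt works with any addressee key; a key renewed after encryption unwraps nothing.
func Decrypt(c *Container, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range c.WrappedKeys {
		if cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil); err == nil {
			return gcmFor(cek).Open(nil, c.Nonce, c.Ciphertext, nil)
		}
	}
	return nil, rsa.ErrDecryption
}
```

Encrypting for both the ID-card key and the Digi-ID key lets either card open the file, while a key generated after encryption (the renewed-certificate case) gets only an error.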
As of April 2012, the padding methods used for CDOC files have been modified.
For more information, please refer to the CDOC file format documentation.