In the world of ID-card, encryption means that one or more files requiring encryption are merged into one file with .cdoc extension, which can only be accessed by using a secret key associated with your ID-card (or other digital document’s) authentication certificate for specific recipients.
The encryption process is very simple for users:
In the DigiDoc4 CRYPTO selection, the owner adds the files for confidential transmission to the document envelope, indicates the recipients (knowledge of the personal identification numbers of the recipients, or the registration number for legal persons is required) and encrypts the document envelope. The encrypted envelope must then be sent to the recipients, for example, by e-mail. After encryption, only the designated recipients can open the document envelope, using the specified encrypted document certificates (for example, ID-card, digital ID, etc.).
ID-software can be used for document encryption and decryption.
Encryption is not appropriate for long term file storage!
Taking into account that the contents of an encrypted document envelope can only be opened with valid recipient certificates, the encrypted file should be opened as soon as possible and stored in a secure location in decrypted form.
It is worth knowing that:
- To decrypt documents, you need exactly the same document (with the same certificates) as the one that the file was encrypted with. For example, you can also decrypt files with expired certificates, even if you have already been issued a new document.
- Files that have been encrypted to your earlier/expired document cannot be opened with updated certificates and/or a new document.
Moreover, it is important to remember that if you encrypt documents yourself and want to open them later, you should also add yourself as a recipient!
Creating encryption applications:
We recommend using DigiDoc libraries to create applications with encryption functionality:
- Full support for CDOC file functionality (encryption and decryption) is available in Cdoc4j library, as well as in CDigiDoc and JDigiDoc (Java) library.
Users of DigiDoc libraries have been advised to give preference to using the “direct” encryption solution where files under encryption are not put into an intermediate container. All DigiDoc software libraries that support CDOC format also supports the "direct" encryption and decryption.
To ensure compatibility with other software applications, attention should be paid to setting correct encryption configuration of XML parameters for the CDOC document, so that different encryption methods can be distinguished later.
For a so-called “direct” encryption, the following parameters must be specified in the CDOC container:
- Set the value of the <EncryptedData> element’s “Mimetype“ attribute to the MIME type of the encrypted input file. You can also use "application/octet-stream" as default value.
Additional information in English: Encrypted DigiDoc Format Specification:
NB! Best practice!
Just like for the DigiDoc4 Client application, when creating new encryption applications, it should be taken into account that many people nowadays are using both ID-card and digital ID solutions. Therefore, it would be wise to create a solution that allows file encryption for all valid certificates of the recipient (for digital ID authentication certificate and ID-card authentication certificate). This reduces the risk that the contents of the encrypted document envelope become unavailable due to the expiration, suspension or renewal of user certificates!
More information can be found in the CDOC file format documentation: Encrypted DigiDoc Format Specification – https://www.ria.ee/sites/default/files/content-editors/EID/cdoc.pdf
Information on encryption certificate on SK website: https://www.skidsolutions.eu/en/services/crypto-certificate/