7.3.10. Encryption At Rest

License Required

This feature must be licensed to be used. Contact your Eventide Communications Dealer for assistance.

This page allows you to configure your recorder to encrypt the recordings stored on its internal RAID hard disk drives for increased security. By default, Encryption at Rest is disabled. Enabling this feature requires a license key activation by Eventide (Eventide P/N: 271148).

If Encryption at Rest is not configured, disabled, or unlicensed, all call audio will be recorded on the NexLog DX-Series’s internal RAID in a proprietary, but unencrypted, format. The proprietary nature of the audio format makes the data difficult, but not impossible, to play back with off the shelf utilities.

If Encryption at Rest is enabled, all call audio will be recorded and encrypted using a 256-bit AES key. This enhances security by making it impossible to play back audio without the original key. The AES keys are stored in the recorder on internal NAND flash memory, using a Key Encrypting Key (KEK). This allows the NexLog DX-Series to decrypt the calls for playback. Since the keys are stored on separate media, they remain safe in the event that someone gains physical access to your RAID hard disk drives. Physical access can typically be gained when a failed hard drive is replaced and disposed of. When this occurs, Encryption at Rest will securely protect your recordings even if they are able to be recovered from the failed drive.

Encryption at rest can be enabled for any audio channels on a licensed NexLog DX-Series recorder. When encryption is enabled on a channel, the unencrypted audio is stored in memory where your active AES key is used to encrypt the audio file before it ever touches the internal RAID.

Note

Screen Recording calls will not be encrypted, even if the channel has been configured for encryption.

Note

Virtual Machines do not have internal NAND flash memory and will save the AES key to the main storage.

Encryption At Rest Configuration

Fig. 7.63 Encryption At Rest Configuration

7.3.10.1. Active vs Inactive AES Keys

In the figure above, you can see an example of four AES Keys. The top key is in an Active state (True). This means that it is the AES key that is currently encrypting the configured channels. For better security, keys should be changed or rotated regularly. Changing the active key ensures encryption integrity by reducing the likelihood that someone with malicious intent can gain access to all of your recordings. If only one key were to become compromised, only the recordings captured while that key was in effect can be decrypted.

When you change or rotate keys, you will simply need to select the key from the list and click Activate Key. In doing so, the previously used key will become Inactive (False). Inactive keys are only used for decrypting recordings for playback or export (see Encrypted Playback and Exporting Encrypted Recordings). This means that if you intend to access recordings that were encrypted using a key that isn’t the currently Active key, it will need to remain on the system in an Inactive state.

Important

Deleting a key is irreversible and only advised if no recordings were encrypted using the key you intend to delete. If a key is mistakenly deleted and you have it stored in an alternate location, adding the key back into the system, as Inactive, will allow you to resume playback. Caution should be taken in verifying that the key was not used on recordings currently on the NexLog DX-Series recorder, or recordings stored in an Archive backup (see Archiving Encrypted Recordings).

Note

Eventide is not able to recover recordings encrypted with a missing or deleted AES key.

7.3.10.2. Adding an AES Key

The NexLog DX-Series Administrator should generate a secure encryption key using a high quality source of entropy. For enhanced security the NexLog DX-Series recorder does not generate or provide you with original AES keys. If you do not have your own key generation utility, you can perform a websearch for “Random Byte Generator”. The website www.random.org/bytes provides a generator that uses atmospheric noise for its source of entropy.

Note

Eventide is not affiliated with Random.org and cannot warrant use of, or the availability and reliability of their operations.

Important

Once you have generated a secure 32 byte AES key, it is recommended that you store it in a safe or another secure location. You should also maintain your own external record of key changes, rotations, and deletions with dates and timestamps. Configuration Backups will contain the KEK version of your encryption keys, but this should not be your only method of key backup. Eventide is not able to recover encrypted recordings if the AES key is not available.

Adding an Encryption Key

Fig. 7.64 Adding an Encryption Key

  1. click Add Key at the bottom of the Encryption at Rest page.

  2. Then paste your AES encryption key. Your encryption key should be a 256-bit AES key represented using 32 Hex Bytes, or 64 hexadecimal characters (A-F,0-9). It should not contain spaces or symbols. Keys are not case-sensitive.

  3. If this will be the key used to actively encrypt recordings, click the active checkbox. Otherwise, the key will be added in an Inactive state.

  4. Click Add at the bottom of the page.

Once you add an AES key, the recorder will encrypt your AES key using a Key Encryption Key and store then it on internal NAND flash memory. This will protect your keys in the event of a total hard drive failure. A backup copy should still be maintained.

7.3.10.3. Enabling Encryption at Rest

Once your AES key has been added to the recorder, click the Enable checkbox and enter the channels you would like to be encrypted. The channel field supports multiple channels using comma separation and ranges. The example in Figure 67 shows that channels 5,6,7,9, and 23 through 48 will be encrypted before written to the hard drive. After your channels have been entered, press Submit Global Settings.

Future recordings will now be stored on the internal RAID and archived in an encrypted format. Encryption at Rest will not encrypt recordings that have already been created and stored on the RAID or on pre-existing archives.

7.3.10.4. Encrypted Playback

Once your recordings are encrypted, there will be no noticeable changes in the way you playback recordings. The recorder will automatically decrypt them before streaming them to MediaWorks DX.

In order for the recorder to decrypt the recordings, the encryption key must remain on the system. Deleting a key that was previously used will render any recordings that were encrypted with it unplayable. As shown in the figure below, if the AES key used to encrypt a played recording is not available, the system will display a “!” indicating that the recording is inaccessible. Hover the mouse over the exclamation point to confirm the reason.

Encrypted Recording Unavailable

Fig. 7.65 Encrypted Recording Unavailable

Encrypted Recording Mouse Over Explanation

Fig. 7.66 Encrypted Recording Mouse Over Explanation

Adding the original key back into the NexLog DX-Series will allow playback to resume. (see Adding an AES Key)

Encrypted Call Playback in |MW|

Fig. 7.67 Encrypted Call Playback in MediaWorks DX

Once Encryption at Rest is enabled, a new metadata column will be created in MediaWorks DX. To view it, right click the column header in the callgrid and enable Encryption on Disk.

A value of Yes means that the recording is encrypted.

A value of Partial means that only a portion of the recording was encrypted. This can occur if a recording was in progress when Encryption at Rest was enabled/disabled, or while the active key was being changed.

A blank value means that the recording is not encrypted. The channel in question may not have been included in the Encryption at Rest channel field.

7.3.10.5. Encryption with NexLog DX-Series Access Bridge

If NexLog DX-Series Access Bridge is being used for playback, the AES key will only need to reside on the source recorder that originally captured and encrypted the recording. It is unnecessary to load the AES key on other recorders.

7.3.10.6. Archiving Encrypted Recordings

Once Encryption at Rest is enabled, any encrypted recordings set to archive will remain in their encrypted state. If the need arises to playback or restore archived encrypted recordings, the original AES key will need to be added to the playback recorder. If encrypted recordings are being Central Archived, the receiving recorder will need the AES keys originally used to encrypt them.

Note

Encrypted local archives cannot be played in MediaWorks DX Desktop since the archives do not contain any AES keys. The archive must be mounted to a NexLog DX-Series as a remote archive, and the NexLog DX-Series must original AES key loaded.

7.3.10.7. Exporting Encrypted Recordings

When exporting an encrypted recording, the NexLog DX-Series will automatically decrypt the file before downloading it to your computer. If you wish to maintain recording encryption, you will need to export the files as a password protected local incident. For enhanced security, this method will not use your original AES key, instead it will encrypt the recordings using the password entered on export.

7.3.10.8. Background Vocoding Encrypted Recordings

The IMBE/AMBE Vocoder section below discusses the use of background vocoding for IMBE and AMBE recordings. If encryption is enabled on channels recording P25 radio traffic, the recordings will be encrypted before writing them to the internal RAID. If background vocoding is enabled, the recording will be decrypted before being vocoded. Once the recording is vocoded, it will be encrypted again using the currently active AES key. If the original key is not available for the initial decryption, alert code 66 will be triggered to alert you that a key is missing.