File encryption

Clearance Developer Guide

Content type: Guides > Developer guides
Product line: Clearance
Locale: en-US
Applies to: Genetec Clearance

To ensure the security of your data and fulfill the requirements for sending Evidence files to Genetec Clearance™, you must encrypt your data following the principles of edge device encryption.

The encryption standard for Clearance is Azure Blob Storage client-side encryption. For guidance on encryption libraries, consult the reference design.

To encrypt an evidence item:

  1. Retrieve the user's public key from the Key Store Service API.

  2. Generate a new one-time-use symmetric AES256 key for the file (AES_CBC_256) locally.

  3. Encrypt the file using the generated AES256 key with PKCS7 padding (the upload can proceed at the same time).

  4. Wrap the AES256 key using RSA-OAEP with the user's public key retrieved in step 1.

  5. Send the encrypted key in the Azure Blob Storage metadata entry named x-ms-meta-encryptiondata. See the Azure SDK.

  6. Once the encryption metadata is sent, complete the resource/evidence.

Example metadata (JSON and C#)

JSON:

```json
{
   "ContentEncryptionIV":"3wpX+/BH7lI3GzNm9PAdng==",
   "EncryptionAgent":{
      "EncryptionAlgorithm":"AES_CBC_256",
      "Protocol":"1.0"
   },
   "EncryptionMode":"FullBlob",
   "WrappedContentKey":{
      "Algorithm":"RSA-OAEP",
      "EncryptedKey":"Bhm18f+hikcK5EMqMS28SgYRqIqCnuZMpEyJME6vsOo+2AUtvh3wWjYdNBP29PQ4MH2l5yHAJmKu0AIa/A3bmOm+tFIXfXkwQug9r7fCy8HOUK6Jhf2T/SqwGcjqOfbALkSQ74X6n1X+6C32cVhccfz7vFtVYKbGhKn81xTQqn2f15C417OKIsuZLdWIcTOqEE+OW4ouZT0900I4M6rYk28GmV3Bht59bVI3hIk5DuI3obFeYR0YpKZGkONxPyNsCnz5xmmth/SVl8/SRlmtFHf43H2zyeFmol3qdLYEngJaW1cmeCj6ArBIVYH6eEbFPg2Cu+bvmxL5qHtinjLVHA==",
      "KeyId":"https://dems-prod-eus-keyvault.vault.azure.net/keys/genetec-key/7b2cad59333347b989beccad2144d4ff"
   }
}
```
C#:

```csharp
using System.Diagnostics.CodeAnalysis;

// Model serialized into the x-ms-meta-encryptiondata blob metadata entry.
[ExcludeFromCodeCoverage]
internal class EncryptionDataModel
{
  // Random 16-byte IV used for AES-CBC; serialized as base64.
  public byte[] ContentEncryptionIV { get; set; }

  public EncryptionDataAgentModel EncryptionAgent { get; set; }

  public string EncryptionMode { get; set; } = "FullBlob";

  // Optional; not present in the JSON example above.
  public object KeyWrappingMetadata { get; set; }

  public EncryptionDataContentKeyModel WrappedContentKey { get; set; }
}

// The one-time AES256 content key, wrapped with the user's public key.
[ExcludeFromCodeCoverage]
internal class EncryptionDataContentKeyModel
{
  public string Algorithm { get; set; } = "RSA-OAEP";

  // RSA-OAEP ciphertext of the content key; serialized as base64.
  public byte[] EncryptedKey { get; set; }

  // Identifier of the wrapping key, for example a Key Vault key URL.
  public string KeyId { get; set; }
}

[ExcludeFromCodeCoverage]
internal class EncryptionDataAgentModel
{
  public string EncryptionAlgorithm { get; set; } = "AES_CBC_256";

  public string Protocol { get; set; } = "1.0";
}
```
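Steps 2 to 5 of the procedure above, carried through for one in-memory file as an added example in Go; this is not code from this guide or from Genetec, and the Key Store Service call (step 1) and the blob upload are assumed to happen around it. The key-store URL in main is a placeholder, and the OAEP hash is an assumption because the page does not name it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// EncryptEvidence carries out steps 2 to 5 for one evidence file held in memory: a fresh one-time
// AES-256 key and IV, AES-CBC with PKCS7 padding, the key wrapped with the user's RSA public key
// from step 1, and the x-ms-meta-encryptiondata JSON in the layout of the example metadata above.
// The page does not name the OAEP hash function; SHA-256 is an assumption made here.
func EncryptEvidence(plain []byte, pub *rsa.PublicKey, keyID string) (ct, meta []byte, err error) {
	buf := make([]byte, 32+aes.BlockSize) // 32-byte content key then a 16-byte IV, fresh per file
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, iv := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	// PKCS7 always appends 1..16 bytes, each equal to the pad length (a full block if already aligned).
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	meta, err = json.Marshal(map[string]any{ // []byte values become base64 strings, as in the example
		"ContentEncryptionIV": iv,
		"EncryptionAgent":     map[string]string{"EncryptionAlgorithm": "AES_CBC_256", "Protocol": "1.0"},
		"EncryptionMode":      "FullBlob",
		"WrappedContentKey":   map[string]any{"Algorithm": "RSA-OAEP", "EncryptedKey": wrapped, "KeyId": keyID},
	})
	return ct, meta, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the user's key held by the key store
	_, meta, err := EncryptEvidence([]byte("constructed sample evidence bytes"), &priv.PublicKey, "https://<key-store>/keys/<key-id>")
	fmt.Println(string(meta), err)
}
```

Only the holder of the matching private key can unwrap the content key, so the edge device never needs to retain it after the metadata is sent.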