
Frequently Asked Questions about File Data Encryption in M-Files On-premises Vaults

Last updated on 29 December 2020

Admin
M-Files Admin

Overview


To enhance the data security of the M-Files system, M-Files can be configured to encrypt the file data of a vault. This is done in M-Files Admin, on the Advanced tab of the Document Vault Properties window, by selecting the "Enabling encrypting file data at rest" option. File data is encrypted with the AES-256 algorithm, which is compliant with the FIPS 140-2 standard.

Note that enabling the encryption does NOT encrypt the existing files. To encrypt them, update the encryption status via the vault's right-click context menu, under the Maintenance submenu. After the encryption status update has finished, you must also run a thorough optimization, selecting the delete files checkbox if prompted. If you have MS SQL and file data on disk, this operation must not be done between the metadata and file data backups, as this will invalidate the backup cycle.

This article answers the most frequently asked questions about file data encryption in on-premises vaults. For general information about encrypting file data at rest, see the document "Protecting File Data at Rest with Encryption in M-Files" in our Knowledge Base:

https://kb.cloudvault.m-files.com/Default.aspx?#3ECA226F-7B54-428B-B539-DE443E6134EC/object/CAB2C1CC-9DF8-4F89-841F-20857383E0B6/latest

Questions and Answers


Q: Where are the keys for encryption kept / who has access to them?
A: The encryption keys are stored in the vault's SQL database, but they are not easily recoverable from there because some additional logic is required to rebuild them.

Q: Can I change the encryption keys?
A: The encryption keys are managed automatically. Administrators can change the encryption keys by disabling and re-enabling the file data encryption in M-Files Admin, on the Advanced tab of the Document Vault Properties window. Note that the new encryption key is used to encrypt the file versions that are uploaded to M-Files Server after changing the key. If you want to encrypt all the existing files using the new encryption key, you must run the Update Encryption Status of Existing Files feature in M-Files Admin. You must also run the thorough optimization in this case, as described in the overview section of this article.

Q: Does the encryption slow down M-Files operations?
A: Enabling the file data encryption does not have a noticeable impact on system performance. The files are encrypted and decrypted on the fly using a fast symmetric algorithm. Enabling encryption has a slight but overall insignificant impact on the size of the file data.

Q: If the encryption is enabled, does this affect backup and restore of the vault data?
A: Backup and restore work as usual.

Q: Can I move the encrypted files to another M-Files server? Do I have to transfer the encryption keys to another server?
A: If you have an encrypted M-Files vault, you can transfer the vault to another server like any other vault.

Q: Are the files also encrypted in M-Files Desktop when they are cached there?
A: M-Files client software may cache data in unencrypted format. It is therefore recommended to encrypt the hard drives of the devices using Windows BitLocker or a similar tool.
Data files in the M-Files Desktop cache can also be protected from viewing. For instructions on how to enable Desktop cache data protection, see the chapter "Protecting File Data at Rest on M-Files Clients" in the document "Protecting File Data at Rest with Encryption in M-Files" referred to earlier in this article.

 
