Wednesday, May 23, 2012 11:10 AM
We have an infrastructure here where users already have an Aladdin eToken for personal authentication, e-mail encryption, file system encryption...
As I understand it, the user's public key is stored on the token and the public key is published in AD.
The respective certificates are signed by a trusted "official" CA and published within AD.
As I understand it, RMS uses its own encryption/decryption method, independent of the existing CA and certificate infrastructure.
Is it possible to enforce using the user's token key pair for encryption/decryption with RMS?
- i.e. a document would only be encrypted by RMS if the author's token is accessible, and would only be available to the selected users when their token is available.
(From what I read so far, my educated guess is that this is not implemented)
Thanks for your help in advance - Stefan
Wednesday, May 23, 2012 11:50 AM
No, this is not possible. The RMS infrastructure is based on a premise where keys are server-generated and distributed to the clients over a secured channel. Also, the keys for encrypting/decrypting the content cannot be stored on smart cards / cryptographic tokens.
However you can:
- require smart cards / tokens for authentication of users when accessing the RMS servers
- make use of HSMs in order to protect RMS-related keys (see for example this guide for more information: http://www.thales-esecurity.com/Resources/~/media/Files/Integration%20Guides/Microsoft_RMS_Windows_2008.ashx)
- Marked As Answer by IprefUnix Wednesday, May 23, 2012 1:14 PM