Installing an Encryption Key

This operation is mandatory for production environments. If it is not applied, the solution is vulnerable and may expose sensitive user information.

Some signing methods available on eSign collect and store biometric information on the signed documents. This is very sensitive information that is essential for future confirmation of a document’s veracity. However, it cannot, in any way, be used by other parties.
To protect biometric and other types of sensitive information, eSign encrypts this information with a public (asymmetric) key that is installed on the eSign instance.

Understanding Asymmetric Encryption

A public asymmetric key encrypts information in a way that can only be deciphered with the matching private key of the pair. Public asymmetric keys come with the advantage that, once the information is encrypted, not even the server that encrypted it will be able to decipher it with that same key.

The goal is to ensure that not even the institution that is using eSign and collecting end-user biometric information will be able to replicate or use that information for any purpose other than what the end-user authorized.

To ensure full security and non-repudiation, the institution owning the public key that encrypts sensitive data should never have access to the matching private key, which is traditionally kept by a trusted third party. This ensures that the private key will only be used when strictly necessary (for instance, in a legal dispute).

Generate a Key Pair

We strongly advise that the key pair is generated by a trusted third party, which will provide you with the public key.

  1. Generate an asymmetric key pair.

  2. The expected output contains a public key, which we will refer to as <YOUR_PUBLIC_KEY>.key.

Install Encryption Key

  1. From the esign-home directory, copy <YOUR_PUBLIC_KEY>.key to the resources directory.

  2. From the esign-home directory, open config/esign.config and add a new entry in the properties section:

    {
      ...
    
      "properties": {
    
        ...
    
        "signature.publickey": "${resources}/<YOUR_PUBLIC_KEY>.key"
      }
    }

  3. Restart the eSign instance.
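
A check that can be run against the esign-home directory before restarting the instance: it confirms that signature.publickey points to a file inside the resources directory and that no private key was copied there. This is an added example, not part of eSign; it assumes that config/esign.config parses as JSON, that ${resources} expands to the resources directory under esign-home, and that keys are PEM-encoded. The function names and the example.key file are hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path

PROPERTY = "signature.publickey"  # property name from the page
# Assumptions: PEM key files; ${resources} expands to <esign-home>/resources.
PRIVATE_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def check_key_install(esign_home):
    """Return a list of problems; an empty list means every check passed."""
    home = Path(esign_home)
    resources = (home / "resources").resolve()
    try:
        config = json.loads((home / "config" / "esign.config").read_text())
    except (OSError, ValueError) as exc:
        return [f"cannot read config/esign.config: {exc}"]
    value = config.get("properties", {}).get(PROPERTY)
    if not isinstance(value, str):
        return [f"{PROPERTY} is not set in the properties section"]
    key_path = Path(value.replace("${resources}", str(resources))).resolve()
    if resources not in key_path.parents:
        return [f"{key_path} is outside the resources directory"]
    if not key_path.is_file():
        return [f"{key_path} does not exist"]
    # No file in resources, the configured key included, may hold a private key.
    return [f"{p.name} contains private key material"
            for p in sorted(resources.iterdir())
            if p.is_file() and PRIVATE_MARKER.search(p.read_bytes())]


def demo():  # constructed esign-home with placeholder data, not real keys
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for name in ("config", "resources"):
            (home / name).mkdir()
        (home / "config" / "esign.config").write_text(
            json.dumps({"properties": {PROPERTY: "${resources}/example.key"}}))
        key = home / "resources" / "example.key"
        key.write_text("-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n")
        clean = check_key_install(home)
        key.write_text("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n")
        leaked = check_key_install(home)
    return clean, leaked


if __name__ == "__main__":
    print(demo())
```

The check only shows that no private key sits next to the installed public key; whether the key format is one eSign accepts still has to be confirmed against the product itself.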