Scribd
Upload
266 views20 pages

Encryption Wizzard Manual

Encryption Wizard 3. User Guide ATSPI Technology Office Air Force Research Laboratory Last Updated: 1 June 2011 For EW versions >= 3.2.

Uploaded by

joeduprix
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
266 views20 pages

Encryption Wizzard Manual

Encryption Wizard 3. User Guide ATSPI Technology Office Air Force Research Laboratory Last Updated: 1 June 2011 For EW versions >= 3.2.

Uploaded by

joeduprix
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

Encryption Wizard 3.

2 User Guide

ATSPI Technology Office Air Force Research Laboratory

Last Updated: 1 June 2011


For EW versions >= 3.2.10

ATSPI Technology Office Encryption Wizard User Guide

Table of Contents
1. 2. 3. 4. 5. General Information .................................................................................................... 3 System Requirements.................................................................................................. 3 Recommended Use ..................................................................................................... 3 Installation and Setup .................................................................................................. 3 Using Encryption Wizard ........................................................................................... 4 5.1. Launching Encryption Wizard ............................................................................. 4 From a Windows Explorer window ............................................................................ 4 From a Windows or Linux command prompt............................................................. 4 5.2. Encrypting a File .................................................................................................. 4 Selecting a File to Encrypt .......................................................................................... 4 Selecting the Key Type ............................................................................................... 5 Encrypting with a Passphrase ..................................................................................... 5 Encrypting with PKI Certificate(s) ............................................................................. 6 Adding File Metadata ................................................................................................. 7 5.3. Decrypting a File .................................................................................................. 7 5.4. Encryption Wizard Archives ................................................................................ 8 Selecting Files for an Archive..................................................................................... 8 Creating an Archive .................................................................................................... 8 Selecting the Keying Material for an Archive ............................................................ 9 Expanding the Archive ............................................................................................... 9 6. Additional Features and Options .............................................................................. 10 6.1. Hotkeys............................................................................................................... 10 6.2. Command Line Options ..................................................................................... 11 6.3. Associating the .wzd and .wza file extensions ................................................... 11 6.4. Selectable Options .............................................................................................. 12 6.4.1. Selecting the default encryption/decryption behavior .................................... 12 6.4.2. Selecting the default file deletion behavior .................................................... 13 6.4.3. Disabling the metadata request dialog ............................................................ 13 6.5. Optional Key Escrow ......................................................................................... 13 7. Licensing ................................................................................................................... 13 8. Obtaining Support ..................................................................................................... 13

ATSPI Technology Office Encryption Wizard User Guide

1. General Information
Encryption Wizard is a Java-based file encryption program that can be used to quickly and easily encrypt sensitive files. It is an easy to use tool for protecting sensitive (but not classified) documents1, and for protecting files before transmission via email. It allows a user to encrypt files using a 128-bit implementation of the Advanced Encryption Standard (AES) with simple drag-and-drop efficiency. Encryption Wizard can significantly increase an organizations security posture at little to no cost to protect sensitive data in transit (E-mail, FTP, or shared web folders) or at rest on a removable storage device. The primary version for government users utilizes a FIPS 140-2 validated encryption engine licensed from RSA Security.

2. System Requirements
Any operating system capable of running the Oracle Java Runtime Environment (e.g.: Windows, Linux, MacOS). Oracle Java Runtime Environment (JRE) 1.5 or greater. Encryption Wizard is often distributed on a CD-ROM that contains a copy of the most current version of the JRE, which can also be downloaded from http://www.java.com. Oracle does not currently support smart cards via the PKCS#11 interface on 64-bit Microsoft Windows systems; this means that EW does not currently support CAC/PIV on PLEASE Windows x64 editions. See section 2.1 of the following for details: NOTE: http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#Requi rements

3. Recommended Use
The AFRL/RY ATSPI Technology Office recommends the use of this tool for the protection of all sensitive data when in transit or at rest.

4. Installation and Setup


Encryption Wizard requires no installation or setup process. Assuming that a recent version of Java is installed on a users system, Encryption Wizard may be executed simply by double-clicking on the executable, wizard-3.2.10{-FIPS}.jar. On Microsoft Windows, there are user convenience features that associate the Encryption Wizard file types with the tool and a Send To context menu as well (see Section 6.3 for details).

Encryption Wizard is approved for use on some classified networks for enforcing need-to-know within the network. EW has not been certified to render classified materials as unclassified when encrypted. ATSPI Technology Office Encryption Wizard User Guide

5. Using Encryption Wizard


5.1. Launching Encryption Wizard
Encryption Wizard can be accessed either through the command line in Windows or Linux, or by double clicking on the Encryption Wizard .jar file.

From a File Explorer window


1. Browse to the directory that contains the Encryption Wizard file 2. Double click on wizard-3.2.10.jar

From a command prompt


Change directory (cd) to the directory holding the JAR file and type: java -jar wizard-3.2.10.jar

5.2.

Encrypting a File

Selecting a File to Encrypt


To encrypt files, open Encryption Wizard and add a file to the main file list in one of the following ways: Drag and drop file(s) to the file list window (middle of application - see Figure 1) Use the menu to select Add File, choose file(s) from the file selection dialog Press a to bring up the file selection dialog

ATSPI Technology Office Encryption Wizard User Guide

Figure 1: Encryption Wizard User Interface

Selecting the Key Type


1. Once the file is in the file list, select the file(s) to encrypt and click the Encrypt button in the bottom tool bar (lower left inside Figure 1) OR press e. If no files in the file list are selected, all files in the file list will be encrypted. 2. Select the key type by selecting: passphrase, Public Key Infrastructure (PKI) Certificate, or both (see Figure 2)

Figure 2: Choose a Key Type

Encrypting with a Passphrase


Enter and confirm the passphrase, then select Encrypt>> or press Enter. After the file is encrypted, the user will be asked if they wish to delete the original file (this behavior is user selectable, see Section 6.4). The file is now safe to send over the Internet or store on ones portable media/computer. Be sure to select a memorable passphrase or record it out-of-band (e.g. Write it down and put it in a safe place). Encryption Wizard does not have a key NOTE: escrow or master key feature if the passphrase is lost, forgotten, or misentered, the data cannot be decrypted. When encrypting a file to share with someone else, choose a passphrase that NOTE: can be shared do not use a personal computer or network login password or other sensitive personal passphrase. Encryption operations are irreversible without the original keying material (passphrase or PKI certificates) make sure to either keep a copy of the NOTE: passphrase or of the original data. If it is possible to encrypt with a PKI public key, consider using it as a backup to a lost password.
ATSPI Technology Office Encryption Wizard User Guide

Encrypting with PKI Certificate(s)


A user may select PKI Certificates two different ways. First, PKI Certificates can be read from a smartcard (e.g.: CAC or PIV). Insert the smartcard into the reader and enter the Personal Identification Number (PIN) when asked for it. Choose the Encryption Certificate. Second, multiple public key certificates can be read from public key certificate files (.cer). The files can be added by either dragging the files into the window or by selecting the Add from File button (see Figure 3). A user can encrypt a file with the public key certificates of every member of a team to create a file that can only be read by team members. Public key certificates for DoD team members can be located and downloaded from https://dod411.gds.disa.mil. A user may use public key certificates from both a smartcard and from public key certificate files.

When using the DoD CAC, always use the Encryption Certificate this is the only certificate that is kept in escrow by DISA for later retrieval. If you NOTE: encrypt your data with any other certificate, you may not be able to decrypt the file if you have been issued a new CAC. If the file is encrypted with only a third partys PKI certificate, then only the holder of that PKI certificate will be able to decrypt the file. For example: If NOTE: a file is encrypted with only the PKI certificate of the Secretary of Defense, then only the Secretary of Defense can decrypt the files. If you want to be able to decrypt the file, you will need to add your own public key.

Figure 3: Select PKI Certificates

ATSPI Technology Office Encryption Wizard User Guide

Adding File Metadata


After providing the PKI information and/or passphrase, Encryption Wizard now optionally requests searchable metadata on the encrypted file. The user supplied metadata (see Figure 4) is stored inside the encrypted file in cleartext so that it may be indexed by enterprise search tools. If you have installed Encryption Wizard and do not plan to use the metadata functionality, you may configure Encryption Wizard to suppress the display of the metadata dialog.

Figure 4: Metadata enables search of encrypted content

5.3. Decrypting a File


The process for decrypting a file with Encryption Wizard is similar to the process for encrypting it. Simply add an Encryption Wizard file (a file with the extension .wzd) to the file list by dragging and dropping it, pressing a, or selecting FileAdd File from the menu. (Once Encryption Wizard is installed [see section 6.3, Associating the .wza and .wza file extensions], the user may also double-click on the file in Windows.) Once the file is in the Encryption Wizard file window, select the file and press the Decrypt button. Encryption Wizard will ask for the keying material that was used to encrypt the file. If the file was encrypted with PKI, select a PKI source either a private key PKI file or a smartcard; if it was encrypted with a passphrase, select Passphrase (see Figure 5). If the file was encrypted with PKI, follow the prompts from the smartcard middleware or unlock the private key PKI file. If the file was encrypted with a passphrase, enter the passphrase, and press OK or hit Enter or Return. If the file was encrypted with both PKI and a passphrase, use the decryption method that is most convenient.
ATSPI Technology Office Encryption Wizard User Guide

Figure 5: Choose a Decryption Key Type

The original file will be decrypted and restored to the original filename and extension.

5.4. Encryption Wizard Archives


Encryption Wizard supports the ability to create encrypted and optionally compressed file archives. Encryption Wizard Archives are similar to WinZip or other file archive utilities, except that they are secured by strong encryption. Encryption Wizard Archives are good for retaining backups of sensitive information on media that cannot or does not have to be physically secured.

Selecting Files for an Archive


To select files to archive: Drag and drop file(s) to the file list window (middle of application - see Figure 1) Use the menu to select Add File, choose file(s) from the file selection dialog Press a to bring up the file selection dialog

Creating an Archive
Name the archive by entering a filename; a user may also optionally select a path for the archive using the Browse button. Compression is enabled by selecting the Compress checkbox (see Figure 6). The encrypted archive file is given a .wza file extension (e.g.: filename.wza).

ATSPI Technology Office Encryption Wizard User Guide

Figure 6: Creating an Encryption Wizard Archive

Selecting the Keying Material for an Archive


Keying material for Encryption Wizard Archives are selected in the same manner as other Encryption Wizard files, see Section 5.2 for more details.

Expanding the Archive


Once a user opens Encryption Wizard and selects the archive(s) to expand, select the Expand action (see Figure 7).

Figure 7: Choosing an Encryption Wizard Archive to Expand ATSPI Technology Office Encryption Wizard User Guide

Next, specify the directory in which to expand the archive (see Figure 8). Selecting Next >> expands the archive to the specified directory.

Figure 8: Expanding an Encryption Wizard Archive

Key material selection is the same as for an encrypted file, see Section 5.3.

6. Additional Features and Options


Encryption Wizard has additional features that make encrypting files and data easier to accomplish.

6.1.

Hotkeys

Hotkeys provide a quick way to access the main features of Encryption Wizard. To use a hotkey, simply type the hotkey while the Encryption Wizard window is the active window: a r e d c l Del F1 Ctrl-A Esc Add files to the file list Refresh files in the file list Encrypt selected unencrypted files in the file list Decrypt selected encrypted files in the file list Archive the selected files in the list Access the Encryption Wizard log Remove selected file(s) from the file list Access the help system Select all the files in the file list Deselect all files in the file list
ATSPI Technology Office Encryption Wizard User Guide

10

6.2.

Command Line Options

Encryption Wizard has command line counterparts for most GUI operations. The command line interface may be used to encrypt files, decrypt files, and to create archives. The general command line format is as follows. All operations and options must start with a '-' (hyphen).

java -jar wizard3.jar [operation] [options] FILE1 FILE2 ...


Only a single operation may be specified. If no operation is supplied, an Encryption Wizard window will be opened and its file list will be populated with any files specified on the command line. Possible operations are:

h e d a ARCHIVE_NAME x DEST_PATH s

Print a help message that lists available options and operations Encrypt files Decrypt files Create an archive named ARCHIVE_NAME Expand an archive to the path DEST_PATH Let Encryption Wizard guess what to do based on the input file types

Multiple options may be specified. Possible options are:

c p PASSPHRASE v

Enable compression En/decrypt with passphrase PASSPHRASE Enable verbose logging

The user may select one of the following operations to perform: encryption, decryption, archive creation, or archive expansion. The archive functions require a path argument to tell Encryption Wizard either what the name of the archive file should be, or where to store files that are expanded from an archive.

6.3.

Associating the .wzd and .wza file extensions

(The following features are limited to Microsoft Windows.) A user can associate the .wzd and .wza extensions with Encryption Wizard. This will allow Windows Explorer to display a special icon for Encryption Wizard files, and allow Encryption Wizard to be executed when a .wzd or .wza file is double-clicked. This feature also adds Encryption Wizard as a Send To destination (access Send To by right-clicking on a file in Explorer).

ATSPI Technology Office Encryption Wizard User Guide

11

To associate Encryption Wizard to its file types and add it to the list of Send To destinations: From the toolbar, select Tools Select Install This feature does not currently work with the FDCC/SDC unless the user is an administrator. However, the registry changes needed to achieve these effects could easily be pushed out across an enterprise. Please contact the ATSPI Technology Office for details.

NOTE:

6.4.

Selectable Options

Encryption Wizard includes a number of configuration options that will be stored in the users application preferences directory. Figure 9 illustrates these options.

Figure 9: Selecting configuration options

6.4.1. Selecting the default encryption/decryption behavior


Versions of Encryption Wizard prior to 3.1.100 would encrypt and decrypt files in place if a file was encrypted, the original unencrypted file was deleted; conversely, if a file was decrypted, the originally encrypted file was deleted. This option was added to permit the user to select one of three options: Always delete the original form of the file (default behavior for versions < 3.1.100) Always keep files Always ask about removing the original form of the file (default behavior for versions > 3.1.100) Figure 9 illustrates the implementation of this option.

ATSPI Technology Office Encryption Wizard User Guide

12

6.4.2. Selecting the default file deletion behavior


Versions of Encryption Wizard >=3.2.4 include the option for performing a more secure delete. The method used is specified in DoD 5220.22-M National Industrial Security Program Operating Manual, February 1995, Section 8-501.d.1, and consists of overwriting all file locations three (3) times: first time with a character, second time with its complement, and the third time with a random character. Figure 9 illustrates the selection and implementation of this option.

6.4.3. Disabling the metadata request dialog


Version 3.2.9 adds the ability to disable the metadata request dialog (see Adding File Metadata on page 7 and associated Figure 4).

6.5.

Optional Key Escrow

Encryption Wizard also supports optional key escrow. The key escrow feature permits enterprises to embed a PKI key of their choosing into every file created by Encryption Wizard in their organization. This would permit the organization to recover encrypted data in the event that the original passphrase and/or PKI keys were lost or otherwise unavailable. This capability is referred to as Encryption Wizard Enterprise Edition. As of this writing, this feature must be enabled by the ATSPI Technology Office, see contact info in Section 8.

7. Licensing
Encryption Wizard is available in two forms: one that includes a FIPS 140-2 validated encryption engine (EW-Govt) and another that relies on the encryption capabilities native to a users Java Runtime Environment (EW-Public). The FIPS 140-2 validated version of Encryption Wizard contains a cryptographic module licensed from RSA. The FIPS version may only be executed by US Government employees or contractors under contract with the US Government and is for use on data for official government use. It may only be distributed by ATSPI and by designated ATSPI distribution authorities. Users may NOT examine code contained in the RSA licensed cryptographic module contained in the FIPS version. Information regarding RSAs FIPS 140-2 validation may be found here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#820

8. Obtaining Support
Encryption Wizard support is available by contacting the ATSPI Outreach office. AFRL/RY ATSPI Technology Office [email protected] http://spi.dod.mil

ATSPI Technology Office Encryption Wizard User Guide

13

Appendix A Obtaining copies of your old (escrowed) CAC certificates to decrypt old files
NOTE: This documentation is supplementary and is not fully tested across the DoD This document describes how to obtain expired or retired personal DoD PKI certificates from the escrow facilities at DISA, and use them to open files encrypted with the older PKI certificates with Encryption Wizard.
Summary of steps: 1. Obtain older PKI key from escrow 2. Prepare key for use with Encryption Wizard 3. Use with Encryption Wizard 1. Obtaining personal DoD PKI certificates There is both an automated and manual process. Full instructions and assistance can be received from your agency/service PKI helpdesk. Follow directions here2: https://afpki.lackland.af.mil/html/keyrecovery.cfm 2. Preparing an escrow certificate for use with Encryption Wizard Due to a bug either in Encryption Wizard or with the escrow certificates, you must first import the escrow key into Internet Explorer, and then export it into PKFX format to use it with Encryption Wizard. 2.1. Follow these instructions provided by the Air Force PKI Office to import the certificate into Internet Explorer (steps 12-22 of https://afpki.lackland.af.mil/assets/files/CI-07-02-002_Automated_Email_Encryption_Key_Recovery_QRG_V1100.doc) 2.2. Export the Certificate from Internet Explorer to PFX format 2.2.1. Open IE; Select Tools->Internet Options; click Content tab; click Certificates; Select escrowed certificate; Select export

Since AFRL is an Air Force unit, the following instructions reference instructions from the Air Force PKI office. They are provided in the hope that they will be of assistance to you.
ATSPI Technology Office Encryption Wizard User Guide

2.2.2. Export Private Key? YES

2.2.3. Save as PFX file use options as shown

ATSPI Technology Office Encryption Wizard User Guide

15

2.2.4. Choose a password it can be the same as the 16-character one from DISA or a unique one

2.2.5. Choose a filename that makes sense

ATSPI Technology Office Encryption Wizard User Guide

16

2.2.6. Click finish

2.2.7. Next, use the passphrase you used back in Step 19 of the AF PKI guide to import the DISA certificate into Internet Explorer

ATSPI Technology Office Encryption Wizard User Guide

17

2.2.8. All Done

3. Use exported PFX key with Encryption Wizard 3.1. Open the file encrypted with the old PKI key in Encryption Wizard

ATSPI Technology Office Encryption Wizard User Guide

18

3.2. Select Decrypt; select Private key file

3.3. Select the PFX file exported in step 2.2.5 (NOTE: you will need to expand the file selection filter to all files not just .p12 files)

ATSPI Technology Office Encryption Wizard User Guide

19

3.4. Enter password you selected in step 2.2.4.

3.5. Select the key and press OK

3.6. Enter password from step 2.2.4 again

3.7. Continue using Encryption Wizard


ATSPI Technology Office Encryption Wizard User Guide

20

You might also like