Novell iFolder 3.6 Security Administration Guide
novdocx (en) 11 July 2008

3.4 Creating an Encrypted iFolder

Novell iFolder 3.6 supports encrypted iFolder storage. To store files encrypted, users must ensure that the iFolder they are uploading to is created as encrypted. For that, they must ensure that the Encryption option is selected. They must also specify a passphrase and select a Recovery agent when creating an encrypted iFolder by using the iFolder thick client. However, this option is available only when you set the Encryption policy to On. In this case, users are free to choose between the two options: Regular and Encrypted. However, if you set the encryption policy to Enforced, users can create only encrypted iFolders and they cannot change this encryption setting for their iFolders.

NOTE: Even if the encryption policy is set to Enforced, you can create a shared iFolder by using the Create button on the iFolder page of the iFolder Web Admin console.

An existing iFolder cannot be converted to an encrypted iFolder, and an encrypted iFolder cannot be converted to a normal iFolder.

During the creation of an encrypted iFolder, the user is prompted to enter a passphrase and select a Recovery agent. iFolder uses the passphrase to dynamically generate a unique encryption key for encrypting and decrypting the iFolder data. Encrypted iFolders are not processed without the passphrase. If the user forgets the secret passphrase, he or she cannot access either the iFolder data or the encrypted key used for recovering it. In this case, the Recovery agent that was selected when the passphrase was set helps in recovering the encryption key. For more information on the Recovery agent, see Section 3.5, “Using the Recovery Agent.”

3.5 Using the Recovery Agent

The Novell iFolder 3.6 enterprise server uses a Recovery agent, which is an X.509 certificate-based entity used to recover a lost or otherwise unavailable key.

iFolder prompts a user to select a Recovery agent from a list when the user specifies the passphrase for an encrypted iFolder. However, this option is available only if you set the encryption policy to On by using the Web Admin console. When the user has lost or forgotten the passphrase, the Recovery agent helps the user to recover the data. The user exports the encrypted key and sends it to the Recovery agent by using the Key Recovery option available under the Security menu in the client. After receiving the encrypted key, the Recovery agent decrypts it by using its private key, and sends it back to the iFolder user. The user then imports the decrypted key and resets the passphrase by using the Security menu in the client.

3.6 Transferring the Encryption Key

The Recovery agent can encrypt the decrypted keys by using a one-time passphrase (OTP); it then sends both the encrypted passphrase and the key to the user. For secure OTP transfer, make sure that the Recovery agent uses an out-of-band communication or a separate e-mail communication to send the passphrase and the key to the user.

All the keys are Base 64 encoded for easier data exchange. The key is highly vulnerable during transfer if it is not encrypted with the OTP.
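
The recovery and transfer steps in Sections 3.5 and 3.6 can be walked through with generic OpenSSL commands. This is an added example, not iFolder's own code, algorithms or file formats: RSA-OAEP and AES-256-CBC with PBKDF2 are stand-ins chosen for the demonstration, and `recovery_demo` with all its file names is hypothetical. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added illustration of the recovery flow in Sections 3.5 and 3.6 using generic
# OpenSSL commands. These are NOT iFolder's own algorithms or file formats.
# All keys, the certificate and the OTP are constructed for this demo.
recovery_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        pad="rsa_padding_mode:oaep"
        # Recovery agent: private key plus self-signed X.509 certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Recovery Agent" \
            -keyout agent.key -out agent.crt 2>/dev/null &&
        # Stand-in for the iFolder data encryption key.
        openssl rand -out data.key 32 &&
        # iFolder creation: escrow copy wrapped to the agent's certificate.
        openssl pkeyutl -encrypt -certin -inkey agent.crt -pkeyopt "$pad" \
            -in data.key -out wrapped.bin &&
        # User: export the wrapped key, Base64-encoded for transport.
        openssl base64 -A -in wrapped.bin -out export.b64 &&
        # Agent: decode and unwrap with the private key.
        openssl base64 -d -A -in export.b64 -out wrapped.rx &&
        openssl pkeyutl -decrypt -inkey agent.key -pkeyopt "$pad" \
            -in wrapped.rx -out recovered.key &&
        # Agent: protect the recovered key under a one-time passphrase.
        # The OTP is read from a file so it never appears in the process list.
        openssl rand -hex 16 > otp.txt &&
        openssl enc -aes-256-cbc -pbkdf2 -salt -a -A -pass file:otp.txt \
            -in recovered.key -out reply.b64 &&
        # User: reply.b64 arrives on one channel, otp.txt on another.
        openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass file:otp.txt \
            -in reply.b64 -out imported.key &&
        cmp -s data.key imported.key &&
        # Holding only reply.b64 and guessing the OTP does not yield the key.
        echo "wrong-guess" > guess.txt &&
        ! { openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass file:guess.txt \
                -in reply.b64 -out bad.key 2>/dev/null &&
            cmp -s data.key bad.key; }
    ) && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

The function returns 0 only if the imported key matches the original and the wrong passphrase fails to recover it. `recovered.key` is the plaintext key, so Base64-encoding that file instead of `reply.b64` would give a reader of the message the key directly.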