Audio file encryption

File encryption overview

MiaRec provides rock-solid audio encryption functionality, ensuring all call recordings are securely stored. MiaRec encryption functionality helps companies confidently adhere to the highest corporate security standards and comply with legal regulations such as PCI-DSS, HIPAA, Dodd-Frank, and Sarbanes-Oxley.

Some key features of MiaRec audio file encryption:

  • Asymmetric encryption, where a public key is used for encrypting and a private key is used for decrypting
  • Administrator has control over who can play back (decrypt) the recordings
  • In a multi-tenant mode, each tenant has it's own unique encryption key
  • Encryption is applied to backup data, as well

MiaRec Audio File Encryption

Audio file encryption vs role-based access control

MiaRec role-based access control system provides protection of data from unauthorized access to the MiaRec web-portal. Everyone accessing the system must be an authenticated user with associated set of permissions.

Audio file encryption provides an additional layer of security over the role-based access control system in MiaRec. If encryption is enabled, then audio files are stored on a hard disk in encrypted format. This insures that even if unauthorized user gains physical access to the storage system, he/she has no ability to play back recordings because he/she doesn't have the private encryption key.

Download of encrypted recordings

When a user downloads individual call recordings through MiaRec web-portal, the file is decrypted in flight. The file is saved on the user's computer in unencrypted form.

However, when a user uses the bulk download feature and downloads multiple call recordings in ZIP archive, then the downloaded files are retrieved in encrypted form. The user cannot play back such call recordings unless he/she imports them into the MiaRec system together with private encryption key.

Encryption for backups

Use of file encryption is beneficial for backup data, as well. All recordings in backup archive can be encrypted.

Encryption in multi-tenant environment

In multi-tenant mode, each tenant has it's own encryption key. Even if an audio file from one tenant becomes available to another tenant, the latter could not play back, because the file is encrypted with a different key.

Additionally, in a multi-tenant hosted environment, MiaRec supports the following usage scenario: Tenant may provide the service provider with the public encryption key only. The tenant doesn't is not required to disclose their own private key to the service provider. This means that nobody on the service provider side - even system administrators - would be able to play back tenants' call recordings. To play back such call recordings, they should be uploaded to tenant's private network and imported into a local instance of MiaRec software.

Encryption algorithms

MiaRec encrypts every call recording with asymmetric encryption. For every recording, MiaRec generates a random AES encryption key. This symmetric encryption key is then encrypted using asymmetric encryption (one key for encryption - often referred to as the "public" key - and a different key for decryption - often referred to as the "private" key).

MiaRec uses Advanced Encryption Standard (AES) for symmetric encryption (256-bit key) and the Rivest-Shamir-Adleman (RSA) public key algorithm for asymmetric encryption (2,048-bit keys).

The details and theory behind the asymmetric encryption method is beyond the scope of this article. However, a good primer is available at https://en.wikipedia.org/wiki/Public-key_cryptography. In short, a public key is used for encrypting data and private key is used for decrypting it. The public key doesn't need to be stored securely. Anyone can access the public key, but no one can use the public key to decrypt the data that the public key encrypted. The only way users can decrypt data is with the private key.

User access to encryption keys

Administrators need to grant particular users access to encryption key(s) before they can play back (decrypt) audio files. Note, the administrator may grant access only to those encryption keys which are granted to him/her. If administrator (even if he/she has role "Root administrator") has no access to the encryption key, then he/she cannot grant access to other users for the same key.

MiaRec software never stores encryption keys in the database in plain text for security reasons. Even if an unauthorized party gains access to database files, he/she could not retrieve the private keys because they are stored in encrypted format. There is no way to gain user's private key without knowing the user's password.

Configuration check-list

Configure MiaRec audio file encryption as follows:

  1. Create new encryption key or use existing one for System or Tenant (in multi-tenant mode)

  2. Export/backup new encryption key and save it in secure place for recovery purposes

  3. Grant access to encryption key to authorized users

  4. Enable audio file encryption on System or Tenant profile.

Create new encryption key

Navigate to Administration -> Storage -> File Encryption to create new encryption key.

Note, in multi-tenant version, you need to create key for "System" account first. Then you can create tenant encryption key. On System account, you do not need to enable "Audio file encryption" unless you record calls into System tenant (which is not recommended).

MiaRec License

MiaRec License

Import encryption key

Encryption key can be imported from the existing key rather than generated from scratch.

Navigate to Administration -> Storage -> File Encryption to import the existing encryption key.

MiaRec License

MiaRec License

Export encryption key

Navigate to Administration -> Storage -> File Encryption to export the existing encryption key.

It is highly recommended to export all existing keys and store them in secure place for backup purposes. You may need such backup copies when all authorized people forgot their passwords or database is destroyed and you need to recover the audio files from archive.

MiaRec License

MiaRec License

MiaRec License

MiaRec License

Grant access to encryption key

Navigate to Administration -> Storage -> File Encryption, select the appropriate key and authorize users to access the data encrypted with the same key.

Administrators need to grant particular users access to encryption key(s) before they can play back (decrypt) audio files. Note, the administrator may grant access only to those encryption keys which are granted to him/her. If administrator (even if he/she has role "Root administrator") has no access to the encryption key, then he/she cannot grant access to other users for the same key.

MiaRec software never stores encryption keys in the database in plain text for security reasons. Even if an unauthorized party gains access to database files, he/she could not retrieve the private keys because they are stored in encrypted format. There is no way to gain user's private key without knowing the user's password.

MiaRec License

MiaRec License

Enable file encryption

Non-multi-tenant configuration

In a non-multi-tenant configuration, navigate to Administration -> Storage -> File encryption and click "Edit configuration** to enable encryption for all data.

MiaRec License

MiaRec License

Non-multi-tenant configuration

In a multi-tenant configuration, navigate to Administration -> Storage -> File encryption, select the appropriate tenant profile, then click "Edit configuration** to enable encryption for this particular tenant.

Alternatively, you can enable encryption on tenant profile under Administration -> User Management -> Tenants.

MiaRec License

Export of the encrypted files

An important aspect of any file encryption facility's design is that file data is never available in unencrypted form except to users that access the file via the encryption facility. This restriction particularly affects backup process, when data is exported to external storage.

MiaRec addresses this problem by keeping files in encrypted form during backup process. The backup utility don't have to be able to decrypt file data before backup.

It is safe to export encrypted files to backup archive. The backup archive may be imported back to the same system or to new system during recovery process. When importing data to new system, it is necessary to import old encryption key as well.