Encryption and Key Exchange: Technical Overview
netfiles Data Vault protects data with end-to-end encryption (E2EE). The entire process is optimized for maximum user-friendliness. This article gives you a technical overview of the underlying processes and procedures.
For help with setting up your netfiles Data Vault, we provide you with this article.
For further technical information, please see our netfiles Data Vault whitepaper.
To offer E2EE in netfiles Data Vault, netfiles performs the following tasks:
- Encrypt/decrypt content in the browser with an AES-256 key to ensure the confidentiality and integrity of the content
- Store the key used for encryption/decryption in a secure location to which netfiles does not have access
- Pass on the key used for encryption/decryption to new members of the data room in a secure manner
To be able to use netfiles Data Vault, administrators and users need the following information:
- netfiles user name/e-mail address
- netfiles user password
- Data key
netfiles uses the following methods and technologies for this purpose:
- RSA-4096: Key exchange (private & public key)
- AES-256: Data encryption
- Argon2id: key derivation
- WebCrypto: key management, encryption and decryption
RSA key pair: Public and private keys
In order to share E2EE data with users and groups, an RSA-4096 key pair, consisting of a private key and a public key, is required. While the private key may only be known to the user and is required for decryption, the public key is freely accessible and is only used for encryption. Both the administrator and future users of a netfiles Data Vault require an RSA key pair. This is created when the data room is created (administrator) or as a result of an invitation to a data room (user).
For this purpose, the administrator or user is requested to create a personal “data key”. The data key is a password used exclusively for E2EE.
Important: The data key is independent of the netfiles user password, which is required to log in to netfiles. For security reasons, please never use the same password as your user password and data key.
The personal data key is (in addition to the netfiles access credentials) the only password that administrators and users need to memorize or store. All other processes required for working with E2EE data are handled by netfiles in the background. The data key can be used across multiple data rooms in the future and only needs to be created when accessing or creating a data room for the first time.
Procedure for administrators: When the administrator creates a netfiles Data Vault for the first time, netfiles generates an RSA key pair with a length of 4096 bits. The original private RSA key of this pair is encrypted with the administrator’s data key, which must be set by the administrator for this purpose.
Procedure for users: When a user is invited to a netfiles Data Vault for the first time, netfiles generates an RSA key pair with a length of 4096 bits. The original private RSA key of this pair is encrypted with the user’s data key, which must be set by the user for this purpose.
Recovery code
As netfiles never has access to the personal data key of the administrator or user, the loss of this data key would also irrevocably lock the data. As a safety measure, a recovery key is therefore generated for the user when the encryption is created.
For this purpose, a random sequence of 64 hex characters (“recovery code”) is generated during key derivation. This is used to generate an AES-256 key (“recovery key”) and an initialization vector (IV). The administrator’s or user’s private key is encrypted with this recovery key and stored. The recovery code must be stored securely.
AES data room key
To encrypt the data in a data room, netfiles generates a random seed (“data room key seed”) and derives from it the AES-256 key used for encrypting and decrypting data room content (“data room key”).
netfiles encrypts the data room key seed with the public key of the administrator or an invited user and stores it in their user account for this data room. netfiles then deletes the original, unencrypted data room key seed. For each session, a session-specific data room key is generated locally in the browser. From then on, all content, comments and annotations are automatically encrypted with AES in the browser of the administrator or invited user before they are sent to the server. To open or download content, comments or annotations, they are also decrypted in the browser after being retrieved from the server.
Encryption and decryption are seamless for the user and take place completely in the background once the personal data key has been entered.
Key Exchange: Invitation and confirmation of users in a netfiles Data Vault
Every user who is invited to an encrypted data room requires an RSA key pair (data key) in their user account. Accordingly, there are two possible invitation scenarios:
User has an RSA key pair (data key)
The administrator invites a user to the data room. The data room key seed is available locally in their browser. netfiles retrieves the public key of the invited person and uses it to encrypt the data room key seed. This encrypted data room key seed is then stored in the invited user’s account for this data room.
After the user has accepted the invitation, they must enter their data key. This decrypts the data room key seed locally in the browser, generates a data room key from the seed, and the user can then directly join the data room.
User does not yet have an RSA key pair (data key)
If an invited user does not yet have a data key, an additional release step by the administrator is required during the invitation process:
- The administrator invites the user to a data room.
- netfiles prompts the invited user to set a data key and generates an RSA key pair (as described above).
- Once the user’s keys have been generated, the administrator must approve the user. netfiles then continues the process as described above for users who already have a data key.