SSProtect manages host-based information using encryption, integrity protection, strong access control, and a variety of additional protective facilities such as native workflow integration and continuous protection while data is used in application software.
With the optional use of :Recover, information is securely stored in an isolated Archive (often in the cloud) for restoration at a later time. The process was designed to be minimally intrusive with respect to end-user workflows, with results that are truly seamless except for a change in the way data is sent to and received from KODiAC (Cloud) Services.
Data transfers and storage are governed by a combination of proprietary secure networking primitives, patented cryptographic offloading, and isolation. This tight coupling manifests in several different Operating Modes, each with different features, as detailed in the article, Operating Modes.
The Managed Files/ Restore context menu selection (from the SSProtect notification icon) displays the set of managed data files associated with your SSProtect Login Profile, described in the article, Managing Host Data.
From this Hostlist display, choose a managed item (with a Protected State) then choose Versions... to display the Versionlist:
The Versionlist shows each individual managed instance of the chosen file, with each instance representing a secure access operation carried out by the noted SSProtect User(name).
Notice in this progression Versions 1, 2, and 5 have Size=0. This isn't the size of the file in local host storage; it instead represents the size of the file in the :Recover Archive. As expected, this indicates that those instances aren't stored. In fact, if you navigate back to the Hostlist, choose the same file then Restore, KODiAC Cloud Services will see that the latest Version, 5, doesn't exist in the Archive, and will subsequently search back to Version 4 and Restore its content.
This reality is reflected in the right-most column, "R" for Restore; "Y" indicates the associated instance can be Restored, while "-" indicates the instance is not in the Archive and thus cannot be Restored. We use "-" rather than "N" to facilitate quick review.
NOTE: Though not shown here, there are times when a non-zero file instance cannot be Restored. This happens when working with Double Conversion Mode at or near your Quota Limit, using the default Archive Retention Policy. This is further detailed below.
Versionlist Plaintext Hash
Notice the Plaintext Hash doesn't change between Versions 4 and 5 - this indicates the file's content wasn't changed, though the encrypted v5 is different than v4 since new keys are generated for each version.
This Hash value can be computed with either MD5 or SHA1 as determined by settings in the License and Components Interface. The setting is Global for an Organization's Users, and uses the default of MD5.
The above listing does not show Third Party or Peer Trust access, which is only available for viewing when you are utilizing a Privileged Account (Organization Administrator, assigned Organization Delegate, or an Individual Account). When present and utilizing an Unprivileged Account, the Version progression will skip peer-instantiated Versions, masking details.
In any case, using the default Hybrid Conversion Mode, you cannot Restore content that you did not create/ modify. Talk to DefiniSec about the realities of Double Conversion if this is a critical capability you need to utilize.
For further details, refer to the article, Restoring and Rebuilding.
The set of Archived files - the Archivelist - appears in the Managed Files/ Restore display after choosing the Archive... button, as follows:
The Archivelist enumerates the latest version of each stored file. Notice, in this case, 19.03.25 - WeeklySummary.docs lists Version 4 instead of the latest Version 5 shown in the Versionlist above. As previously noted, items with Size=0 are not in the Archive, and as a result this list does not reflect the presence of Version 5.
The Restore/ Rebuild operation is described in the aforementioned article, Restoring and Rebuilding.
File Size Details
When using Double Encryption with :Recover, the Versionlist reflects the encrypted (ciphertext) file Size at rest. The Archivelist, by comparison, instead refers to the plaintext Size (for the last Version candidate for Restore/ Replicate).
Note that plaintext file sizes are always less than ciphertext sizes, due to AES padding.
Associated :Assess File Reports will reflect both values in their respective portions of a progression (line items), though it's important to note that they also may not match Windows Explorer details due to local filesystem specifics.
Finally, when using Optimized Offloading, associated Sizes will be shown as zero (0), indicating that content is not available in the Archive for use with :Recover.
File Date/ Time Values
Date/Time information should match Windows Explorer figures - specifically the Last Modified value in a file's Explorer Properties display - of course with the caveat that Managed Files/ Restore displays enumerate content using UTC/ GMT values to align with :Assess Report data.
Host List Date/Time values may in certain cases be missing, replaced with "N/A". This indicates that a host-local version could not be found and/ or read, and also that an associated instance could not be identified in the Archive or data history. This can be encountered when a conversion operation is destructively interrupted, for example by removing power (from a desktop or workstation that doesn't have or use a battery).
Finally, if a file's Host List State does not match what's found in local storage, the Date/Time value will include an asterisk. This is a rare error condition that should seldom (if ever) be observed, and as a result warrants further investigation if/ when present.
Archivelist File Hashes
The Versionlist Hash value reflects plaintext computation, as noted above. Note that both plaintext and ciphertext hashes can be found in associated :Assess File Report entries.
The Archivelist only displays Hash data when the associated Filename cannot be decrypted, often the result of a critical failure while accessing managed content. This is seen when the Filename is replaced by the unique File ID, and the Path replaced by the (plaintext) Hash.
Archive List Functions
Controls are nearly the same as those described in the article, Managing Host Data, except as noted in the next section. This holds true for column-based sorting, and as you may notice, Lists are first displayed with most recent items at the top, descending by GMT date/ time associated with the item's last secured write/ close operation.
As expected, you can Filter/ Clear using the controls described for the Hostlist (don't forget the Filter retains its entry when navigating to other List displays), and you can also choose an item then Open Folder to open File Explorer in the target's native folder. If for some reason the native location has been removed, File Explorer will display the Overflow Folder.
Static Load, Refresh for Changes
The Managed Files/ Restore Lists are loaded and enumerated when you navigate to the context menu and choose to display content. As you perform operations and move from one List to another, you will find a need to see updated values. Use the Refresh button from any of the three displays to render updated content.
IMPORTANT: Remember that switching from one List view to another does NOT refresh content.
Archive and Hostlist Divergence
Hostlist functionality differs from the Archivelist for Clean and Refresh operations, which are described below. Opt Filter is not available from the Archivelist, though Replicate is unique to the Archivelist and not enabled elsewhere. Additional Replicate details will be provided in the near future.
The Archivelist can be quite long, and Archive Filenames are not stored in plaintext. For this reason, creating the plaintext enumeration is quite time-consuming, and for long lists takes more than a few seconds to complete.
For this reason, SSProtect keeps and refers to interim data that maintains state for all known entries, providing quicker secured access to changes (though this is not a true cache). Interim data is updated on the fly, each time application logic or end-user actions refer to Archivelist resources. This allows you to perform Archivelist Refresh operations that return updated information very quickly.
Cleaning the Archive List
Archivelist Clean removes the above-noted interim data then re-acquires all content going back to the very first day your Account was used. This can take some time after a couple years of use, as each entry can take upwards of 4-5s to process, depending on your host computer and dependency details.
Note that you shouldn't have to Clean your Archivelist except when working with Support to troubleshoot very specific issues.
Archive Retention Policy
When :Recover is enabled/ active for your Account, each time you access a managed file with Hybrid or Double Conversion Mode, a new Version is created and stored in the Archive (with a new set of corresponding keys). As items are added to the Archive, you use Quota space until you reach the given limit for your Account.
When using Hybrid Conversion Mode and you reach your Quota Limit, the target file is converted with Optimized Offloading and you are presented with notification (both visual and with details in the Host Debug Log).
If however you are using Double Conversion Mode and you reach your Quota Limit, the software searches for removal candidates based on age and a minimum, pre-configured constant - the Retention Constant.
This Retention Constant governs the minimum number of Archive-stored instances, or Versions, that must be retained for any managed item. Beyond that, as additional instances or Versions are added, older ones become candidates to be removed when space is needed for a new item.
This "expiration" procedure ensures that operations with multiple instances of a large file, or a set of large files, don't fill the Archive and preclude storage of less frequently accessed items that are smaller in size.
The Retention Constant is, by default, three (3), and it is set for an Organization (or Individual Account) when it is provisioned. Note that this cannot, at present, be changed after provisioning.
IMPORTANT: Retention Policy does NOT apply to the default Hybrid Conversion mode. There are tradeoffs to using Double Conversion, and as such it is limited to use by those authorized by Support once considerations are all communicated and well-understood by end-users.
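The expiration procedure described above, modeled as an added Python example; it is not SSProtect code. The oldest-first candidate order, counting the incoming Version toward the minimum, and storing nothing when no candidate remains are assumptions, and the file names, sizes and Quota are constructed.

```python
from dataclasses import dataclass

RETENTION_CONSTANT = 3  # page default: minimum archived Versions kept per item

@dataclass
class Version:
    file: str
    number: int
    size: int              # bytes counted against the Quota
    archived: bool = True  # False once expired ("-" in the R column)

def store(new, archive, quota, keep=RETENTION_CONSTANT):
    """Store `new`, expiring oldest Versions beyond `keep` per file; returns them,
    or None when the Quota cannot be met (assumption: nothing is stored)."""
    live = [v for v in archive if v.archived]
    used = sum(v.size for v in live)
    count = {}
    for v in live + [new]:          # assumption: the new Version counts
        count[v.file] = count.get(v.file, 0) + 1
    expired = []
    for v in live:                  # list order = age, oldest first
        if used + new.size <= quota:
            break
        if count[v.file] > keep:    # never drop an item below the minimum
            count[v.file] -= 1
            used -= v.size
            expired.append(v)
    if used + new.size > quota:
        return None
    for v in expired:
        v.archived = False
    archive.append(new)
    return expired

def restore_candidate(archive, file):
    """Latest Version of `file` still archived, or None."""
    live = [v for v in archive if v.file == file and v.archived]
    return max(live, key=lambda v: v.number, default=None)

def demo():
    """Constructed data: one small file and five Versions of a large one."""
    archive, quota = [], 100
    store(Version("notes.txt", 1, 5), archive, quota)
    for n in range(1, 6):
        store(Version("big.bin", n, 30), archive, quota)
    return archive

if __name__ == "__main__":
    print(*[(v.file, v.number, v.size, "Y" if v.archived else "-") for v in demo()], sep="\n")
```

In this model the two oldest Versions of the large file expire while the small file's single Version is kept, which is the behavior the Retention Constant is meant to guarantee.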
For more details, refer to the article, Archives and Quotas.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to email@example.com.
This article was updated w/ v9.1.5 of the :Foundation Client