SSProtect manages host-based information using a combination of encryption and strong access controls. With the optional use of :Recover, information is securely stored in an isolated Archive (often in the cloud) for restoration at a later time. The process was designed to be minimally intrusive with respect to end-user worfklows, with results that are truly seamless except for a change in the way data is sent to and received from KODiAC (Cloud) Services.
Data transfers and storage are governed by a combination of proprietary secure networking primitives and patented cryptographic offloading and isolation. This tight coupling manifests in one of two patented Operating Modes with numerous features, detailed in the article, Operating Modes.
:Confidential Files displays the set of host-managed content, as described in the article, Managing Host Data. From the Host List display, choose a managed item (with a Protected State) then choose Versions... to display the progression of individual edits to the file:
This progression shows a 0 file length for Versions 2 and 3, indicating that :Recover was disabled between Version 1 and Version 2. As such, any request to Restore/ Rebuild this file results in processing with the stored Version 1 instance.
The above listing does not show Third Party or Peer Trust access, which is only available for viewing when you are utilizing a Privileged Account (Organization Administrator, assigned Organization Delegate, or an Individual Account). When present and utilizing an Unprivileged Account, the Version progression will skip individual Versions, masking details.
In any case, you cannot Restore content that you did not create/ modify (though this information is available to the Organization using other methods - talk to your DefiniSec Representative for details).
For related details, refer to the article, Restoring and Rebuilding.
The set of Archived files appears in the :Confidential Files display after choosing the Archive... button, presenting the following:
This data shows the latest version of each file stored in the Archive, and reflects the latest Version available for :Recover Restore/ Rebuild operation. Notice, however, the file, 18.03.03 - Weekly Summary.docx lists Version 1 instead of the latest Version 3 shown in the previous Versions List. From that listing, it's apparent Versions 2 and 3 were not retained in the Archive (as evidenced by the resulting 0 Size), and as such those instances are masked from participation/ consideration by Restore/ Rebuild logic.
Restore/ Rebuild operation is in the aforementioned article, Restoring and Rebuilding.
File Size Details
When using Double Encryption with :Recover, the Versions Panel reflects the encrypted (ciphertext) file Size at rest. The Archive Panel instead refers to the plaintext Size (for the last Version candidate for Restore/ Rebuild). Plaintext sizes are always less than ciphertext values, due to cryptographic padding. Both values can be found in associated :Assess File Reports, but may not match Windows Explorer details due to local filesystem specifics.
When using Optimized Offloading, associated Sizes will be shown as zero (0), indicating that content is not available in the Archive for use with :Recover.
File Date/ Time Values
Date/Time information should match Windows Explorer figures - specifically the Last Modified value in a file's Explorer Properties display - of course with the caveat that :Confidential Files items use UTC values to align with :Assess Report data.
Host List Date/Time values may in certain cases be missing, replaced with, "N/A". This indicates that a host-local version could not be found and/ or read, and also that an associated instance could not be identified in the Archive or data history. This is often seen when a conversion operation is catastrophically interrupted, for example by removing power (without battery).
Finally, if a file's Host List State does not match what's found in local storage, the Date/Time value will include an asterisk. This is a rare error condition that should seldom (if ever) be observed, and as a result warrants further investigation if/ when present.
The Versions Panel Hash value reflects plaintext computation, though both plaintext and ciphertext hashes can be found in associated :Assess File Report entries.
The Archive Panel only displays Hash data when the associated Filename cannot be decrypted, often the result of a critical failure while accessing managed content. This is seen when the Filename is replaced by the unique File ID, and the Path replaced by the (plaintext) Hash. A future release will include the ability to toggle between Filenames and Paths to File IDs and Hash values in support of detailed investigation with File Report entries.
Archive List Functions
Controls are nearly the same as those described in the article, Managing Host Data, except as noted in the next section. This holds true for column-based sorting, and as you may notice, the List is first displayed with most recent items first, descending in order by GMT date/ time associated with the item's last secured write/ close operation.
As expected, you can Filter/ Clear using the controls described for the Host List (don't forget the Filter retains its' entry when navigating to other List displays), and you can also choose an item then Open Folder to open Explorer in the target's native folder, if it exists, else the Overflow Folder.
Note that state information is acquired when the Host List is first displayed. Switching views does not update scope or content. Use each Panel's Refresh capabilities, described below, to acquire updated file listings and associated state.
Archive and Host List Divergence
Host List functionality differs from the Archive List for Clean and Refresh operations, which are described below. Opt Filter is also not available from the Archive List, while Restore and Rebuild operate a bit differently for each of the three displays. These latter details will be more fully described in upcoming articles in this :Recover Topic.
The Archive List can be quite long, and thus can take more than a few seconds to load if starting from scratch. Filenames are not stored in plaintext, and as such must be downloaded then decrypted using both asymmetric (i.e. slow) and symmetric (not as slow) decryption.
For this reason, SSProtect keeps and refers to a local list that holds all known entries for quicker secured access (technically not a true cache). This list is updated each time application logic, or your actions, refer to the Archive List, keeping the latest entries available for your perusal.This implements a continuous Refresh cycle that is in fact the very same operation executed when you choose the Refresh button from this display.
Cleaning the Archive List
Clean in this case removes the local list file and re-acquires all content going back to the very first day your Account was used. This can take some time after a couple years of use, as each entry can take 4-5s, depending on your host computer. Work is already underway to further optimize these operations to remove any driving factor that motivates a Clean operation.
Storage Archive and Minimum Retained Versions
When :Recover is enabled/ active for your Account, each time you access a managed file, a new Version is created and stored in the Archive (with a new set of corresponding keys). When you reach your Quota limit, the software searches for removal candidates to determine if enough space can be made for the request, then proceeds when results align with the need.
This process is governed by requiring each stored item to maintain a minimum number of recent Versions under all circumstances, making certain multiple instances of a large file, or a set of large files, doesn't fill the Archive and preclude storage of less frequently accessed items that are smaller in size. By default, this count is three (3), though it can sometimes be changed.
Modifying the Minimum Retained Version
Once an Organization (or Individual Account) is provisioned, the minimum number of required Versions can be decreased, but never increased. If functionality was disabled when the Organization was provisioned, it cannot be enabled at a later time. As such, it's best to request a figure higher than the default for extra flexibility.
For more details, refer to the article, Archives and Quotas.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to firstname.lastname@example.org.
This article was updated w/ v7.1.0 of the :Foundation Client