Encrypting your databases and files

ABBYY FlexiCapture 12 does not include any encryption mechanisms of its own, but allows you to use standard and recommended encryption technologies from well-known suppliers of operating systems and database management software.

Database encryption

ABBYY FlexiCapture 12 supports Transparent Data Encryption (TDE), a technology for encrypting databases and protecting keys. Data are encrypted at the server level, and backups cannot be decrypted without a valid key.

Detailed information about how to encrypt data using SQL and Oracle is available on the Microsoft and Oracle websites.

File and temporary folder encryption

ABBYY FlexiCapture 12 supports Windows Encryption File System (EFS), a file encryption technology offered by Microsoft. EFS is used for encrypting files and folders on servers and client computers. It protects confidential information contained in files and folders by generating a unique key that uses a combination of server and user credentials.

Please refer to this section of the Microsoft website for detailed instructions on enabling EFS.

When EFS is used in ABBYY FlexiCapture 12, the following are encrypted:

  1. Storage folders
    In ABBYY FlexiCapture 12, the storage facility is controlled by the Application Server. For this reason, storage folders must be encrypted using the account under which the FlexiCapture 12 Web services application pool is running in IIS.
  2. Processing Station temp folders
    Depending on which account is used to run the station, you must encrypt either the domain user's temp folder or the NetworkService temp folder (C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp).
  3. Scanning Station (C:\Users\<username>\AppData\Local\ABBYY\ScanStationFC\4.0) or scanning plug-in (C:\Users\<username>\AppData\Local\ABBYY\ScanningPlugin\) temp folders and project folders.
    These folders must be encrypted using the account of the user that is using the Scanning Station.
  4. Export and import folders
    The Processing Station must have access to the files stored in the import folder, as well as write permissions for the export folder in order to be able to create files in that folder. To encrypt the import folder, the user that is running the Processing Station must have access permissions to these files.

    To encrypt files prior to sending them to the export folder, the Processing Station must use the key of the user that is running that Processing Station. This will allow the user to decrypt the files later.
    Note: Each new file added to an encrypted folder must be encrypted for each user of the Processing Station separately. For this reason, we recommend that files be placed into an import folder by the user that is running the Processing Station. If encrypted files are to be accessed by other users, one option is to use the Cipher.exe command-line tool. Please refer to the Microsoft website for detailed instructions on using the utility.
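
An added example, not part of ABBYY's documentation: a PowerShell audit that checks each folder type listed above for the EFS Encrypted attribute and counts the files inside that are still stored in plaintext. The storage, import and export paths are placeholders, and the function name Test-EfsEncrypted is made up for this example.

```powershell
# Added example: audit EFS coverage of the folder types FlexiCapture uses.
# Run elevated so other accounts' profile folders can be enumerated; reading
# the Encrypted attribute does not require the owner's EFS key.
param(
    [string]$ScanUser    = $env:USERNAME,                  # Scanning Station user
    [string]$StorageRoot = 'D:\FlexiCapture\FileStorage',  # placeholder path
    [string]$ImportRoot  = 'D:\FlexiCapture\Import',       # placeholder path
    [string]$ExportRoot  = 'D:\FlexiCapture\Export'        # placeholder path
)

# Role -> folder. Add the domain user's temp folder here if the Processing
# Station runs under a domain account instead of NetworkService.
$folders = [ordered]@{
    'Storage'          = $StorageRoot
    'Processing temp'  = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp'
    'Scanning Station' = "C:\Users\$ScanUser\AppData\Local\ABBYY\ScanStationFC\4.0"
    'Scanning plug-in' = "C:\Users\$ScanUser\AppData\Local\ABBYY\ScanningPlugin"
    'Import'           = $ImportRoot
    'Export'           = $ExportRoot
}

function Test-EfsEncrypted {
    # True when NTFS reports the item as EFS-encrypted.
    param([System.IO.FileSystemInfo]$Item)
    [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

$report = foreach ($entry in $folders.GetEnumerator()) {
    $path = $entry.Value
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        # Folder absent on this machine (for example, no scanning plug-in installed).
        [pscustomobject]@{ Role = $entry.Key; Path = $path; FolderEncrypted = 'n/a'; PlaintextFiles = 'n/a' }
        continue
    }
    # Files written before the folder was marked, or copied in by a tool that
    # clears the attribute, remain in plaintext even inside an encrypted folder.
    $plain = @(Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
               Where-Object { -not (Test-EfsEncrypted $_) })
    [pscustomobject]@{
        Role            = $entry.Key
        Path            = $path
        FolderEncrypted = Test-EfsEncrypted (Get-Item -LiteralPath $path -Force)
        PlaintextFiles  = $plain.Count
    }
}

$report | Format-Table -AutoSize
```

A folder reported with FolderEncrypted = False can be marked with `cipher /e /s:<folder>`, run under the account the list above names for that folder type, because EFS keys are per account.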

10.11.2020 12:08:03

