IBM Endpoint Manager, Version 9.1

Managing Client Encryption

Server and relay-bound communications from clients can be encrypted to prevent unauthorized access to sensitive information. To enable it, you must generate a key and provide a setting value. The value is set in the console and is described in Enabling encryption on Clients. The key is generated from the Encryption tab of the IBM Endpoint Manager Administration Tool:

  1. Launch the IBM Endpoint Manager Administration Tool by selecting Start > Programs > IBM Endpoint Manager > IBM Endpoint Manager Administration Tool.
  2. Select the Encryption tab.

At the top of the dialog is a statement of the current state (in this example: Report encryption is currently DISABLED). Client encryption has four states: Disabled, Pending, Enabled, and Pending Rotation:

Disabled
This state indicates that no encryption certificate is included in your deployment masthead, which means that Clients cannot encrypt their reports even if they are told to do so. Click Generate Key to create an encryption certificate (and the corresponding private key, which can be used to decrypt reports at the receiving end). The state then changes to Pending.
Pending
In this state, an encryption certificate has been generated and is ready for deployment, but the private key has not yet been distributed to all necessary decrypting relays and servers. When you have manually distributed the private key, click the Enable Encryption button to embed the certificate in the masthead and send it out to all clients. The state is set to Enabled. Click Cancel to return to the Disabled state.
Enabled
In this state, an encryption certificate has been found in your deployment masthead, which means that you are able to turn on encryption (using the setting discussed previously) for any of the clients in your deployment. At any time, you can click Generate new key to create a new encryption certificate. This is useful if you have a key rotation policy or if your encryption key is ever compromised (see next section). Generating a new key returns the state to Pending (unless you choose to deploy immediately as described in the next section). You can also click Disable to move back to the Disabled state.
Pending Rotation
In this state, an encryption certificate is included in your deployment masthead, and a new certificate has been generated and is ready to replace the existing certificate.

