TODO: Write some high level description of the engine here

This article describes the sign and encrypt engine in Smart ID Identity Manager. There are a number of use cases in Identity Manager that are based on encryption or signing, for example:

• Encrypt and decrypt fields in the Identity Manager database

• Sign and verify object history

• Sign and validate config zip files

• Encrypt config zip files

• Sign and encrypt emails

• Create device encryption certificates used in certain Hermod scenarios

• Authenticate Smart ID Self-Service users to the Identity Manager backend

• Creating JWS signatures used for Hermod's content provider API

• Decrypting PIN blobs from pre-personalized smart-cards created with Personal Desktop Client

• Attestation for provisioning to Smart ID Mobile / Desktop Apps

Sign and encrypt engine

The sign and encrypt engine is the central component of Identity Manager for signing, verification, and encryption using keys and certificates. It handles several use cases, like encryption and decryption of fields in the Identity Manager database, signing, verification, and encryption of the object history and more.

Most use cases have to be configured for each deployment, so that the private keys are kept secret. The sign and encrypt engine provides a consistent configuration of keys and certificates for both signing and encryption. You can define algorithms and parameters and reference keys from an HSM (for most use - cases) or from PKCS#12 files (always supportedfor all use cases).

Additional Information

...