Sign and encrypt engine

The sign and encrypt engine is the central component of Identity Manager for signing, verification, and encryption using keys and certificates. It handles several use cases, and most of them like encryption and decryption of fields in the Identity Manager database, signing, verification, and encryption of the object history and more.

Most use cases have to be configured for each deployment, so that the private keys are kept secret. The keys themselves can be stored in files or preferably on a Hardware Security Module (HSM) for increased security.

The use cases the engine handles include:

• Encryption and decryption of fields in the Identity Manager database (descriptor “encryptedFields“)

• Signing and verification of the object history (descriptor “objectHistorySigner“)

• Signing and validation of the configuration files (descriptor “configZipSigner“)

• Encryption of the configuration files (descriptor “configZipEncrypter“)

• Signing of emails (descriptor “signEmailDescriptor“)

• Creation of device encryption certificates that are used in Smart ID messaging (descriptor “hermodDeviceEnc“)

• Creation of JWS signatures used for Smart ID messaging content provider API (descriptor “ContentProviderJWSSigner“)

• Authentication of Smart ID Self-Service users to the Identity Manager backend (descriptor “SelfServiceJWTSigner“)

• Decryption of PIN blobs from pre-personalized smart-cards created with the Personal Desktop Client

• Attestation for provisioning to Smart ID Mobile / Desktop Apps (descriptors “att_*“)

The sign and encrypt engine provides a consistent configuration of keys and certificates for both signing and encryption. You can define algorithms and parameters and reference keys from an HSM (for most use - cases) or from PKCS#12 files (for all use cases).

Additional Information

...