From BioStar v2.8, the enhanced Personal Data Encryption is supported to protect the stored data in the server.
Data Encryption translates data into another form such as unreadable characters so that only people or a system with access to a correct encryption key can read it. It's a security method where information is encoded.
To protect the data stored in the database, we highly recommend activating the option Encrypt Personal Data On Database.
There are several things to know about the change of BioStar 2.8 or higher version.
Please read carefully since it might affect the system operation of the 3rd party DB link.
[Notice] If you would like to disable or enable [Personal Data Encryption], please make a backup of the exsiting DB and the file(system.conf, setting.conf, enckey). There would be DB migration progress while you disable or enable the DB encryption option. <Maria DB> [BioStar 2] Database Backup and Restore Instructions (Maria DB) [BioStar2] Alternate BioStar 2 Backup Tool <MSSQL DB> [BioStar 2] MSSQL Database Backup and Restore Instructions
Common Case 1. Select a folder to store the encryption key of Personal Data
BioStar 2 v2.8 or higher version allows selecting the folder which stores the encryption key during BioStar 2 installation.
The path can be not updated later.
Common Case 2. Please be aware the page
The system administrator has the responsibility to comply with the applicable laws of each country when using personal information, Biometrics data, or any other stored material.
Case 1. Start fresh with a clean installation
Note: The default encryption option of Personal Data on BioStar 2 Database is [USE].
If you are considering DB link for ERP system, please consider this part with your system engineer and you can't integrate BioStar 2 DB directly due to the personal data encryption.
The related menu list | What information encrypted is |
USER | User Photo (Profile Image), User Name, User Email, User ID, Telephone, Login ID, Password (Login Password), User IP, User Custom Field(For the description, click here), Card ID, Credential Info - PIN, Credential Info - Fingerprint Template, Face Template, Visual Face, Preview Image (12 items) |
MONITORING | User Name, User ID, Image Log |
TIME ATTENDANCE | Same as USER menu |
Settings>CARD FORMAT>Smart Card | The primary key/secondary key in the Smart card layout |
Settings>AUDIT TRAIL | Related personal data same as USER menu |
Settings>TRIGGER & ACTION>BioStar>Action>Send Email | SMTP information, Password, User Name |
VISITOR | Related personal data same as USER menu |
Encryption Methods
Login Password, PIN: SHA-256 Encryption
Others except for Login Password and PIN: AES-256 Encryption
You can also check the enabled option to the below part and change the data encryption key.
(Direction: BioStar 2>Settings>Security>Advanced Security Settings>Encrypt Personal Data On Database)
"Advanced Security Settings" would only show up when the user ID 1(Administrator) logs in BioStar 2.
Note: The below information is excepted for Personal Data Encryption.
BioStar 2 AC DB: The User ID 1
BioStar 2 TA DB: The User IDs for administrator, user operator, monitoring operator, video operator, TA operator, and user operator in Operator Level.
For DB backup and restore instructions, please consider the file of the encryption key.
The encryption key file is located in C:\Program Files\BioStar 2(x64)\util and makes a backup DB.
For more details about DB backup and restore, click the below links.
- [BioStar 2] Database Backup and Restore Instructions (Maria DB)
- [BioStar 2] MSSQL Database Backup and Restore Instructions
Case 2. Upgrade from the formal version of BioStar 2
Note: BioStar 2 v2.8 or higher version will keep the previous configuration of Personal Data Encryption. It means the option should be manually enabled by BioStar 2 administrator if you were not using the option Encrypt Personal Data on Database during using the formal version BioStar 2. If you want to know the default encrypted data information, please click here.
Note: The name of the option Data Encryption was Server & Device Encryption Key manual management in Settings>Server>Advanced security settings on the formal BioStar 2. (v2.6 ~ v2.7.14)
From BioStar 2 v2.8, the option name is replaced with Encrypt Personal Data on Database and it is re-located in Settings>Security>Advanced security settings
Note: Please read carefully since the migration progress will take time if you enable the option of Encrypt Personal Data on Database. The completion time of data encryption from non-encrypted data to encrypted data depends on the number of user data, log data, image log data, and etc. This progress is not just chaining a simple configuration because BioStar 2 server will encrypt all personal data in the stored BioStar 2 database server.
How to enable the option [Personal Data Encryption]
1) Go to BioStar 2>Settings>Security>Advanced Security Settings.
2) Confirm the option Encrypt Personal Data on Database.
3) Enable the button from [Not use] to [Use] and set the personal data encryption key if you want to have unique key information. You can enter the personal data encryption key with 32 characters using letters, numbers, and symbols.
4) Confirm the page of data migration as follows. Click [Start] to start Data Encryption.
5) Confirm the popup 'Data migration complete'.
Note: The below information is excepted for Personal Data Encryption.
BioStar 2 AC DB: The User ID 1
BioStar 2 TA DB: The User IDs for administrator, user operator, monitoring operator, video operator, TA operator, and user operator in Operator Level.
For DB backup and restore instructions, please consider the file of the encryption key.
The encryption key file located in C:\Program Files\BioStar 2(x64)\util and make a backup DB.
For more details about DB backup and restore, click the below links.
- [BioStar 2] Database Backup and Restore Instructions (Maria DB)
- [BioStar 2] MSSQL Database Backup and Restore Instructions
Reference
[BioStar 2] Overview of BioStar 2 v2.8 and Cyber Security
[BioStar 2] BioStar 2.8.0 New Features and Configuration Guide
FAQ
Q.1) In the case of encryption of the personal data like user name, ID’s, and other fields in the database, how the database level integration is possible for third-party integration?
DB-Level Integration is not possible because of the encrypted data. We recommend BioStar 2 API integration to keep the encrypted data.
Q.2) Will the new encryption method be applied to all fields of user information? Including CUSTOM FIELD? Also, can we control which specific field to be encrypted?
The custom field will be encrypted. But, we do not have the option for the specific field to be encrypted.
Q.3) Can I encrypt the personal data and then, decrypt it without losing the data?
Yes, with the option(Encrypt Personal Data On Database) of BioStar 2, you can encrypt and decrypt the data without losing the personal data and log. For the items, please refer to the above.