VSys Advanced Encryption uses the industry-standard PGP algorithms. This section is highly technical and is provided only as a reference for those trained in encryption and for the incurably curious.
Because PGP is an asymmetric encryption tool, every value protected by a given Advanced Encryption Key is encrypted with the same key, the public key. That encryption key is not a secret: it's stored in VSys right out in the open! The magic in PGP is that even knowing that key, you can't access the data: it can only be decrypted using the private key that's generated alongside the public key. The public key corresponds to the Advanced Encryption Key, and the private key is represented by the one master Advanced User Decryption Key, plus zero or more user-specific keys.
Internally, individual objects carry two properties, Encryption and EncryptionOpt. EncryptionOpt refers to the underlying unique identifier for the advanced encryption key in VSys, while Encryption is an internal link to the actual PGP key used.
User decryption keys
User keys are comprised of three elements:
VSys uses a passphrase to protect user keys. When a user tries to use his key, VSys asks for the passphrase and looks up the user's code. If the two are provided correctly, VSys is able to decrypt the encryption key and use it.
When a user's key is revoked, that database-stored code is removed. Without it, VSys cannot decrypt the user's key, making the key useless.
VSys One's encryption is intended to hide the data itself, not the fact that data is present or missing. Empty fields are not stored, and the size of each encrypted bundle is directly proportional to the size of the plaintext data. It may be possible to determine that detailed information about an individual is stored, and therefore that history exists. From a large record size someone may, correctly or otherwise, infer that negative data is present. The actual contents of the data, of course, remain secure.
User passphrases
The user's passphrases are never stored in VSys or in the keys themselves. User key passphrases can be changed on individual keys, but only by the user, or by someone who knows that user's passphrase. If the passphrase is lost, generate a new user key from scratch. No data is lost in this process, since the user key is derived from the master key.
Example encrypted data
If you dig into the underlying database (not recommended and most certainly not supported), you'll see that encrypted data is stored wrapped in an ASCII-encoded format.
-----BEGIN PGP MESSAGE-----
Version: VSys One/3.2.1.332
X-VSysKey: L7NK6RR0DCT8EKMO
X-VSysOpt:

(snip)
giYLW6nU806RyvGjTQ3fEZGMmaL+k3mPIOyZOLHYoZZ121qsmfSIBGnJ5sPN6ILJ1lKCr+tJLo9EOQKbQtlRxWtK6VpZwT8GLnDpm70zLHvZ
=aPf1
-----END PGP MESSAGE-----
Example decryption key
This is what you'll find if you open up one of the decryption keys (they have a .asc extension).
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: VSys One/3.2.1.103
X-VSysKey: L7NK6RR0DCT8EKMO
X-VSysOpt: 3JEAS7N6S40U8MK0
X-KeyID: 69ABDFEA8A43FB50
X-Fingerprint: CC17D01C27E783BE5ABDA25969ABDFEA8A43FB50
X-UserID: ***
X-Anywhere: 0

lQOYBFqtRIMBCAC6i3IXS8A5FlJXum3u704g1QWtQLU3UqprCY9ttZSLJ/J2FklRQmlDs82CWDmJ6aMVQyxhPK9KTFeBFdiqe9PCfkcDq51PFd3x2B5quUB5Eti2wcEz+AeXa7ohPccgXDqmfevfaPIAgRzyKV3OjEvAr4DpRRGNhSR3ZO7uEddVPkxZtkbVSDKD91A83VOzRWKY9JOAr3UfYEkfd3UQcwjsPrGSkiuDWpokdanJrWZ4zNo00oL+SGLgVKp4V3yylCPFz5X2DHT8D1UWvtoA7Q9ETjhZgWwPyWHY7IlIWxOMRzhaTvPzQbgpg+4sAb4TlN1q+XeMumihq7aCaDAm+j0bABEBAAEAB/9sGzv3PDMd4k2+AZCME6sXY9xyVzmt4f5ZIaU5Uy3Op0vgG3JJ4U7XqW/DxhUyU2/rdo5Vm7GKQUvEx0BVLIXABSZqfh4gIvAIo9KcztcKU128K/UnhOoBWrD3arHnkwt6SSdUxaDZofmAbXCrrqqH9C2lAh32Ad7sQlYlKbm87+xJa2YZeo4+h8KwiLGYfBAKVvKbMcrl6nfeWeJeF2POaU4LK8Ou5Z4B7XUR8dp/J1S4Zv/5O7o8ftWFB7bVyskuxpQWoGsD2FvNOAdD
(..snip...)
=HzpR
-----END PGP PRIVATE KEY BLOCK-----
Example user decryption key
A user decryption key can only be used by the specific user to whom it's assigned. It carries a link to the user's internal ID code in VSys, plus a link to the second half of the decryption key, which is kept on file in VSys until it's disabled.
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: VSys One/3.2.1.103
X-VSysKey: L7NK6RR0DCT8EKMO
X-VSysOpt: 3JEAS7N6S40U8MK0
X-KeyID: 69ABDFEA8A43FB50
X-Fingerprint: CC17D01C27E783BE5ABDA25969ABDFEA8A43FB50
X-UserID: QOWIB5AI48ZLCZZ3
X-Anywhere: 0
X-UserKey: RO8CSR6KD45KPP8D

lQOsBFqtRIMBCAC6i3IXS8A5FlJXum3u704g1QWtQLU3UqprCY9ttZSLJ/J2FklRQmlDs82CWDmJ6aMVQyxhPK9KTFeBFdiqe9PCfkcDq51PFd3x2B5quUB5Eti2wcEz+AeXa7ohPccgXDqmfevfaPIAgRzyKV3OjEvAr4DpRRGNhSR3ZO7uEddVPkxZtkbV
(...snip...)
=6bEI
-----END PGP PRIVATE KEY BLOCK-----
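The armor headers in the samples above are enough to inventory .asc files and tell a master key from a user key without reading the key material. The following Python is an added example, not VSys code: it assumes one header per line, that only user keys carry X-UserKey and that X-UserID: *** marks the master key (both inferred from the samples), and it checks that X-KeyID is the tail of X-Fingerprint, as OpenPGP v4 defines. The function names are hypothetical, and the sample blocks are constructed from the page's header values with the body omitted.

```python
import re

def parse_armor(text):
    """Return (block type, headers) for one ASCII-armored PGP block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("not a complete PGP armor block")
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:  # blank line or base64 body: headers are over
            break
        name, _, value = ln.partition(":")
        headers[name.strip()] = value.strip()
    return m.group(1), headers

def classify(text):
    """Summarise a block from its headers only; key material is not read."""
    kind, h = parse_armor(text)
    role = {"MESSAGE": "encrypted-data"}.get(kind, "other")
    if kind == "PRIVATE KEY BLOCK":
        # Assumption: only user keys carry X-UserKey, as in the page's samples.
        role = "user-key" if "X-UserKey" in h else "master-key"
    issues = []
    fpr, kid = h.get("X-Fingerprint"), h.get("X-KeyID")
    # OpenPGP v4: the key ID is the low 64 bits of the fingerprint.
    if fpr and kid and not fpr.upper().endswith(kid.upper()):
        issues.append("X-KeyID does not match X-Fingerprint")
    # Assumption: "***" means "no specific user", as in the master-key sample.
    if role == "user-key" and h.get("X-UserID", "***") == "***":
        issues.append("user key is not bound to a user ID")
    return {"role": role, "vsys_key": h.get("X-VSysKey"),
            "user": h.get("X-UserID"), "issues": issues}

# Constructed samples: header values copied from the page, body omitted.
HDR = ("Version: VSys One/3.2.1.103\nX-VSysKey: L7NK6RR0DCT8EKMO\n"
       "X-VSysOpt: 3JEAS7N6S40U8MK0\nX-KeyID: 69ABDFEA8A43FB50\n"
       "X-Fingerprint: CC17D01C27E783BE5ABDA25969ABDFEA8A43FB50\n")
def key_block(extra):
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n" + HDR + extra +
            "\n(body omitted)\n-----END PGP PRIVATE KEY BLOCK-----")
MASTER = key_block("X-UserID: ***\nX-Anywhere: 0\n")
USER = key_block("X-UserID: QOWIB5AI48ZLCZZ3\nX-Anywhere: 0\n"
                 "X-UserKey: RO8CSR6KD45KPP8D\n")

if __name__ == "__main__":
    for name, block in (("master", MASTER), ("user", USER)):
        print(name, classify(block))
```

Grouping results by vsys_key shows which decryption keys on disk belong to the same Advanced Encryption Key as a given encrypted record.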