If you suspect that a fusion stream encryption certificate has been compromised, you
can prevent that certificate from being used to access your encrypted video by removing it from
the Archiver and deleting all key streams that were generated with that certificate.
Before you begin
IMPORTANT: Ensure that all archiving roles are online. These include Archiver,
Auxiliary Archiver, and Cloud Playback roles. Key streams cannot be deleted if any archiving
role associated with an encrypted camera is offline.
What you should know
The encryption certificate contains a private key that allows the client machine to query the
Archiver for encrypted data, and to decrypt the key stream and data when they are received.
For more information, see How does fusion stream encryption work?
CAUTION: If you remove the last certificate used to encrypt a camera from the Archiver, the
camera ceases to be encrypted and all future data from that camera becomes accessible to all
machines in your system. However, data that was previously encrypted remains encrypted.
Procedure
1. From the Config Tool homepage, open the Video task and click the Roles and units view.
2. Do one of the following:
   - If encryption is configured at the Archiver level, select the Archiver and click the
     Camera default settings tab.
   - If encryption is configured at the camera level, select the camera and click the
     Recording tab.
3. From the Certificates list, select the compromised certificate, and click Remove the item.
   NOTE: You cannot enable In transit and at rest encryption if there are no configured
   certificates.
4. Click Apply.
5. In the message box that appears, do one of the following:
   - Click Yes to delete the selected certificate and the associated key streams
     (client-specific key streams).
     This option is highly recommended if your certificate has been compromised. It prevents
     client machines from accessing any encrypted data with the associated certificate.
     CAUTION: If you remove the only certificate used to generate key streams, you will
     permanently lose access to the encrypted data.
   - Click No to only delete the selected certificate from the Archiver, not the associated
     key streams.
     This option stops video encryption with the selected certificate. New video cannot be
     decrypted with the compromised certificate. However, all data that was encrypted before
     removing this certificate remains available to client machines that have the certificate
     installed.
6. Click Apply.
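
The following Python sketch is an added illustration, not Genetec code. It models what the Yes and No choices mean for video that is already archived, assuming the data stream is encrypted once with a symmetric key and each certificate gets its own key stream that wraps that key. All names, the toy RSA key pairs, and the sample video bytes are constructed for the example.

```python
# Toy model (constructed): textbook RSA over small Mersenne primes and a
# SHA-256 keystream stand in for real certificates and ciphers. Not secure.
import hashlib
import secrets

E = 65537

def make_cert(p, q):
    """Return (public, private) key pairs for a hypothetical certificate."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def xor_stream(key, data):
    """Symmetric toy cipher: XOR data with a SHA-256 counter keystream."""
    pad = b"".join(hashlib.sha256(key + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

class Archive:
    def __init__(self, video, certs):
        key = secrets.token_bytes(16)
        self.data_stream = xor_stream(key, video)  # video is encrypted once
        # One key stream per certificate: the data key wrapped to its public key.
        self.key_streams = {name: pow(int.from_bytes(key, "big"), e, n)
                            for name, (n, e) in certs.items()}

    def remove_cert(self, name, delete_key_streams):
        """True models Yes. False models No: archived key streams stay in
        place and only future encryption stops (not modelled here)."""
        if delete_key_streams:
            self.key_streams.pop(name, None)

    def play(self, name, private):
        """Return the decrypted video, or None if the cert has no key stream."""
        if name not in self.key_streams:
            return None
        n, d = private
        key = pow(self.key_streams[name], d, n).to_bytes(16, "big")
        return xor_stream(key, self.data_stream)

def demo(delete_key_streams):
    """Remove compromised cert A; report what A and B can still play back."""
    pub_a, priv_a = make_cert(2**127 - 1, 2**89 - 1)   # compromised cert
    pub_b, priv_b = make_cert(2**107 - 1, 2**61 - 1)   # healthy second cert
    arc = Archive(b"constructed video frame", {"A": pub_a, "B": pub_b})
    arc.remove_cert("A", delete_key_streams)
    return arc.play("A", priv_a), arc.play("B", priv_b)
```

With Yes, the holder of certificate A's private key gets nothing back while certificate B still plays the archive. With No, both still decrypt the previously recorded video.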