What is fusion stream encryption? - Security Center 5.8

Security Center Administrator Guide 5.8

Series: Security Center 5.8
Revised: 2020-08-17

Fusion stream encryption is a proprietary technology of Genetec Inc. used to protect the privacy of your video archives. The Archiver uses a two-level encryption strategy to ensure that only authorized client machines or users with the proper certificates on smart cards can access your private data.

What is a fusion stream?

Fusion stream is a proprietary data structure of Genetec Inc. for streaming multimedia. Each fusion stream is a bundle of data (video, audio, and metadata) streams and key streams related to a single camera. Fusion streams are generated on specific client requests. The key streams are included only if the data streams are encrypted.

Benefits of fusion stream encryption

The benefits of fusion stream encryption are as follows:

  • No data captured by Security Center is stored or transmitted as plaintext. This means that the privacy of your data is protected even if you outsource the management of your data center.
  • Data streams are encrypted using the US government-approved AES 128-bit encryption standard.
  • The keys used to encrypt the data streams change every minute, discouraging any kind of brute-force attack.
  • Each data stream is encrypted with a different key stream, reducing the attack surface.
  • The key streams are encrypted using public key encryption, ensuring that only authorized client machines (with a valid private key) can view the protected data. The private key can be installed on the machine or accessed from a smart card reader.
  • If a private key is compromised (leaked out), you can prevent it from ever being used again on your system.
  • Encryption overhead is kept to a minimum by encrypting the data stream only once. Redirectors and Auxiliary Archivers do not have to re-encrypt the data.

Limitations

The limitations of fusion stream encryption are as follows:

  • Multicast from the video unit is supported only if the unit supports encryption and is connected through HTTPS.
  • Recordings on the edge cannot be encrypted. Turn edge recording off if you want encryption.
  • Video encrypted in version 5.8 and later cannot be decrypted in version 5.7 and earlier.
  • Encrypted video cannot be viewed on Security Center Mobile devices.
  • Motion detection by the Archiver is not supported when encryption is on.
  • Thumbnails cannot be generated for encrypted video.
  • Encryption cannot be added after the video has been archived.

    However, you can still encrypt your exported video files.

  • New encryption keys cannot be added to archived data, which means that authorization to view archived data cannot be granted to new machines.
  • Encryption certificates are only validated for expiration dates. This means that any certificate you enroll takes effect immediately, regardless of its activation date.
    CAUTION:
    If a certificate expires, it is no longer used for encryption. When there are no valid certificates left, video recording is stopped.
  • Encryption cannot be removed from the video archives.

    The workaround is to export your video in ASF format.

  • Encrypted video cannot be exported in legacy G64 format.

    When you export encrypted video in G64x format, the video is exported with encryption. All information necessary for the decryption of the video is found in the G64x file.

  • Encrypted video cannot be recovered if you lose all your private keys.

    See Best practices for managing private keys.
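
A monitoring check built on the certificate validation limitation above, as an added example that is not part of the Genetec documentation: it models the rule that only the expiration date is checked, and reports certificates that are in use before their activation date and the moment recording would stop. The certificate names, dates, and 30-day warning window are constructed assumptions; in practice the validity dates come from the certificates enrolled on your Archiver.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed sample inventory (not from the page): (name, notBefore, notAfter).
SAMPLE_CERTS = [
    ("ops-workstation", datetime(2020, 1, 1, tzinfo=UTC), datetime(2020, 9, 1, tzinfo=UTC)),
    ("smartcard-admin", datetime(2020, 3, 1, tzinfo=UTC), datetime(2020, 10, 15, tzinfo=UTC)),
    ("rollover-2021", datetime(2021, 1, 1, tzinfo=UTC), datetime(2022, 1, 1, tzinfo=UTC)),
    ("retired-2019", datetime(2019, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC)),
]


def used_for_encryption(cert, now):
    """Rule described on this page: only the expiration date is checked."""
    return now < cert[2]


def strictly_valid(cert, now):
    """Conventional X.509 validity window, shown for comparison."""
    return cert[1] <= now <= cert[2]


def audit(certs, now, warn_days=30):
    """Return the findings an administrator would act on at time `now`."""
    window = timedelta(days=warn_days)
    active = [c for c in certs if used_for_encryption(c, now)]
    # Recording stops once the last enrolled certificate has expired.
    stops = max((c[2] for c in active), default=None)
    return {
        "active": sorted(c[0] for c in active),
        # In use now although the activation date is still in the future.
        "active_before_activation_date": sorted(
            c[0] for c in active if not strictly_valid(c, now)),
        "expired": sorted(c[0] for c in certs if not used_for_encryption(c, now)),
        # About to drop out of use for encryption.
        "expiring_soon": sorted(c[0] for c in active if c[2] - now <= window),
        "recording_stops": stops,
        "recording_at_risk": stops is None or stops - now <= window,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CERTS, datetime(2020, 8, 17, tzinfo=UTC))
    for key, value in report.items():
        print(f"{key}: {value}")
```
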