Managing job encryption for InfoPrint Manager for Linux

To prevent data from being accessed, modified, or stolen, InfoPrint Manager can encrypt the files that enter the system.

InfoPrint Manager uses OpenSSL (https://www.openssl.org) to enable job encryption. To encrypt and decrypt large amounts of data, InfoPrint Manager uses symmetric encryption. Only printable job files are encrypted.

    Note:
  • On AIX and Linux, when encryption is enabled, pdpr -l copies the file instead of creating a symbolic link.

To ensure that all InfoPrint Manager files are encrypted, instead of using job encryption, encrypt all the partitions where InfoPrint Manager stores files: /var/pd, /var/psf, /var/psf/segments, /tmp, and swap.

Partition encryption is an additional layer of security, not a replacement for InfoPrint Manager file encryption. Encrypted partitions ensure that if the hard drive (HDD) is stolen or disposed of, the data on it cannot be recovered. However, if the HDD remains in the computer where it was encrypted, access to the data (files or jobs) is transparent. On the other hand, InfoPrint Manager file encryption protects data by preventing access if the HDD is stolen or discarded, and does not allow transparent access to file contents.

To achieve complete encryption that covers the OS-specific print systems, encrypt the /var, /tmp, and swap partitions.

    Note:
  • If encrypting swap is not possible or practical, ensure that InfoPrint Manager has ample memory available to prevent decrypted data from being written to disk by the operating system.

Any printable file is encrypted as soon as it enters InfoPrint Manager. The job is processed (sniffed, RIPped, etc.) in encrypted form, including all intermediary and temporary files created during processing. In a few cases, the job might be decrypted to disk because of functionality constraints, system service constraints, or similar limitations.

Decryption to disk takes place during processing when:

  • A custom step (transform) is required for the job.
  • A run script action needs to be executed as part of a Print Rule for the job.

The job is re-encrypted once the processing is done.

Decryption to disk occurs before the job is sent to a specific print system or to a printer when:

  • Using a custom command specified by the customer.
  • Using one of the following DSSs: CUPS DSS, BSD DSS, DFE DSS, PSF-Other DSS, or PSF Command DSS.

For Anyplace Print across namespaces, the job is moved: the job files are decrypted and a job is submitted. The files are encrypted again on the destination server.

To determine whether job encryption is enabled on your InfoPrint Manager server, check the error log file after the InfoPrint Manager server has started for the following message: "5010-909 InfoPrint Manager started with Job Encryption enabled."
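The following script is an added example, not part of the InfoPrint Manager documentation or product. It combines the two checks described above: it looks for message 5010-909 in the error log and verifies that the listed storage paths and any active swap sit on encrypted volumes. It assumes the partitions are encrypted with dm-crypt/LUKS (reported by `lsblk` as type `crypt`), and it takes the error log path as an argument because this page does not give its location. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audits the encryption posture this page describes.
# Assumption: partitions use dm-crypt/LUKS, which lsblk reports as TYPE "crypt".
IPM_PATHS="/var/pd /var/psf /var/psf/segments /tmp"   # paths listed on the page

# Succeeds if the log holds the startup message confirming job encryption.
job_encryption_logged() {
    grep -q '5010-909 InfoPrint Manager started with Job Encryption enabled' "$1"
}

# Reads `lsblk -s -rno TYPE <device>` output on stdin (the device plus every
# layer beneath it); succeeds if any layer is a dm-crypt mapping.
has_crypt_layer() {
    grep -qx 'crypt'
}

# Maps a path (directory or swap file) to its block device; devices pass through.
backing_device() {
    if [ -b "$1" ]; then echo "$1"; else findmnt -no SOURCE --target "$1" 2>/dev/null; fi
}

# Reports one check; succeeds only if $1 sits on an encrypted volume.
check_encrypted() {
    dev=$(backing_device "$1")
    if [ -n "$dev" ] && lsblk -s -rno TYPE "$dev" 2>/dev/null | has_crypt_layer; then
        echo "OK    $1 is on an encrypted volume ($dev)"
    else
        echo "FAIL  $1 is not on an encrypted volume"; return 1
    fi
}

# Runs every check against the live system; returns the number of failures.
audit() {
    failed=0
    if job_encryption_logged "$1"; then
        echo "OK    message 5010-909 found in $1"
    else
        echo "FAIL  message 5010-909 not found in $1"; failed=$((failed + 1))
    fi
    for target in $IPM_PATHS $(swapon --noheadings --show=NAME 2>/dev/null); do
        check_encrypted "$target" || failed=$((failed + 1))
    done
    return "$failed"
}

# Runs only when an error log path is given (the page does not state its location).
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A path on a btrfs subvolume is reported as FAIL because `findmnt` appends the subvolume to the device name; check such paths by hand.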