Creating smart card or USB token accounts
To create a smart card or USB token account, enable automatic account creation in SDMC so that the account creation process is transparent for the user when they insert their USB token or smart card for the first time. You can also manually create an account from the agent on the workstation.
In either case, the Stormshield Data Card Extension feature must be installed on users' workstations, along with the other features of the SDS Enterprise agent. For more information, refer to the sections Deploy the SDS Enterprise agent installation package and a custom security policy to user workstations and Configuring the middleware required for Card or USB token accounts.
With a smart card or a USB token:
- Your private keys and certificates are stored on the smart card or token,
- The smart card or token performs the private-key operations (signature and decryption) on board, so the private keys never leave it.
When an account associated with a smart card is created, the smart card must already contain the private keys and certificates to be associated with the account; account creation does not generate them.
To make it easier to deploy smart card or USB token accounts and to minimize user intervention, SDS Enterprise can automatically create the user’s account when the card or token is inserted for the first time. To do so, you must first install and configure the required middleware and enable the feature in SDMC. To select the appropriate middleware and enable automatic account creation, refer to the sections Configuring generic account settings and Setting account creation parameters.
The user then simply inserts their smart card or USB token. SDS Enterprise detects that no account is associated with it yet and offers to create one. To continue, the user only needs to enter the PIN of the smart card or USB token, and the SDS Enterprise account is then created.
To create the account manually from the SDS Enterprise agent:
- On the user workstation, insert the smart card or USB token.
- Right-click the SDS Enterprise icon in the system tray.
- Select New user.
- Select Account with physical or virtual smart card.
- Click on Create your account.
- Select the smart card or USB token you wish to use.
- Enter the PIN of the smart card or USB token. SDS Enterprise connects to the card or token and displays its contents (keys and certificates).
- Confirm the following screens. If the card or USB token contains several usable keys, choose the desired key.
- Check the account summary.
- Click on Finish.
An SDS Enterprise account created with a smart card or USB token uses the serial number of the card or token as its identifier.
In addition to the user’s current keys, other encryption keys may be saved on the smart card or USB token.
SDS Enterprise automatically uses these encryption keys to decrypt documents (messages/files) when the current key cannot do it.
These keys can come from several sources:
- The user's old encryption keys. Obsolete keys may be kept on the card (with their associated certificates) so that the user can still decrypt files that were encrypted with them. This is particularly useful for archived files,
- External keys. For example, the keys of former employees, which can be used to recover their information (files/messages).
SDS Enterprise features do not all identify keys on the card in the same way. Some features identify a key by its PKCS#11 CKA_ID attribute, so the CKA_ID of a key must never change (for example when the card is re-personalized); other features identify the key through information from its certificate (issuer and serial number).
We therefore recommend that every key stored on a card keeps the same CKA_ID attribute for its whole lifetime and that all of the associated certificates are also present on the card (by the usual PKCS#11 convention, a certificate carries the same CKA_ID as its private key). A key whose certificate is missing, or whose CKA_ID no longer matches its certificate, can be found by one feature and not by the other.
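The following script is an added example, not part of the Stormshield documentation or product: it checks a card inventory against the recommendation above by pairing private keys and certificates on their CKA_ID. It assumes the inventory is the output of OpenSC's `pkcs11-tool --module <middleware.so> --login --list-objects` (the "Type Object;" header followed by indented "attribute: value" lines); the listing embedded below is constructed for the example and shows a correctly paired key, a key whose certificate was re-personalized with a different CKA_ID, and an archive key with no certificate at all.

```python
import re
from collections import defaultdict

# Constructed sample of a `pkcs11-tool --login --list-objects` listing.
# The format (assumption) is the one OpenSC prints: one "<Type> Object;" header
# per object, followed by indented "attribute:   value" lines.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      enc-2024
  ID:         a1b2c3
  Usage:      decrypt, unwrap
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      enc-2024
  subject:    DN: C=FR, O=Example, CN=Alice Example
  ID:         a1b2c3
Private Key Object; RSA
  label:      enc-2019
  ID:         0fed
  Usage:      decrypt
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      enc-2019
  subject:    DN: C=FR, O=Example, CN=Alice Example
  ID:         0fed00
Private Key Object; RSA
  label:      archive-bob
  ID:         77
  Usage:      decrypt
  Access:     sensitive, always sensitive, never extractable
"""

HEADER_RE = re.compile(r"^(Private Key|Public Key|Certificate|Secret Key|Data) Object;")
ATTR_RE = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")


def parse_listing(text):
    """Turn a pkcs11-tool listing into a list of {"type": ..., "id": ..., "label": ...} dicts."""
    objects, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"type": header.group(1)}
            objects.append(current)
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            # Attribute names are lower-cased so "ID" becomes "id"; values keep their case.
            current[attr.group(1).strip().lower()] = attr.group(2).strip()
    return objects


def check_key_certificate_pairing(objects):
    """Return findings as (code, subject, detail) tuples; an empty list means the card is consistent."""
    by_id = defaultdict(lambda: defaultdict(list))      # CKA_ID -> type -> labels
    by_label = defaultdict(lambda: defaultdict(set))    # label  -> type -> CKA_IDs
    for obj in objects:
        if obj["type"] not in ("Private Key", "Certificate") or "id" not in obj:
            continue
        cka_id = obj["id"].lower()
        label = obj.get("label", "<no label>")
        by_id[cka_id][obj["type"]].append(label)
        by_label[label][obj["type"]].add(cka_id)

    findings = []
    # A feature that looks the key up by certificate needs a certificate with the key's CKA_ID,
    # and a feature that looks it up by CKA_ID needs a private key behind that certificate.
    for cka_id, kinds in sorted(by_id.items()):
        keys, certs = kinds.get("Private Key", []), kinds.get("Certificate", [])
        if keys and not certs:
            findings.append(("KEY_WITHOUT_CERT", cka_id,
                             f"private key(s) {keys} have no certificate with this CKA_ID"))
        if certs and not keys:
            findings.append(("CERT_WITHOUT_KEY", cka_id,
                             f"certificate(s) {certs} have no private key with this CKA_ID"))
    # Same label but different CKA_IDs is the typical signature of a re-personalized card
    # where the key kept its ID and the certificate was written with a new one (or vice versa).
    for label, kinds in sorted(by_label.items()):
        key_ids, cert_ids = kinds.get("Private Key", set()), kinds.get("Certificate", set())
        if key_ids and cert_ids and key_ids != cert_ids:
            findings.append(("LABEL_ID_MISMATCH", label,
                             f"key IDs {sorted(key_ids)} differ from certificate IDs {sorted(cert_ids)}"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in check_key_certificate_pairing(parse_listing(SAMPLE_LISTING)):
        print(f"{code:18} {subject:10} {detail}")
```

Run it against a real listing by piping `pkcs11-tool --module <middleware.so> --login --list-objects` into a file and passing its contents to parse_listing; a card that satisfies the recommendation produces no findings. On the constructed listing, enc-2024 is silent, enc-2019 is reported three times (a key without certificate, a certificate without key, and the label-level mismatch that explains both) and archive-bob is reported as a key without certificate, which is exactly the state in which a feature identifying keys by certificate issuer and serial number cannot use that key.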