This article explains :Recover Archive content using the Versionlist and Archivelist displays.
Introduction
SSProtect manages host-based information using encryption, integrity protection, strong access control, and a variety of additional protective facilities such as native workflow integration and continuous protection while data is used in application software.
With the optional use of :Recover, information is securely stored in an isolated Archive (often in the cloud) for restoration at a later time. The process was designed to be minimally intrusive with respect to end-user workflows, with results that are truly seamless except for a change in the way data is sent to and received from KODiAC (Cloud) Services.
Data transfers and storage are governed by a combination of proprietary secure networking primitives, patented cryptographic offloading, and isolation. This tight coupling manifests in several different Conversion facilities, each with different features, as detailed in the article, Operating Modes.
Managed Versionlist
The Managed Files/ Restore context menu selection (from the SSProtect notification icon) displays the set of managed data files associated with your SSProtect Profile, described in the article, Managing Host Data.
From the Hostlist display, choose a managed item then choose Versions... to display the Versionlist:
The Versionlist shows each individual managed instance of the chosen file, with each entry representing a secure access operation carried out by the noted SSProtect User(name). The, "A" column, "Y" indicates that a specific Version can be Restored.
Versionlist - :Recover and Size
In the example above, Version 5 shows a Size=0. This does not reflect the size of the file in host-local storage, rather the size of Plaintext associated with the Ciphertext stored in the :Recover KODiAC Archive. As a result, Version 5 is not available for Restore - as further evidenced by the, "-" in the right-most Archive column. This results from use of the Optimized Offloading Operating Mode.
Details for operations associated with enumerated Versions are available in :Assess File Detail Reports for authorized Users. In general, a User can see details specific to any operation he/ she carried out with his/ her Account, and Privileged Organization Users managing his/ her Account can see the same (and more).
Verisonlist - :Recover Availability
There are cases when Version-specific content is not available for Restore operation.
Owners
First, the, "Owner" of a protected item is the Account that created Version 1 in a Version Chain. The Owner Account policy dictates the resulting Operating Mode of a Versioned instance. If/ when an Account's configuration changes, subsequent Versions, created by the owner, reflect those changes.
Access by Organization Peers and Third Party Trusts do not, under normal circumstances, modify the Operating Mode of an instance. This maintains Owner-consistency for the resulting instance that's protected when the Organization Peer or Third Party Trusts saves changes to a shared file. As such, if a sharing User isn't using :Recover but the shared item he/ she is accessing was created using :Recover, the shared instance will be stored in the Owner's KODiAC Archive while at the same time impacting the Owner's :Recover Quota.
Archive Availability
But there are exceptions. In the above example, Version 7 has a non-zero Size, indicating that secured content is stored in the KODiAC Archive. However, the, "A" column does not contain the, "Y" indicator, which means the active User, in this case the Owner (support@definsiec.com). cannot Restore that instance.
Why?
Hybrid vs. Double Conversion with Third Party Trusts
Reports will show that this case is driven by the use of Hybrid Conversion and the fact that Version 7 was created by a Third Party Trust. This is one of the major differences between Hybrid and Double Conversion: Had the managed file been created with Double Conversion instead of Hybrid Conversion, Version 7 would have been made available for Owner Restore.
Ability to Restore Organization Peer Instances
The above-noted difference in Archive availability when using Hybrid and Double Conversion only applies to Third Party Trust access: Organization Peer access (of course when using :Recover) creates KODiAC Archive instances that can always be Restored by the Owner. This would be reflected in the, "A" column - and that is in fact its' very purpose since this display does not show an Instance's Operating Mode.
Exceptions With Shared Instances
In certain cases, shared User execution does not allow re-encryption of modified content using the required Hybrid or Double Operating Modes. This can happen when the Owner's Quota has been reached or if the file size triggers host-local Policy that requires Optimized Offloading (for performance). There are other (uncommon) cases, and in each of them, SSProtect will, "fallback" to Optimized Offloading to ensure content is re-protected. This results in a Versionlist entry with Size=0, indicating that the KODiAC Archive does not contain Version-specific data to Restore.
For more information, refer to the article, Restoring and Replicating.
Versionlist Hash
Notice the example Versionlist shows a different Hash for some of the Versions. This indicates that the file's plaintext content was changed. If however the file was opened and subsequently closed without modification, you see two Versions with the same Hash value - as with Versions 7 and 8.
The Hash can be derived using MD5 or SHA1, which is determined for an Organization in the License and Components Interface. Though all Users can view those settings, only Privileged Accounts can make changes (due to the impact across Organization Accounts).
Managed Archivelist
The set of :Recover KODiAC Archive files (for the calling Account) - the Archivelist - appears in the Managed Files/ Restore display after choosing the Archive... button. For our previous example, content is as follows:
The Archivelist enumerates the latest version of each :Recover-stored file.
Notice, in our example, the familiar Open Calls.xlsx file shows Version 9 as the latest, consistent with the Versionlist at the beginning of this article. As previously noted, Version 9 is not available for Owner Restore. As such, Restore will acquire the latest Version available, which in this case is Version 8.
Restore/ Replicate operation is detailed in the article, Restoring and Replicating.
File Size Details
In :Foundation Client releases prior to v10.6.3, the Versionlist Size differed from the Archivelist Size, which is no longer the case. In both situations, the Size now represents the Size of the managed item's Plaintext. This does not mean to imply that KODiAC refers to, accesses, or stores plaintext data - it does not and cannot - but instead intends to provide insight regarding the source data's actual Size.
In rare instances, these Size value may be negative (not shown here). This occurs only when KODiAC encounters an error during processing. The absolute value of this negative number represents the Size of interim or final Ciphertext used in the last related transaction. Should you encounter this scenario, contact Support so we can work with you to restore proper behavior.
File Date/ Time Values
Date/Time information should match Windows Explorer figures - specifically the Last Modified value in a file's Explorer Properties display - of course with the caveat that Managed Files/ Restore displays enumerate content using UTC values to align with :Assess Report data.
Hostlist Date/Time values may in certain cases be missing, replaced with, "N/A". This indicates that a host-local version could not be found and/ or read, and also that an associated instance could not be identified in the Archive or data history. This can be encountered when a conversion operation is destructively interrupted, for example by removing power (from a desktop or workstation that doesn't have or use a battery).
Finally, if a file's Hostlist State does not match what's found in local storage, the Date/Time value will include an asterisk. This is a rare error condition that should seldom (if ever) be observed, and as a result warrants further investigation if/ when present.
Archivelist File Hashes
The Versionlist Hash value reflects Plaintext computation using MD5 or SHA1 as configured for the managing Account. Note that both Plaintext and Ciphertext hashes can be found in associated :Assess File Report entries.
In very rare circumstances, the Archivelist may display the FileID and Hash in place of the expected Filename and Last Utilized Folder. If you encounter this condition, contact Support so we can work with you to restore normal operation.
Archivelist Functions
Controls are nearly the same as those described in the article, Managing Host Data, except as noted in the next section. This holds true for column-based sorting, and as you may notice, Lists are first displayed with most recent items at the top, descending by the Date/Time (UTC) associated with the item's last secured write/ close operation.
As expected, you can Filter/ Clear using the controls described for the Hostlist (don't forget the Filter retains its' entry when navigating to other List displays), and you can also choose an item then Open Folder to open File Explorer in the target's native folder. If for some reason the native location has been removed, File Explorer will display the Default Folder.
Static Load, Refresh for Changes
The Managed Files/ Restore Lists are loaded and enumerated when you navigate to the context menu and choose to display content. As you perform operations and move from one List to another, you will find a need to see updated values. Use the Refresh button from any of the three displays to render updated content.
IMPORTANT: Switching from one List view to another does NOT refresh content, for performance reasons - though it may be re-sorted on the fly.
Archive and Hostlist Divergence
Hostlist functionality differs from the Archivelist for Clean and Refresh operations, which are described below. Opt Filter is not available from the Archivelist, though Replicate is unique to the Archivelist and not enabled elsewhere. Additional Replicate details are available in the aforementioned articles further detailing :Recover.
Client "Cache"
The Archivelist can be quite long, and Archive Filenames are not stored in plaintext. For this reason, creating the plaintext enumeration can slow down enumeration of very large lists of files (1000s).
For this reason, SSProtect keeps and refers to interim data that maintains state for all known entries, providing quicker secured access to changes (though this is not a true cache). Interim data is updated on the fly, each time application logic or end-user actions refer to Archivelist resources. This allows you to perform Archivelist Refresh operations that return updated information more quickly.
Cleaning the Archivelist
Archivelist Clean removes the above-noted interim data then re-acquires all content going back to the very first day your Account was used. This can take some time after a couple years of use, as each entry can take upwards of a second to process, depending on your host computer and dependency details.
Note that you shouldn't have a need to Clean your Archivelist except when troubleshooting issues.
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v10.8.4 of the :Foundation Client