When is encrypted data automatically decrypted?

Version: All Versions

Article ID: PE000202

When is encrypted data automatically decrypted?main image


If a data group is stored encrypted “at rest” (i.e. encrypted in the entity storage path with an encryption key), how does the data get decrypted?


Viewing a document automatically decrypts the document while it is being viewed. This happens whether you are viewing the document through the document viewer or viewing it natively.

Processes which are designed for taking data out of PaperVision Enterprise (PVE) will also automatically decrypt the data group and associated files. These processes include migration jobs, exporting, or emailing documents.

Documents remain encrypted when executing a backup job for specific data groups. Backup jobs are intended to back up data that will be restored at some point into a local PVE installation.

Because the SQL database used in PVE knows that the data group is encrypted with a specific key name, there is no need to decrypt documents during the backup. The backup package is intended to be used only inside PVE (or ImageSilo) and includes the encryption key.

If there is a need to run backup jobs on decrypted data that is currently encrypted, the data group will need to be submitted for decryption by the automation service first. The backup job can then be run once the decryption process finishes. After the backup job completes, the data group can be re-submitted for encryption if needed. However, in this scenario, a migration job may be a better alternative as it automatically decrypts the data for use outside of PVE (or ImageSilo).