Encrypting Data to Prevent Data Leaks Caused by a Stolen or Disposed Machine
You can prevent data leaks by encrypting data on the machine even if the memory device is stolen, the machine is replaced with a new one, or the machine is disposed of.
Encrypting data on the machine
Encryption is an effective measure against data leaks. Be sure to keep the encryption key secure to use for decryption. Print it on a sheet.
Overwriting data to prevent restoration
You can delete data that you do not want to be restored. The Auto Erase Memory function deletes the data temporarily stored on the optional hard disk for printing, and the Erase All Memory function deletes all data and initializes the machine's VRAM as well as the optional hard disk of the machine.
Encrypting Data on the Machine
You can encrypt data contained in the address book and authentication information on the machine's VRAM as well as documents stored on the optional hard disk to prevent data leaks in case the memory device(s) is removed from the machine.
Once encryption is enabled, all data subsequently stored on the machine will be encrypted.
The encryption algorithm used in the machine is AES-256.
This function is only available for the standard hard disk. If your machine is equipped with the Enhanced Security HDD Option, data on the hard disk is always encrypted. Therefore, this function can only encrypt the machine's NVRAM data.
The machine cannot be operated while encrypting data, updating the encryption key, or canceling encryption.
Do not turn off the power of the machine while encrypting data, updating the encryption key, or canceling encryption. If you turn off the power, the optional hard disk may be damaged and all data may be unusable.
The encryption process of the optional hard disk takes several hours. Once the encryption process starts, it cannot be stopped.
The encryption key is required for data recovery or migration to another machine. Be sure to keep the encryption key secure by printing it on a sheet.
To transfer data from the machine to another machine, you must decrypt the encrypted data. Contact your service representative for data migration.
If you specify both the Erase All Memory function and the encryption function, the Erase All Memory function is performed first. Encryption starts after the Erase All Memory function has been completed and the machine has been rebooted.
When the optional hard disk is installed, the process will take up to 7 hours 15 minutes if you use [Erase All Memory] and encryption simultaneously, and select overwrite 3 times for [Random Numbers]. Re-encrypting from an already encrypted state takes the same amount of time.
The Erase All Memory function also clears the machine's security settings, so that neither machine nor user administration will be possible. Ensure that users do not save any data on the machine after the Erase All Memory process has completed.
Rebooting will be faster if there is no data to carry over to the hard disk and if encryption is set to [Format All Data], even if all data on the hard disk is formatted. Before you perform encryption, we recommend you back up important data.
The encryption key is required for data recovery if the machine malfunctions. Be sure to store the encryption key safely for retrieving backup data.
The machine cannot be used while the encryption key is being updated.
The encryption key is required for recovery if the machine malfunctions. Be sure to store the encryption key safely for retrieving backup data.
When the encryption key is updated, encryption is performed using the new key. After completing the procedure on the machine's control panel, turn off the main power and restart the machine to enable the new settings. Restarting can be slow when the optional hard disk is installed and there is data to be carried over to the hard disk.
Once the updating of the encryption key starts, it cannot be stopped. Make sure that the machine's main power is not turned off while the encryption process is in progress. When the optional hard disk is installed, the hard disk will be damaged and all data on it will be unusable if the machine's main power is turned off during the encryption process.
If the encryption key update was not completed, the created encryption key will not be valid.
The machine cannot be used while data encryption is being cancelled.
After completing the canceling on the machine's control panel, turn off the main power and restart the machine to enable the new settings. Restarting can be slow when the optional hard disk is installed and there is data to be carried over to the hard disk.
Once the canceling of data encryption starts, it cannot be stopped. Make sure that the machine's main power is not turned off while the encryption process is in progress. When the optional hard disk is installed, the hard disk will be damaged and all data on it will be unusable if the machine's main power is turned off during the encryption process.
When disposing of a machine, completely erase the memory. For details about erasing all the memory, see the section below:
Initializing the Machine with the Erase All Memory Function.
To enable the encryption settings
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Machine Data Encryption], and then press the [OK] key.
Make sure that [Encrypt] is selected, and then press the [OK] key.
When the optional hard disk is not installed, proceed to Step 7.
When the optional hard disk is installed, proceed to Step 6.
Press the [
] or [
] key to select the data to be carried over to the hard disk and not be reset, and then press the [OK] key.
The settings of the machine are not initialized regardless of the option you select.
When using the Embedded Software Architecture application, be sure to select [Carry Over All Data] or [CarryOver FileSys DataOnly].
Format All Data: Initializes data that are both encrypted and initialized when [CarryOver FileSys DataOnly] is specified.
CarryOver FileSys DataOnly: The following data are encrypted or initialized:
Data that are encrypted
Program/log of the Embedded Software Architecture application, address book, registered fonts, job logs, access logs, spooled jobs
Data that are initialized
Documents stored on the optional hard disk (Locked Print files, Sample Print files, Stored Print files, Hold Print files)
Carry Over All Data: Encrypts all data.
Press the selection key beneath [Print].
Press the selection key beneath [Continue].
Press the selection key beneath [Exit].
Press the selection key beneath [Logout].
Turn off the main power switch, and then turn the main power switch back on.
The machine will start to convert the data on the memory after you turn on the machine. Wait until the message “Memory conversion complete. Turn the power switch off.” appears, and then turn the main power switches off again.
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.
To update the encryption key
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Machine Data Encryption], and then press the [OK] key.
Select [Update Encryption Key], and then press the [OK] key.
When the optional hard disk is not installed, proceed to Step 7.
When the optional hard disk is installed, proceed to Step 6.
Press the [] or [] key to select the data to be carried over to the hard disk and not be reset, and then press the [OK] key.
The settings of the machine are not initialized regardless of the option you select.
When using the Embedded Software Architecture application, be sure to select [Carry Over All Data] or [CarryOver FileSys DataOnly].
Format All Data: Initializes data that are both encrypted and initialized when [CarryOver FileSys DataOnly] is specified.
CarryOver FileSys DataOnly: The following data are encrypted or initialized:
Data that are encrypted
Program/log of the Embedded Software Architecture application, address book, registered fonts, job logs, access logs, spooled jobs
Data that are initialized
Documents stored on the optional hard disk (Locked Print files, Sample Print files, Stored Print files, Hold Print files)
Carry Over All Data: Encrypts all data.
Press the selection key beneath [Print].
Press the selection key beneath [Continue].
Press the selection key beneath [Exit].
Press the selection key beneath [Logout].
Turn off the main power switch, and then turn the main power switch back on.
The machine will start to convert the data on the memory after you turn on the machine. Wait until the message “Memory conversion complete. Turn the power switch off.” appears, and then turn the main power switches off again.
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.
To cancel data encryption
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Machine Data Encryption], and then press the [OK] key.
Select [Cancel Encryption], and then press the [OK] key.
When the optional hard disk is not installed, proceed to Step 7.
When the optional hard disk is installed, proceed to Step 6.
Press the [] or [] key to select the data to be carried over to the hard disk and not be reset, and then press the [OK] key.
The settings of the machine are not initialized regardless of the option you select.
When using the Embedded Software Architecture application, be sure to select [Carry Over All Data] or [CarryOver FileSys DataOnly].
Format All Data: Initializes data that are both encrypted and initialized when [CarryOver FileSys DataOnly] is specified.
CarryOver FileSys DataOnly: The following data are encrypted or initialized:
Data that are encrypted
Program/log of the Embedded Software Architecture application, address book, registered fonts, job logs, access logs, spooled jobs
Data that are initialized
Documents stored on the optional hard disk (Locked Print files, Sample Print files, Stored Print files, Hold Print files)
Carry Over All Data: Encrypts all data.
Press the selection key beneath [Exit].
Press the selection key beneath [Logout].
Turn off the main power switch, and then turn the main power switch back on.
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.
To back up the encryption key
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Machine Data Encryption], and then press the [OK] key.
Select [Back Up Encryption Key], and then press the [OK] key.
Press the selection key beneath [Print].
Press the selection key beneath [Logout].
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.
Encrypting Data in the Address Book
By encrypting data in the Address Book, you can protect it from being read.
Press the [Menu] key.
Log in to the machine as the user administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Extended Security], and then press the [OK] key.
Select [Encrypt Address Book], and then press the [OK] key.
Press the selection key beneath [Enter].
Press the [
] or [
] key to select a character for the encryption key, and then press the [OK] key to enter the character. Repeat this to complete the encryption key, and then press the selection key beneath [Accept].
Enter the encryption key using up to 32 alphanumeric characters.
To enter upper-case letters, numerals, or symbols, press the selection key beneath [ABC/123].
To delete a character that has been entered, press the selection key beneath [Delete].
Press the selection key beneath [Enter].
Follow the instructions in Step 8 to re-enter the encryption key, and then press the selection key beneath [Accept].
Make sure that [On] is selected, and then press the [OK] key.
Confirm the message, and then press the selection key beneath [OK].
Do not switch the main power off during encryption, as doing so may corrupt the data.
Encrypting the data in the address book may take a long time.
The time it takes to encrypt the data in the address book depends on the number of registered users.
The machine cannot be used during encryption.
If you press [Stop] during encryption, the data is not encrypted.
If you do not press [Stop] during decryption, the data stays encrypted.
Normally, once encryption is complete, [Exit] appears.
Press the selection key beneath [Exit].
Press the selection key beneath [Logout].
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.If you register additional users after encrypting the data in the Address Book, those users are also encrypted.
Specifying Auto Erase Memory
When the optional hard disk is installed and [Auto Erase Memory Setting] is set to [On], temporary data that remained on the hard disk while [Auto Erase Memory Setting] was set to [Off] might not be overwritten.
Do not stop the overwrite mid-process. Doing so will damage the hard disk.
If an error occurs before overwriting is completed, turn off the main power. Turn it on, and then repeat from Step 1.
You can overwrite and erase job data that was temporarily stored on the optional hard disk.
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Auto Erase Memory Setting], and then press the [OK] key.
Select [On].
Press the selection key beneath [HDDErase], and then select the method of overwriting.
The default method for overwriting is "Random Numbers", and the default number of overwrites is 3.
NSA*1
Overwrites data twice with random numbers and once with zeros.
Select [NSA], and then press the [OK] key.
DoD*2
Overwrites data with a random number, then with its complement, then with another random number, and the data is verified.
Select [DoD], and then press the [OK] key.
Random Numbers
Overwrites data multiple times with random numbers. Specify the number of overwrites from one to nine.
Select [Random Numbers], and then press the [OK] key.
Press the [
] or [] key to specify the number, and then press the [OK] key.
*1 National Security Agency (U.S.A)
*2 Department of Defense (U.S.A)
Press the [OK] key.
Press the selection key beneath [Logout].
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.If you enable both overwriting and data encryption, the overwriting data will also be encrypted.
To check the Auto Erase Memory status
The machine will not enter Sleep mode while overwriting is in progress. When overwriting has been completed, the machine enters Sleep mode.
Do not turn off the main power of the machine while overwriting is in progress.
You can use the Memory Erase Status screen to find out whether there is any data to be erased on the optional hard disk.
[Memory Erase Status] appears only when:
The optional hard disk is installed.
[Auto Erase Memory Setting] is set to [On] on the Security Options menu.
Press the [Menu] key.
Select [Memory Erase Status].
Press the [OK] key.
Check the current memory status.
[Data to erase remaining.]: Data remains on the hard disk.
[Currently no data to erase.]: No data remains on the hard disk.
Press the [OK] key.
Press the [Menu] key.
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.
Initializing the Machine with the Erase All Memory Function
Initialize the machine's memory when you relocate or dispose of the machine. When the optional hard disk is installed, all the data on the hard disk are overwritten and erased as well.
If your machine is equipped with the Enhanced Security HDD Option, the hard disk automatically discards the encryption key, making it impossible to decrypt the data on the hard disk before the data is erased using the selected overwriting method.
For details about using the machine after executing Erase All Memory, contact your service representative.
If the main power switch is turned off before the Erase All Memory process is completed, overwriting will be stopped and data will be left on the hard disk.
Do not stop the overwrite mid-process. Doing so will damage the hard disk.
We recommend that before you use the Erase All Memory function, you use Device Manager NX to back up the user codes, the counters for each user code, and Address Book. For details, see Device Manager NX Help.
If the method of Random Numbers is selected and overwrite three times is set when the optional hard disk is installed, the Erase All Memory process takes up to 3 hours and 45 minutes. You cannot operate the machine during overwriting.
The Erase All Memory function also clears the machine's security settings, so that neither machine nor user administration will be possible. Ensure that users do not save any data on the machine after the Erase All Memory process has completed.
Press the [Menu] key.
Log in to the machine as the machine administrator on the control panel.
Select [Security Options], and then press the [OK] key.
Select [Erase All Memory], and then press the [OK] key.
Select the method of erasing the data.
The default method for overwriting is "Random Numbers", and the default number of overwrites is 3.
NSA*1
Overwrites data twice with random numbers and once with zeros.
Select [NSA], and then press the [OK] key.
DoD(5220.22-M)*2
Overwrites data with a random number, then with its complement, then with another random number, and the data is verified.
Select [DoD], and then press the [OK] key.
Random Numbers
Overwrites data multiple times with random numbers. Specify the number of overwrites from one to nine.
Select [Random Numbers], and then press the [OK] key.
Press the [
] or [] key to specify the number, and then press the [OK] key.BSI/VSITR
Overwrites data seven times with the fixed value (for example: 0x00).
Select [BSI/VSITR], and then press the [OK] key.
Secure Erase (ATA)
Overwrites data using an algorithm that is built in to the optional hard disk drive.
Select [Secure Erase], and then press the [OK] key.
Format
Formats the optional hard disk. Data is not overwritten.
Select [Format], and then press the [OK] key.
*1 National Security Agency (U.S.A)
*2 Department of Defense (U.S.A)
Press the selection key beneath [Yes].
Depending on the method of erasing selected in Step 6, [Yes] may not appear.
The machine restarts automatically, and then overwriting starts.
When overwriting is completed, press [Exit], and then turn off the main power.
If the desired menu item is not on the screen, press the [
] or [] key on the control panel until it appears.When the optional hard disk is installed, overwriting will stop and data will be left on the hard disk if the main power switch is turned off before the Auto Erase Memory process is completed.
If an error occurs before overwriting is completed, turn off the main power. Turn it on again, and then repeat from Step 1.