Notes:
Currently, E2EE is available on On-Premise deployments only.
Keystrokes decryption feature isn't yet available on the Teramind NextGen platform.
Introduction
The primary objective of End-to-End Encryption (E2EE) is to provide the highest level of data privacy and security by applying multi-layered encryption to all communications between the Agent and Server(s). Consider enabling E2EE if maximum data privacy is a priority for your organization.
How E2EE Secures Your Data
When E2EE is enabled, data is encrypted at its origin and remains encrypted at every point throughout the data flow, until it reaches its final consumption or presentation.
The data is only viewable by those possessing the necessary decryption keys and passphrases. This means E2EE prevents unauthorized parties—including external threats and privileged system users—from reading or modifying the data.
Key Benefits of Teramind E2EE
Teramind E2EE provides multi-layered protection by integrating envelope encryption, end-to-end encryption, and secure connectivity:
Transport Layer Security | TLS 1.2 or higher protocol ensures a secure communication channel, guaranteeing data integrity, privacy, and authenticity during transmission. |
Envelope Encryption | Protects the encryption keys themselves (e.g., encrypting an AES key with an RSA key). |
End-to-End Encryption | Safeguards the data itself through secure communications, key management, and encryption for both online and data-at-rest (offline data). |
This combined approach significantly enhances the confidentiality, integrity, and control of sensitive information throughout your Teramind deployment.
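The envelope scheme described above, as an added openssl walkthrough that is not Teramind's code or part of this page: a random AES-256 data key (DEK) encrypts the content, the RSA-2048 public key (KEK) wraps that DEK, and only the passphrase-protected private key on the server side can unwrap it. It assumes openssl is installed and the passphrase is exported as TM_KEK_PASSPHRASE (a variable name chosen for this example).

```shell
#!/bin/sh
# Added illustration, not Teramind's code: envelope encryption with openssl.
# A random AES-256 data key (DEK) encrypts the content; the RSA-2048 public
# key (KEK) wraps the DEK; only the passphrase-protected private key unwraps it.
# Assumes openssl is installed and TM_KEK_PASSPHRASE is exported (name chosen here).
set -eu

# envelope_keygen <dir>: create the KEK pair (the page's Step 1 and Step 3, non-interactive).
envelope_keygen() {
  openssl genrsa -aes256 -passout env:TM_KEK_PASSPHRASE -out "$1/kek_priv.pem" 2048 2>/dev/null
  openssl rsa -in "$1/kek_priv.pem" -passin env:TM_KEK_PASSPHRASE -pubout -out "$1/kek.pem" 2>/dev/null
}

# envelope_encrypt <dir> <plaintext-file>: the Agent side, which holds only the public key.
envelope_encrypt() {
  dir="$1"; plain="$2"
  openssl rand -hex 32 > "$dir/dek.hex"     # fresh 256-bit DEK for this item
  openssl rand -hex 16 > "$dir/iv.hex"      # IV is not secret; kept next to the ciphertext
  openssl enc -aes-256-cbc -K "$(cat "$dir/dek.hex")" -iv "$(cat "$dir/iv.hex")" \
    -in "$plain" -out "$dir/data.enc"
  # Wrap the DEK with RSA-OAEP under the public key; only this wrapped form is stored.
  openssl pkeyutl -encrypt -pubin -inkey "$dir/kek.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$dir/dek.hex" -out "$dir/dek.wrapped"
  rm -f "$dir/dek.hex"                      # the plain DEK never persists on disk
}

# envelope_decrypt <dir> <output-file>: the server side, passphrase -> private key -> DEK -> data.
envelope_decrypt() {
  dir="$1"; out="$2"
  openssl pkeyutl -decrypt -inkey "$dir/kek_priv.pem" -passin env:TM_KEK_PASSPHRASE \
    -pkeyopt rsa_padding_mode:oaep -in "$dir/dek.wrapped" -out "$dir/dek.tmp"
  openssl enc -d -aes-256-cbc -K "$(cat "$dir/dek.tmp")" -iv "$(cat "$dir/iv.hex")" \
    -in "$dir/data.enc" -out "$out"
  rm -f "$dir/dek.tmp"                      # unwrapped DEK is used just in time, then discarded
}
```

Without the passphrase the server cannot open kek_priv.pem, so dek.wrapped and data.enc on disk are opaque even to a privileged user, which is the property the table above describes.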
E2EE Data Flow
Here's a simplified diagram illustrating the E2EE data flow:
How to Enable E2EE
Crucial Warning: We strongly recommend enabling E2EE on the server side first. If you enable E2EE on the endpoint before the server has the keys, the computer will appear offline until the keys are included on the server. Once the keys are included, you can freely enable or disable E2EE from the endpoint without server disruption.
Server-Side Configuration
Step 1: Generate Private Key
Generate a 2048-bit RSA Private Key file using a tool like OpenSSL:
openssl genrsa -aes256 -out keypair.pem 2048
Securely store the passphrase. You will need it to decrypt data on the Teramind Dashboard.
Note: You can run this command directly on the Teramind server or on a separate computer using tools like OpenSSL for Windows or Strawberry Perl.
Step 2: Set Key Ownership and Permissions
The openssl command above creates the Private Key file owned by root:root with UGO permissions 600. Run the following commands to change the ownership and permissions:
chown root:prod keypair.pem
chmod 440 keypair.pem
Step 3: Extract Public Key (.crt)
Extract the Public Key file (.crt) from the Private Key file (.pem):
openssl rsa -in keypair.pem -pubout -out publickey.crt
Step 4: Copy Key Files to Server
Copy the Private Key file (e.g., keypair.pem) to /usr/local/teramind/conf/keypair.pem:
cp keypair.pem /usr/local/teramind/conf/keypair.pem
Copy the Public Key file (e.g., publickey.crt) to /usr/local/teramind/conf/publickey.crt:
cp publickey.crt /usr/local/teramind/conf/publickey.crt
Note for Multi-Node Deployments: If you have application server nodes deployed, you must copy the key files to /usr/local/teramind/conf on each terasrv node.
Step 5: Update Database Record
Add the key file paths to the encryption_kek table inside the tm_onsite database:
INSERT INTO encryption_kek (active, priv_encrypted, pub_datafile, priv_datafile) VALUES (true, true, '/usr/local/teramind/conf/publickey.crt', '/usr/local/teramind/conf/keypair.pem');
If you need database credentials, contact the Teramind Support Team.
Step 6: Restart Teramind Server
Apply the changes by restarting the Teramind service.
sudo systemctl restart teramind
Endpoint-Side Configuration
Step 7: Enable Encryption on the Agent
You now need to enable the encryption feature on the endpoint's Agent.
For New Installations: Use the TMENCRYPTION parameter during installation:
msiexec /i teramind_agent_v0.1.260.3940_x64.msi TMENCRYPTION=1
For Existing Installations: Edit the Agent configuration file (config.cfg) and add the following line to it:
enable-encryption=1
The config.cfg file is usually located in one of these paths:
Hidden Agent: C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}\config
Revealed Agent: C:\ProgramData\Teramind Agent\config
If the file doesn't exist, create it using a text editor.
Step 8: Install Public Key on the Agent
The Agent needs the Public Key to encrypt data.
Create a new folder named certs in the following location:
C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}\
Copy the publickey.crt file (from Step 3) to this new folder.
Rename the copied file to kek.pem.
The final path should look like this:
C:\ProgramData\{4CEC2908-5CE4-48F0-A717-8FC833D8017A}\certs\kek.pem
Tip: If you ran openssl on the server, use scp from your command prompt or WinSCP to transfer the publickey.crt file to the endpoint computer.
Step 9: Restart the Agent
Restart the Agent to apply the new configuration.
Revealed Agent: Simply quit the agent and run it again.
Silent/Hidden Agent: Run the following commands from the Command Prompt (run as administrator):
# Stop the Agent service
sc stop tsvchst
# Check status (should show STOPPED)
sc query tsvchst
# Start the Agent service
sc start tsvchst
Alternatively, you can restart the computer or run the Teramind Diagnostics tool from the Command Prompt:
tmdiag agent restart
E2EE Verification
Step 10: Verify Encryption on Dashboard
The Session Player, Keystrokes dashboard, etc. will mask the data when E2EE is working properly. See the Changes to the Dashboard section below to learn more.
Step 11: Verify Data on Server
On the server, check the encryption_dek table in the database to confirm that encrypted DEK (Data Encryption Key) data is being generated:
SELECT * FROM public.encryption_dek ORDER BY creation_time DESC;
You should see records with encrypted data:
The above procedure (Steps 1-6 and 8-9) must be completed for each unique Agent that requires E2EE.
You must create unique keypairs for each Agent, using unique filenames throughout the process (Steps 1, 4, and 5) to ensure you do not overwrite existing keypairs on the server. Once keys are included, you can freely enable or disable E2EE from the endpoint without server disruption.
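Added helper script (not Teramind's own tooling) that automates Steps 1 to 5 for one Agent with unique filenames, so generating a second Agent's pair cannot overwrite the first's; it also checks that the extracted .crt really belongs to the .pem before the paths go into encryption_kek. It assumes openssl is installed, the passphrase is exported as TM_KEK_PASSPHRASE, and the conf directory from Step 4 (TM_CONF_DIR can be overridden for a dry run outside the server); those two variable names are this example's own.

```shell
#!/bin/sh
# Added example, not Teramind's tooling: one KEK pair per Agent with unique
# filenames (Steps 1-5). Assumes openssl is installed and TM_KEK_PASSPHRASE is
# exported; TM_KEK_PASSPHRASE and TM_CONF_DIR are names chosen for this script.
set -eu

TM_CONF_DIR="${TM_CONF_DIR:-/usr/local/teramind/conf}"   # path from Step 4

# tm_make_agent_kek <agent-name> <output-dir>
# Writes keypair_<agent>.pem (AES-256 passphrase-protected RSA-2048 private key)
# and publickey_<agent>.crt, then applies the Step 2 ownership and permissions.
tm_make_agent_kek() {
  agent="$1"; outdir="$2"
  priv="$outdir/keypair_${agent}.pem"
  pub="$outdir/publickey_${agent}.crt"
  # Never overwrite: reusing a filename would clobber another Agent's keys.
  if [ -e "$priv" ] || [ -e "$pub" ]; then
    echo "refusing to overwrite key files for agent '$agent'" >&2
    return 1
  fi
  mkdir -p "$outdir"
  # Step 1, non-interactive: the passphrase comes from the environment.
  openssl genrsa -aes256 -passout env:TM_KEK_PASSPHRASE -out "$priv" 2048 2>/dev/null
  # Step 3: the passphrase is needed to open the private key for extraction.
  openssl rsa -in "$priv" -passin env:TM_KEK_PASSPHRASE -pubout -out "$pub" 2>/dev/null
  # Step 2: chown only works as root and only if the prod group exists.
  chmod 440 "$priv"
  if [ "$(id -u)" -eq 0 ] && getent group prod >/dev/null 2>&1; then
    chown root:prod "$priv"
  fi
}

# tm_kek_sql <agent-name>: print the Step 5 INSERT with this Agent's unique paths.
tm_kek_sql() {
  printf "INSERT INTO encryption_kek (active, priv_encrypted, pub_datafile, priv_datafile) VALUES (true, true, '%s/publickey_%s.crt', '%s/keypair_%s.pem');\n" \
    "$TM_CONF_DIR" "$1" "$TM_CONF_DIR" "$1"
}

# tm_kek_check <priv.pem> <pub.crt>: confirm the .crt belongs to the .pem by
# comparing RSA moduli, so a mixed-up pair is caught before it reaches the DB.
tm_kek_check() {
  m1=$(openssl rsa -in "$1" -passin env:TM_KEK_PASSPHRASE -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$m1" ] && [ "$m1" = "$m2" ]
}
```

Run tm_make_agent_kek once per Agent, pass the resulting files to tm_kek_check, and feed the output of tm_kek_sql to the tm_onsite database before restarting the service (Step 6).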
Changes to the Dashboard
E2EE Data Visibility and Scope
End-to-End Encryption (E2EE) operates on an endpoint-basis. Only data originating from a computer where E2EE is enabled will be masked on the Dashboard. Data from non-encrypted computers will appear as usual.
The encryption scope applies to the entire machine:
If E2EE is enabled on a computer with multiple user accounts, the data from all users on that computer will be encrypted on the Dashboard.
The same principle applies to a Terminal Server or VDI; data from all users accessing the server will be encrypted.
When End-to-End Encryption (E2EE) is enabled, screen recordings and keystroke data are masked for security. This data will be displayed as "Encrypted," "No preview available," or hidden entirely within the Session Player, Keystrokes dashboard, and other related widgets.
Below are examples of how masked data appears across the platform.
Session Player
The Session Player will mask the screen in both Live View and History View modes and display an "E2EE (end-to-end encryption) is enabled" message:
To view the recording, enter your passphrase and press the Decrypt button.
Screen Thumbnails
Screen thumbnails, such as those found in the Snapshots and Live montage widgets, will display either a "No preview available" or an "Encrypted" message:
Keystrokes
The Keystrokes dashboard and any other locations where captured keystrokes are displayed will show an <Encrypted> message in place of the keystrokes:
The keystroke decryption feature is not yet available on the Teramind NextGen platform. To use this feature, please contact your Customer Success Manager to arrange a switch to the Teramind Legacy platform.
Features & Limitations
The current implementation of Teramind End-to-End Encryption (E2EE) offers the following capabilities and restrictions:
Features
Strong Encryption | Uses strong hybrid encryption: AES-256 for data combined with RSA-2048 (Public Key) for key protection (envelope encryption). |
Ephemeral Cipher Key | Unique key pairs are generated for each session, ensuring high security. |
Secure Key Storage | The AES key material is generated on the client at service start-up and is never written unencrypted to the disk. |
Just-in-Time Use | The server holds the encryption passphrase and plaintext RSA keys in memory only when actively accessing encrypted content, providing resilience against sniffing and other attacks. |
Certificate Pinning | The Agent enforces validation of server certificates, adding security against Man-in-the-Middle (MITM) attacks. |
No External Dependency | Teramind E2EE operates without external resources (e.g., CDN libraries), making it suitable for secure air-gapped networks. |
Low Resource Consumption | The encryption process does not materially impact the performance of the endpoint or the server. |
Data Export Support | Data export options remain functional, allowing unencrypted data to be exported from the server if necessary. |
Limitations
Limited Envelope Encryption Scope | Currently, only Keystrokes and Screen Recordings use full envelope encryption. Other data stored at rest on the endpoint is encrypted using a server public key. Support for additional data types is planned for a future release. |
OCR Functionality | Optical Character Recognition (OCR) functionality is disabled when E2EE is enabled. |
Key Management | There is currently no automated or third-party key management feature available; this capability may be added in the future. |