# Security

The security architecture of emCA ensures the protection of the CA’s private key and issued certificates against physical, logical, and network threats.

<figure><img src="/files/aV4ZojWiThLECm2OvP10" alt=""><figcaption></figcaption></figure>

**Physical Security**

* **HSM (Hardware Security Module)**\
  The CA’s private key is stored in an HSM, which provides tamper detection and key destruction in the event of physical attacks.
* **Isolation**\
  The HSM is isolated from the rest of the emCA system to prevent physical and side-channel attacks.

**Logical Security**

* **Encryption**\
  All communication between emCA components is encrypted using TLS/SSL protocols to protect data integrity and confidentiality.
* **Access Control**\
  emCA restricts access to authorized users through role-based access control (RBAC), multi-factor authentication (MFA), and audit logging.
* **Audit Logging**\
  emCA logs all activities for monitoring and security incident detection.

**Data Security**

* **Encryption at Rest and in Transit**\
  Sensitive data, certificate metadata, and audit logs are encrypted at rest and in transit using AES-256.
* **Key Management**\
  Private keys are securely stored, with strict access control policies enforced.
* **Backup and Recovery**\
  Data backups are encrypted and stored in secure, access-controlled environments. Backup data retention and disposal are managed according to defined lifecycle policies to ensure compliance.

**Role-Based Access Control**

To ensure security, the emCA application is designed such that each role has a unique set of permissions. The following are the roles and their corresponding duties.

**CA Administrator**

* **Initial setup:** Completes the initial setup process of the emCA application.
* **License registration:** Generates a license request and uploads the license to register the emCA application.
* **User management:** Creates and manages Administrator users.
* **Certificate authority (CA) management:** Deletes Root CA, CA, and Sub/Issuing CA certificates and key pairs.

**Administrator**

* **Certificate profile management:** Creates and manages certificate profiles.
* **Key profile management:** Creates and manages key profiles.
* **User management:** Creates and manages Officer, Auditor, and Operator users.

**Officer**

* **CA key generation:** Generates CA keys.
* **CA hierarchy management:** Creates and manages the CA hierarchy.
* **Certificate revocation list (CRL)/Online Certificate Status Protocol (OCSP) service management:** Creates and manages CRL/OCSP services.
* **Certificate management:** Creates and manages CA, user, and OCSP certificates using certificate profiles created by the Administrator.
* **Scheduler configuration:** Configures the scheduler.
* **Certificate revocation and reinstatement:** Revokes and reinstates certificates as needed.
* **Key recovery:** Performs complete key recovery activities.

**Auditor**

* **Audit log management:** Views and downloads audit logs.
* **Report generation:** Generates various types of reports.

**Operator**

* **Backup and restore:** Performs backup and restore operations.
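
The role list above can be checked mechanically. The following Python is an added example, not emCA code: it encodes the listed duties, confirms that no duty is shared between roles, and flags records in a constructed audit sample where a role acts outside its duties or manages users it is not scoped to manage. The duty labels and the record fields are assumptions made for the example.

```python
from itertools import combinations

# Duties per role, transcribed from the role list above. The duty labels are
# made up for this example; they are not emCA permission identifiers.
ROLE_DUTIES = {
    "CA Administrator": {"initial_setup", "license_registration", "delete_ca"},
    "Administrator": {"cert_profile_mgmt", "key_profile_mgmt"},
    "Officer": {"ca_key_generation", "ca_hierarchy_mgmt", "crl_ocsp_mgmt",
                "certificate_mgmt", "scheduler_config", "revoke_reinstate",
                "key_recovery"},
    "Auditor": {"audit_log_view", "report_generation"},
    "Operator": {"backup_restore"},
}
# User management is scoped: which roles each role may create and manage.
MANAGES = {
    "CA Administrator": {"Administrator"},
    "Administrator": {"Officer", "Auditor", "Operator"},
}

def shared_duties():
    """Duties held by more than one role; empty when duties are separated."""
    return {(a, b): ROLE_DUTIES[a] & ROLE_DUTIES[b]
            for a, b in combinations(ROLE_DUTIES, 2)
            if ROLE_DUTIES[a] & ROLE_DUTIES[b]}

def violations(events):
    """Return (event, reason) pairs for actions outside the actor's role."""
    found = []
    for ev in events:
        role, duty, target = ev["role"], ev["duty"], ev.get("target_role")
        if duty == "user_mgmt":
            if target not in MANAGES.get(role, set()):
                found.append((ev, f"{role} may not manage {target} users"))
        elif duty not in ROLE_DUTIES.get(role, set()):
            found.append((ev, f"{role} does not hold duty {duty}"))
    return found

# Constructed audit records; field names are hypothetical, not emCA's format.
SAMPLE_EVENTS = [
    {"user": "u1", "role": "Officer", "duty": "ca_key_generation"},
    {"user": "u2", "role": "Administrator", "duty": "user_mgmt", "target_role": "Officer"},
    {"user": "u3", "role": "Administrator", "duty": "user_mgmt", "target_role": "Administrator"},
    {"user": "u4", "role": "Operator", "duty": "audit_log_view"},
    {"user": "u5", "role": "Auditor", "duty": "user_mgmt", "target_role": "Operator"},
]

if __name__ == "__main__":
    for ev, reason in violations(SAMPLE_EVENTS):
        print(ev["user"], "->", reason)
```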

