# Security

The security architecture of emCA ensures the protection of the CA’s private key and issued certificates against physical, logical, and network threats.


**Physical Security**

* **HSM (Hardware Security Module)**\
  The CA’s private key is stored in an HSM, which provides tamper detection and key destruction in the event of physical attacks.
* **Isolation**\
  The HSM is isolated from the rest of the emCA system to prevent physical and side-channel attacks.

**Logical Security**

* **Encryption**\
  All communication between emCA components is encrypted using TLS/SSL protocols to protect data integrity and confidentiality.
* **Access Control**\
  emCA restricts access to authorized users through role-based access control (RBAC), multi-factor authentication (MFA), and audit logging.
* **Audit Logging**\
  emCA logs all activities for monitoring and security incident detection.

**Data Security**

* **Encryption at Rest and in Transit**\
  Sensitive data, including certificate metadata and audit logs, is encrypted at rest and in transit using AES-256.
* **Key Management**\
  Private keys are securely stored, with strict access control policies enforced.
* **Backup and Recovery**\
  Data backups are encrypted and stored in secure, access-controlled environments. Backup data retention and disposal are managed according to defined lifecycle policies to ensure compliance.

**Role-Based Access Control**

To ensure security, the emCA application is designed such that each role has a unique set of permissions. The following are the roles and their corresponding duties.

**CA Administrator**

* **Initial setup:** Completes the initial setup process of the emCA application.
* **License registration:** Generates a license request and uploads the license to register the emCA application.
* **User management:** Creates and manages Administrator users.
* **Certificate authority (CA) management:** Deletes Root CA, CA, and Sub/Issuing CA certificates and key pairs.

**Administrator**

* **Certificate profile management:** Creates and manages certificate profiles.
* **Key profile management:** Creates and manages key profiles.
* **User management:** Creates and manages Officer, Auditor, and Operator users.

**Officer**

* **CA key generation:** Generates CA keys.
* **CA hierarchy management:** Creates and manages the CA hierarchy.
* **Certificate revocation list (CRL)/Online Certificate Status Protocol (OCSP) service management:** Creates and manages CRL/OCSP services.
* **Certificate management:** Creates and manages CA, user, and OCSP certificates using certificate profiles created by the Administrator.
* **Scheduler configuration:** Configures the scheduler.
* **Certificate revocation and reinstatement:** Revokes and reinstates certificates as needed.
* **Key recovery:** Performs complete key recovery activities.

**Auditor**

* **Audit log management:** Views and downloads audit logs.
* **Report generation:** Generates various types of reports.

**Operator**

* **Backup and restore:** Performs backup and restore operations.
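The role matrix above can be enforced with a deny-by-default authorization check that also feeds the audit log the page describes. The following is an added example and not emCA's own code or API: the role names and duties are taken from the sections above, but the permission identifiers, the `RBACPolicy` class, the MFA flag and the audit record format are constructed for illustration. It also adds a `shared_permissions` check that verifies no two roles share a permission, which is the "unique set of permissions per role" property the page states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import combinations

# Role names and duties follow the page; the permission strings below are
# constructed identifiers for this example, not emCA's own.
ROLE_PERMISSIONS = {
    "CA Administrator": {
        "setup.initial", "license.register",
        "user.manage.administrator", "ca.delete",
    },
    "Administrator": {
        "profile.certificate.manage", "profile.key.manage",
        "user.manage.officer", "user.manage.auditor", "user.manage.operator",
    },
    "Officer": {
        "ca.key.generate", "ca.hierarchy.manage", "service.crl_ocsp.manage",
        "certificate.manage", "scheduler.configure",
        "certificate.revoke", "certificate.reinstate", "key.recover",
    },
    "Auditor": {"audit.view", "audit.download", "report.generate"},
    "Operator": {"backup.run", "restore.run"},
}


@dataclass
class AuditRecord:
    """One audit-log entry; every authorization decision produces one."""
    timestamp: str
    user: str
    role: str
    permission: str
    allowed: bool
    reason: str


@dataclass
class RBACPolicy:
    """Illustrative policy object (an assumption, not an emCA class)."""
    roles: dict = field(default_factory=lambda: dict(ROLE_PERMISSIONS))
    audit_log: list = field(default_factory=list)

    def authorize(self, user: str, role: str, permission: str,
                  mfa_verified: bool) -> bool:
        """Deny-by-default check: an unknown role, a missing MFA step, or a
        permission outside the role's set all result in a denial, and every
        decision, allowed or denied, is appended to the audit log."""
        if role not in self.roles:
            allowed, reason = False, "unknown role"
        elif not mfa_verified:
            allowed, reason = False, "MFA not verified"
        elif permission not in self.roles[role]:
            allowed, reason = False, "permission not granted to role"
        else:
            allowed, reason = True, "granted"
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, permission=permission,
            allowed=allowed, reason=reason))
        return allowed


def shared_permissions(roles: dict) -> dict:
    """Return every permission granted to more than one role, keyed by the
    role pair, so a policy edit that breaks the one-set-per-role rule is
    caught before deployment. An empty dict means the rule holds."""
    overlaps = {}
    for a, b in combinations(sorted(roles), 2):
        common = roles[a] & roles[b]
        if common:
            overlaps[(a, b)] = common
    return overlaps


if __name__ == "__main__":
    policy = RBACPolicy()
    # An Officer issues certificates using Administrator-created profiles...
    print(policy.authorize("alice", "Officer", "certificate.manage", True))
    # ...but cannot create the profiles themselves.
    print(policy.authorize("alice", "Officer", "profile.certificate.manage", True))
    # Deleting a CA is reserved for the CA Administrator.
    print(policy.authorize("bob", "Administrator", "ca.delete", True))
    # Without a verified MFA step even a permitted action is refused.
    print(policy.authorize("carol", "Auditor", "audit.view", False))
    print(shared_permissions(ROLE_PERMISSIONS))  # {} : no two roles share a permission
    for record in policy.audit_log:
        print(record)
```

Each `authorize` call writes a record whether it succeeds or fails, so the Auditor role's view of the log shows denied attempts as well as granted actions; the denied ones are usually the more useful signal for incident detection.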
