Password bank

The Password Bank is a password repository used to decrypt certain password-protected files during inventory, discovery and basic and native imaging. By creating a password bank, you can have Relativity run passwords against each encrypted document until it finds a match. Likewise, when you run an imaging job, mass image, or use image-on-the-fly, the list of passwords specified in the bank accompanies that job so that encrypted files are imaged in that job.

The password bank potentially reduces the number of errors in each job and eliminates the need to address password errors outside of Relativity.

Note: You can locate the Password Bank tab under both the Imaging and the Processing applications, if both are installed.

Password bank in processing workflow

The following steps illustrate how the password bank typically fits into the processing cycle.

  1. Create a password bank that includes a list of passwords that correspond with the files you intend to process.
  2. Create a processing set and add data sources that contain the encrypted documents to the set.
  3. Start inventory and/or discovery on the files in the data sources attached to the processing set.
  4. All passwords supplied to the password bank become synced via an agent and accompany the job as it goes to the processing engine.
  5. The processing engine discovers the files in the processing set. If the file is encrypted, Relativity checks the Password Bank to see if a password exists for the file. If a password exists, Relativity uses the password to open the file and extract the text, metadata, and native/basic imaging. The native file remains unmodified in its encrypted state, as the password is only used to open and extract content. The extracted text, metadata, and native/basic imaging are not encrypted.
  6. Publish the discovered files in the processing set.
  7. The published documents are now available for review in the workspace. To view or image any encrypted native files, the password must remain in the Password Bank, otherwise you will see an error.

The following scenario depicts the basic procedure by which you'd address errors due to password-protected files in a processing set. In this scenario, you would:

  1. Run publish on your discovered files.
  2. Navigate to the Files tab after publish is complete and locate all errors resulting from password protection.
  3. Outside of Relativity, locate the passwords designated to unlock those files.
  4. Return to Relativity, go to the Password Bank, and create entries for every password that corresponds with the errored files.
  5. Run retry on the files that previously resulted in password-protection errors.
  6. From the Files tab, use the Republish mass action to retry to job.

Note: The PDF mass action does not work with the Password Bank. Specifically, Save as PDF isn't able to connect with the password bank to grab passwords for encrypted documents. That connection is only available for native imaging and processing.

Creating or deleting a Password Bank entry

Note: There is no limit on the number of passwords you can add to the password bank; however, having more than 100 passwords could degrade the performance of your processing and imaging jobs.

To create a new entry in the bank:

  1. Navigate to Processing, and click the Password Bank tab.
  2. Click New on the Password Entry category.
    New button on Password entry category
  3. Complete the fields on the Password Entry Layout. See Fields for more information.
  4. Click Save. The entry appears among the others under the Password Entry object.

To delete a password, select the check box next to its name and click Delete on the Password Entry object.

Note: When you create a password entry and submit any job that syncs with the processing engine (imaging or processing), an entry is created in the engine for that password and that workspace. Even if you delete that password entry from the password bank, any future jobs will continue to try that password.

Fields

The Password Bank layout contains the following fields:

New password bank entry

  • Type - the type of password entry you're creating. The options are:
    • Passwords - any file that you want to decrypt that is not grouped with the three other types of Lotus Notes, Email encryption certificates, or AD1 encryption certificates.
      • Although you're able to process EnCase Logical Evidence files, the password bank doesn't support password-protected Encase files.
      • When you select this type, you must enter at least one password in the Passwords field in order to save.
      • The password bank doesn't support Microsoft OneNote files.
      • For imaging jobs, this is the only relevant option for a password entry.
      • For imaging and processing jobs, a slipsheet is not created automatically for documents that are password-protected. However, you can create an image outside of Relativity and use the password-protected document's control number as the image key to then load the image into Relativity through the Import/Export tool and have it display as the image for that encrypted document.
    • Lotus Notes - any file generated by Lotus Notes software.
      • Even though the Password(s) field doesn't display as being required, you must enter passwords for all encrypted Lotus Notes files if you want to decrypt them during the processing job. This is because Lotus Notes files require a matching password and file.
      • When you select this type, you must upload a file with an extension of User.ID in the Upload file field.
      • If processing is installed, you can associate a custodian with the Lotus files you upload. To do this, select a custodian from the Custodians field, which appears on the layout only when you select Lotus Notes as the type. Doing this syncs the password bank/custodian with the processing engine, which can then access partially encrypted Lotus Notes files. Passwords associated with a custodian have a higher priority.
      • For encrypted Lotus documents, Relativity only supports user.id files whose public key size is 630 bits.
    • Email encryption certificate - files protected by various encryption software certificates.
      • Even though the Password(s) field doesn't display as being required, you must enter passwords for all email encryption certificates if you want to decrypt them during the processing job.
      • When you select this type, you must upload one .pfx or .p12 file in the Upload file field.
      • You can only upload one file per email encryption entry.
    • AD1 Encryption Certificate - AD1 files protected by an encryption software certificate.
      • Even though the Password(s) field doesn't display as being required, you must enter passwords for all AD1 encryption certificates if you want to decrypt them during the processing job.
      • When you select this type, you must upload one .pfx, .p12, .pem, or .key file in the Upload file field. You'll receive an error if you attempt to upload any other file type.
      • You can only upload one file per AD1 encryption entry.
  • Description - a description of the entry you are adding to the bank. This helps you differentiate between other entry types.
  • Password(s) - the one or more passwords you are specifying for the type you selected. Only enter one password per line, and separate passwords with a carriage return. If you enter two passwords on the same line, the password bank interprets the value as a single password.
    •  If you select Passwords as the file type, you must add at least one password here in order to save.
    • You can also add values here if you are uploading certificates that don't have passwords. See Example password.
    •  Unicode passwords for zip files aren't supported.
    • Relativity bypasses passwords on .pst and .ost files automatically during file discovery; thus, passwords aren't required for these files to get discovered.
  • Upload file - the accompanying file you're required to upload for Lotus Notes, Email encryption certificate, and AD1 encryption certificate types. If uploading for Lotus Notes, the file extension must be User.ID with no exceptions. The file types eligible for upload for the Email encryption certificate type are .pfx and .p12. The file types eligible for upload for the AD1 encryption certificate type are .pfx, .p12, .pem, and .key.

Note: If you save a Powerpoint or Excel document in pre-2007 format, like .PPT or .XLS, and the document is read-only, we use the default known password to decrypt the document, regardless of whether or not the password exists in the Password Bank.

Example password

When supplying passwords to the password bank, if you enter:

password@1

bookmark@56

123456

the password bank recognizes three passwords.

If you enter:

password@1

bookmark@56, 123456

the password bank only recognizes two passwords.

Validations, errors, and exceptions

Note the following:

  • Including a password that doesn't belong to a document in your data set doesn't throw an error or affect the process.
  • A password can unlock multiple files. If you provide the password for a Lotus Notes file that also happens to correspond to a Word file, the password unlocks both files.
  • If you delete a password bank entry after submitting a processing or imaging job, you can still complete those jobs.

You may encounter an exception called Word template files while using the password bank. In this case,the password bank can't unlock an encrypted Word file that was created based on an encrypted Word template where the Word file password is different than the template password, regardless of whether both passwords are in the password bank.

You can resolve password bank errors by supplying the correct password to the bank and then retrying those errors in their respective processing or imaging jobs.

Note: When you supply a valid password to the password bank, the processing engine extracts metadata and extracted text from the document that the password unlocks. However, when you publish that document, its password security isn't removed, in which case it technically remains in an encrypted state even after it's published to the workspace. However, you can view the still-encrypted document in the viewer, because the viewer will recognize that a valid password has been supplied. If the Password Protected field indicates that a document has been decrypted, that designation only refers to the fact that you provided a valid password for it to the password bank for the purposes of processing.

Viewing audits

Every time you send a Password Bank to the processing engine, Relativity adds an audit. The Password Bank object's audit history includes the standard Relativity audit actions of update and run, as well as a list of all passwords associated with a discovery job at run time.

To view the passwords sent to the processing engine during a job:

  1. Navigate to Processing, and then click Password Bank.
  2. Click View Audit on the Password Bank layout.
  3. Click Details on the Password Bank history layout.
    Password bank details
  4. Refer to the Value field on the audit details window. Any properties not set on the password bank entry are not listed in the audit.