kyoceradocumentsolutions.com
Data Encryption/Overwrite
Operation Guide
MA4500ci
2023.2 3MS2Z7KDENUS0
Introduction
This Setup Guide explains the procedures for installing and operating the Data Encryption/Overwrite Functions (hereinafter called Security Functions) and the procedure for system initialization.
Organization administrators should read and understand this manual.
- Nominate a reliable person for the machine administrator when installing the security functions.
- Sufficiently supervise the nominated administrator so that it can observe the security policy and operation rules at the organization to which it belongs and properly operate the machine in accordance with the Operation Guide of the product.
- Sufficiently supervise the general users so that they can operate the machine while observing the security policy and operation rules at the organization to which they belong.
Instructions for General Users (for Both General Users and Administrators)
Security Functions
The security functions enable overwriting and encryption.
NOTE: If you install the security functions, Running security function… appears when the machine starts up and it may take a while.
Overwriting
Multi-functional products (MFPs) temporarily store the data of scanned originals and print jobs, as well as other data stored by users, on the SSD or in FAX memory, and the job is output from that data. As the data storage areas used for such data remain unchanged on the SSD or in FAX memory until they are overwritten by other data, the data stored in these areas is potentially restorable using special tools.
The security functions delete and overwrite (hereinafter collectively referred to as overwrite(s)) the unnecessary data storage area used for the output data or deleted data to ensure that data cannot be restored.
Overwriting is performed automatically, without user intervention.
CAUTION: When you cancel a job, the machine immediately starts overwriting the data that was stored on the SSD or in FAX memory.
Encryption
MFPs store the data of scanned originals and other data stored by users in the SSD. It means the data could be possibly leaked or tampered with if the SSD is stolen. The security functions encrypt data before storing it in the SSD. It guarantees higher security because no data cannot be decoded by ordinary output or operations. Encryption is automatically performed and no special procedure is required.
CAUTION: Encryption helps enhance security. However, the data stored in the Document Box can be decoded by ordinary operations. Do not store any strictly confidential data in the Document Box.
Security Functions
Touch Panel Display after the Security Functions are Installed
Hard Disk Icon Display
In Security Mode, the security functions have been properly installed and is running. The hard disk icon appears on the top right side of the touch panel in Security Mode.
NOTE: If the hard disk icon does not appear on the normal screen, it is possible that the Security Mode is not ON. Call service.
The hard disk icon display changes as follows during overwriting
The table below shows the icons displayed and their descriptions.
| Icon displayed | Description |
 | There is unneeded data on the SSD or in FAX memory. |
 | Overwriting the unwanted data |
 | The unwanted data is overwritten. |
CAUTION: Do not turn the power switch off while is displayed. Risk of damage to the SSD or FAX memory.
NOTE: If you turn the machine off at the power switch during overwriting, data may not be overwritten completely from the SSD. Turn the machine back on at the power switch. Overwriting automatically resumes. If you accidentally turn the main power switch off during overwriting or initialization, the icon might not switch to the second icon shown above. This would be caused by a possible crash or failed overwriting of the data to be overwritten. This will not affect subsequent overwriting processes. However, hard disk initialization is recommended so as to return to normal stable operations. (Initialization should be performed by the administrator following the steps in System Initialization on page 15.)
Instructions for Administrators (for Those in Charge of Installation and Operations of the Security Functions)
If any kind of problem occurs in the installation or use of the security functions, contact your dealer or service technician.
Installing the Security Functions
The Security Functions Contents
The security functions package includes:
- License Certificate
- Installation Guide (for service personnel)
- Notice In case of the standard specification, there will be no bundled items included.
Before Installation
- Make sure that the service representative must be a person who belongs to the supplying company.
- Install the machine in a safe location with controlled access, and unauthorized access to the machine can be prevented.
- The SSD will be initialized during installation of the security functions. This means that the data stored in the hard disk will be all overwritten. Special attention should be given if you install the security functions on the MFP currently used.
- The network to which the machine is hooked up must be protected by a firewall to prevent extraneous attacks.
- [Adjustment/Maintenance] -> [Restart/Initialization] -> [System Initialization] will not be displayed in the System Menu after the installation.
- When installing the security functions, change the machine settings as follows.
| Item | Value | ||
| Job Accounting/ Authentication | User Login Setting | Add/Edit Local User | Change the administrator password. |
| Device Settings | Date/Timer | Date and Time | Set the date and time. |
Installation
Installation of the security function is performed by the service person or the administrator. The service person or the administrator should log in the system menu to enter the encryption code.
Encryption Code
An encryption code of 8 alphanumeric characters (0 to 9, A to Z, a to z) to encrypt data needs to be entered. By default, the code is set 00000000. As an encryption key is then created from this code, it is safe enough to continue using the default code.
CAUTION: Be sure to remember and securely manage the encryption code you entered. If you need to enter the encryption code again for some reason and you do not enter the same encryption code, all the data stored on the SDD will be overwritten as a security precaution.
Installation Procedure
Use the procedure below to select the interface.
- Press the [Home] key.
- Press […] [System Menu] [Add/Delete Application].
- Press [Optional Function List] of Optional Function.
If user login is disabled, the user authentication screen appears. Enter your login user name and password and then press [Login]. For this, you need to log in with administrator privileges. Refer to the machine’s Operation Guide for the default loginuser name and password. - The optional function screen is displayed. Select Data Encryption/Overwrite and press [Activate].
- This function will be activated. The data saved in the large capacity storage will be deleted and the storage will be formatted and encrypted. If there is no problem, press [Yes].
- Turn the power switch on again following to the indication in the panel screen.
- The screen for entering the encryption code is displayed.
To change the encryption code, erase the “00000000” and then enter the 8-digit alphanumeric encryption code (0 to 9, A to Z, a to z) and press [OK]. SSD formatting begins.
If the encryption code is not changed, press [OK]. SSD formatting begins. - When formatting finishes, follow the on screen instructions to turn the Power Switch off and on again.
- After the opening screen is displayed, confirm that a hard disk icon (Overwritten completion icon of unnecessary data) is shown in the top right corner of the screen.
After Installation
Change the machine setting as follows to securely operate it. If the system in the machine is initialized, it returns to the settings before installation, so make changes in the same way. If you allow service personnel to conduct maintenance operations, confirm the set values.
Items changed in Command Center RX
Item | Value | |||||
| Device Settings | Energy Saver/Timer | Energy Saver/Timer Settings | Timer Settings | Auto Panel Reset | On | |
| Panel Reset Timer | Setting any value | |||||
| System | System | Error Settings | Continue or Cancel Err. Job | Job Owner Only | ||
| Function Settings | Printer | Printer Settings | General | Remote Printing | Prohibit | |
| FAX | FAX Settings | Fax Settings | Remote Settings | FAX Remote Diagnostics | Off | |
| Forwarding | Forward Settings | Forwarding | On | |||
| Network Settings | TCP/IP | TCP/IP Settings | Bonjour Settings | Bonjour | Off | |
| IPSec Settings | IPSec | On | ||||
| Restriction | Allowed | |||||
| Allowed IPSec Rules*(“Settings” selection of any of Rule No.) | Policy | Rule | On | |||
| Key Manageme nt Type | IKEv1 | |||||
| Encapsulati on Mode | Transport | |||||
| IP Address | IP Version | IPv4 | ||||
| IP Address (IPv4) | IP Address of the destination terminal | |||||
| Subnet Mask | Setting any value | |||||
| Authentication | Local Side | Authentication Type | Pre-shared Key | |||
| Pre-shared Key | Setting any value | |||||
Item | Value | ||||
| Network Settings | TCP/IP | Allowed IPSec Rules* (“Settings” selection of any of Rule No.) | Key Exchange (IKE phase1) | Mode | Main mode |
| Hash | MD5:Disable, SHA1:Disable, SHA-256:Enable, SHA-384:Enable, SHA-512:Enable AES-XCBC: Disable | ||||
| Encryption | 3DES: Enable, AES-CBC-128: Enable, AES-CBC-192: Enable, AES-CBC-256: Enable | ||||
| DiffieHellman Group | Select one from following option. modp2048(14), modp4096(16), modp6144(17), modp8192(18), ecp256(19), ecp384(20), ecp521(21), modp1024s160 (22), modp2048s224 (23), modp2048s256 (24) | ||||
| Lifetime (Time) | 28800 seconds | ||||
| Data Protection (IKE phase2) | Protocol | ESP | |||
| Hash | MD5:Disable, SHA1:Disable, SHA-256:Enable, SHA-384:Enable, SHA-512:Enable, AES-XCBC: Setting any value, AES-GCM- 128:Enable, AES-GCM- 192:Enable, AES-GCM- 256:Enable, AES-GMAC128: Setting any value, AES-GMAC-192: Setting any value, AES-GMAC-256: Setting any value | ||||
| Item | Value | ||||
| Network Settings | TCP/IP | Allowed IPSec Rules* (“Settings” selection of any of Rule No.) | Data Protection (IKE phase2) | Encryption | 3DES: Enable, AES-CBC-128: Enable, AES-CBC-192: Enable, AES-CBC-256: Enable, AES-GCM-128: Enable, AES-GCM-192: Enable, AES-GCM-256: Enable, AES-CTR: Disable |
| PFS | Off | ||||
| Lifetime Measurement | Time & Data Size | ||||
| Lifetime (Time) | 3600 seconds | ||||
| Lifetime (Data Size) | 100000 KB | ||||
| Extended Sequence Number | Off | ||||
| Network Settings | Protocol | Protocol Settings | Print Protocols | NetBEUI | Off |
| LPD | Off | ||||
| FTP Server (Reception) | Off | ||||
| IPP | Off | ||||
| IPP over TLS | On | ||||
| IPP Authenticati on | Off | ||||
| Raw | Off | ||||
| WSD Print | Off | ||||
| POP3 (E-mail RX) | Off | ||||
| Item | Value | ||||
| Network Settings | Protocol | Protocol Settings | Send Protocols | SMTP (E-mail TX) | On |
| SMTP (E- mail TX) – Certificate Auto Verification | Validity Period: Enable | ||||
| FTP Client (Transmission) | On | ||||
| FTP Client (Transmission ) – Certificate Auto Verification | Validity Period: Enable | ||||
| SMB | Off | ||||
| WSD Scan | Off | ||||
| eSCL | Off | ||||
| eSCL over TLS | Off | ||||
| Other Protocols | SNMPv1/v2c | Off | |||
| SNMPv3 | Off | ||||
| HTTP | Off | ||||
| HTTPS | On | ||||
| HTTP(Client side) – Certificate Auto Verification | Validity Period : Enable | ||||
| Enhanced WSD | Off | ||||
| Enhanced WSD(TLS) | On | ||||
| LDAP | Off | ||||
| IEEE802.1X | Off | ||||
| LLTD | Off | ||||
| REST | Off | ||||
| REST over TLS | Off | ||||
| VNC(RFB) | Off | ||||
| VNC(RFB) over TLS | Off | ||||
| Enhanced VNC(RFB) over TLS | Off | ||||
| OCSP/CRL Settings | Off | ||||
| Syslog | Off | ||||
| Item | Value | |||||
| Security Settings | Device Security | Device Security Settings | Job Status/Job Log Settings | Display Jobs Detail Status | My Jobs Only | |
| Display Jobs Log | My Jobs Only | |||||
| Edit Restriction | Address Book | AdministratorOnly | ||||
| One Touch Key | Administrator Only | |||||
| Device Security | Device Security Settings | Authentication Security Settings | Password Policy Settings | Password Policy | On | |
| Maximum password age | Setting any value | |||||
| Minimum password length | On 8 or more characters | |||||
| Password complexity | Setting any value | |||||
| User Account Lockout Settings | Lockout Policy | On | ||||
| Number of Retries until Locked | Setting any value | |||||
| Lockout Duration | Setting any value | |||||
| Lockout Target | All | |||||
| Network Security | Network Security Settings | Secure Protocol Settings | TLS | On | ||
| Serverside Settings | TLS Version | TLS1.0: Disable TLS1.1: Disable TLS1.2: Enable TLS1.3: Enable | ||||
| Effective Encryption | ARCFOUR: Disable, DES: Disable, 3DES: Enable, AES: Enable, AES-GCM: Setting any value CHACHA20/ POLY1305: Setting any value | |||||
| Hash | SHA1: Enable, SHA2(256/384): Enable | |||||
| HTTP Security | Secure Only (HTTPS) | |||||
| IPP Security | Secure Only (IPPS) | |||||
| Enhanced WSD Security | Secure Only (Enhanced WSD over TLS) | |||||
| eSCL Security | Secure Only (eSCL over TLS) | |||||
| REST Security | Secure Only (REST over TLS) | |||||
| Item | Value | |||||
| Security Settings | Network Security | Network Security Settings | Secure Protocol Settings | Clientside Settings | TLS Version | TLS1.0: Disable TLS1.1: Disable TLS1.2: Enable TLS1.3: Enable |
| Effective Encryption | ARCFOUR: Disable, DES: Disable, 3DES: Enable, AES: Enable, AES-GCM: Setting any value CHACHA20/ POLY1305: Setting any value | |||||
| Hash | SHA1: Enable SHA2(256/384): Enable | |||||
| Management Settings | Authentication | Settings | Authentication Settings | General | Authenticati on | Local Authentication |
| Local Authorization Settings | Local Authorization | On | ||||
| Guest Authorization Settings | Guest Authorization | Off | ||||
| Unknown User Settings | Unknown ID Job | Reject | ||||
| Simple Login Settings | Simple Login | Off | ||||
| History Settings | History Settings | Job Log History | Recipient E-mail Address | E-mail Address for the administrator of the machine | ||
| AutoSending | On | |||||
Items changed on the machine
| Item | Value | ||
| System Menu | Security Settings | Security Level | Very High |
For the procedures for changing the settings, refer to the machine Operation Guide and Command Center RX User Guide.
After changing the settings, run [Software verification] in the system menu to verify that the machine operates correctly. Periodically perform [Software verification] after installation as well.
After installing the security functions, you can change the security password. Refer to page 14 for the procedures.
The administrator of the machine should periodically store the histories, and check each history to make sure there was no unauthorized access or abnormal operation.
Grant regular users permission based on your company rules, and promptly delete any user accounts that stop being used due to retirement or other reasons.
IPsec setting
It is possible to protect data by enabling the IPsec function that encrypts the communication path. Please note the following points when enabling the IPsec function.
- The value set by the IPsec rule has to be matched with the destination PC. Communication error occurs in case the setting does not match.
- IP address set by the IPsec rule has to be matched with the IP address of the SMTP server or FTP server which is set on the main unit.
- In case the setting does not match, data sent by mail or FTP can’t be encrypted.
- Pre-shared key set by the IPsec rule has to be created by using the alphanumeric symbols of 8 digits or more which will not be easily guessed.
Changing Security Functions
Changing Security Password
Enter the security password to change security functions. You can customize the security password so that only the administrator can use the security functions.
Use the procedure below to change the security password.
- Press the [Home] key.
- Press […] [System Menu] [Security Settings].
- Press [Data Security] of Device Security Settings.
If user login is disabled, the user authentication screen appears. Enter your login user name and password and then press [Login].
For this, you need to log in with administrator privileges. Refer to the machine’s Operation Guide for the default login user name and password. - Press [SSD Initialization].
- Enter the default security password, 000000.
- Press [Security Password].
- For the “Password,” enter a new security password with 6 to 16 alphanumeric characters and symbols.
- For “Confirm Password,” enter the same password again.
- Press [OK].
CAUTION: Avoid any easy-to-guess numbers for the security password (e.g. 11111111 or 12345678).
System Initialization
Overwrite all the data stored in the system when disposing of the machine.
CAUTION: If you accidentally turn the power switch off during initialization, the system might possibly crash or initialization might fail.
NOTE: If you accidentally turn the power switch off during initialization, turn the power switch on again. Initialization automatically restarts.
Use the procedure below to initialize the system.
- Press the [Home] key.
- Press […] [System Menu] [Security Settings].
- Press [Data Security] of Device Security Settings.
If user login is disabled, the user authentication screen appears. Enter your login user name and password and then press [Login].
For this, you need to log in with administrator privileges. Refer to the machine’s Operation Guide for the default login user name and password. - Press [SSD Initialization].
- Enter the default security password, 000000.
- Press [System Initialization].
- Press [Initialize] on the screen to confirm the initialization. Initialization starts.
- When the screen appears to show initialization is completed, turn the power switch off and then on.
Warning Message
If the encryption code information of the machine has been lost for some reason, the screen shown here appears when the power is turned on.
Follow the steps below.
- Enter the encryption code that was entered during the installation of the security functions.
CAUTION: Even though entering a different encryption code can also enable continuation of a job, this will overwrite all the data stored in the SSD. Exercise extreme caution when entering an encryption code.
The encryption code is not the same as the security password. - Turn the power switch off and on.
Disposal
If the machine is unused and demolished, initialize the system of this product to erase the SSD data and FAX memory.
If the machine is unused and demolished, obtain directions for disposal from the dealer (from which you purchased the machine) or your service representative.
Appendix
List of factory default settings
The default settings for security mode are shown below.
Items changed in Command Center RX
| Item | Value | |||||
| Device Settings | Energy Saver/Timer | Energy Saver/Timer Settings | TimerSettings | Auto Panel Reset | On | |
| Panel Reset Timer | 90 seconds | |||||
| System | System | Error Settings | Continue or Cancel Err. Job | All users | ||
| Function Settings | Printer | Printer Settings | General | Remote Printing | Permit | |
| FAX | FAX Settings | Fax Settings | Remote Settings | FAX Remote Diagnostics | Off | |
| Forwarding | Forward Settings | Forwarding | Off | |||
| Network Settings | TCP/IP | TCP/IP Settings | Bonjour Settings | Bonjour | On | |
| IPSec Settings | IPSec | Off | ||||
| Restriction | Allowed | |||||
| IPSec Rules (“Settings” selection of any of Rule No.) | Policy | Rule | Off | |||
| Key Management Type | IKEv1 | |||||
| Encapsulation Mode | Transport | |||||
| IP Address | IP Version | IPv4 | ||||
| IP Address (IPv4) | No setting | |||||
| Subnet Mask | No setting | |||||
| Authentication | Local Side | Authentication Type | Pre-shared Key | |||
| Pre-shared Key | No setting | |||||
| Key Exchange (IKE phase1) | Mode | Main Mode | ||||
| Hash | MD5: Disable, SHA1: Enable, SHA-256: Enable, SHA-384: Enable, SHA-512: Enable AES-XCBC: Disable | |||||
| Item | Value | ||||
| Network Settings | TCP/IP | IPSec Rules (“Settings” selection of any of Rule No.) | Key Exchange (IKE phase1) | Encryption | 3DES: Enable, AES-CBC-128: Enable, AES-CBC-192: Enable, AES-CBC-256: Enable |
| Diffie Hellman Group | modp1024(2) | ||||
| Lifetime (Time) | 28800 seconds | ||||
| Data Protection (IKE phase2) | Protocol | ESP | |||
| Hash | MD5: Disable, SHA1: Enable, SHA-256: Enable, SHA-384: Enable, SHA-512: Enable, AES-XCBC: Disable, AES-GCM-128: Enable, AES-GCM-192: Enable, AES-GCM-256: Enable, AES-GMAC-128: Disable, AES-GMAC- 192: Disable, AES-GMAC-256: Disable | ||||
| Encryption | 3DES: Enable, AES-CBC-128: Enable, AES-CBC-192: Enable, AES-CBC-256: Enable, AES-GCM-128: Enable, AES-GCM- 92: Enable, AES-GCM-256: Enable, AES-CTR: Disable | ||||
| PFS | Off | ||||
| Item | Value | ||||
| Network Settings | TCP/IP | IPSec Rules (“Settings” selection of any of Rule No.) | Data Protection (IKE phase2) | Lifetime Measurement | Time & Data Size |
| Lifetime (Time) | 3600 seconds | ||||
| Lifetime (Data Size) | 100000KB | ||||
| Extended Sequence Number | Off | ||||
| Protocol | Protocol Settings | Print Protocols | NetBEUI | On | |
| LPD | On | ||||
| FTP Server (Reception) | On | ||||
| IPP | Off | ||||
| IPP over TLS | On | ||||
| IPP Authentication | Off | ||||
| Raw | On | ||||
| WSD Print | On | ||||
| POP3 (E-mail RX) | Off | ||||
| Send Protocols | SMTP (E-mail TX) | Off | |||
| FTP Client (Transmission) | On | ||||
| FTP Client (Transmission ) – Certificate Auto Verification | Validity Period: Enable | ||||
| SMB | On | ||||
| WSD Scan | On | ||||
| eSCL | On | ||||
| eSCL over TLS | On | ||||
| Item | Value | |||||
| Network Settings | Protocol | Protocol Settings | Other Protocols | SNMPv1/v2c | On | |
| SNMPv3 | Off | |||||
| HTTP | On | |||||
| HTTPS | On | |||||
| HTTP(Client side) – Certificate Auto Verification | Validity Period: Enable | |||||
| Enhanced WSD | On | |||||
| Enhanced WSD(TLS) | On | |||||
| LDAP | Off | |||||
| IEEE802.1X | Off | |||||
| LLTD | On | |||||
| REST | On | |||||
| REST over TLS | On | |||||
| VNC(RFB) | Off | |||||
| VNC(RFB) over TLS | Off | |||||
| Enhanced VNC(RFB) over TLS | On | |||||
| OCSP/CRL Settings | On | |||||
| Syslog | Off | |||||
| Security Settings | Device Security | Device Security Settings | Job Status/Job Log Settings | Display Jobs Detail Status | Show All | |
| Display Jobs Log | Show All | |||||
| Edit Restriction | Address Book | Off | ||||
| One Touch Key | Off | |||||
| Authentication Security Settings | Password Policy Settings | Password Policy | Off | |||
| Maximum password age | Off | |||||
| Minimum password length | Off | |||||
| Password complexity | No more than two consecutive identical char | |||||
| Item | Value | |||||
| Security Settings | Device Security | Device Security Settings | Authentication Security Settings | User Account Lockout Settings | Lockout Policy | Off |
| Number of Retries until Locked | 3 times | |||||
| Lockout Duration | 1 minute | |||||
| Lockout Target | Remote Login Only | |||||
| Security Settings | Network Security | Network Security Settings | Secure Protocol Settings | TLS | On | |
| Serverside Settings | TLS Version | TLS1.0: Disable TLS1.1: Enable TLS1.2: Enable TLS1.3: Enable | ||||
| Effective Encryption | ARCFOUR: Disable, DES: Disable, 3DES: Enable, AES: Enable, AES-GCM: Disable, CHACHA20/ POLY1305: Enable | |||||
| Hash | SHA1: Enable, SHA2(256/384): Enable | |||||
| HTTP Security | Secure Only (HTTPS) | |||||
| IPP Security | Secure Only (IPPS) | |||||
| Enhanced WSD Security | Secure Only (Enhanced WSD over TLS) | |||||
| eSCL Security | Not Secure (eSCL over TLS & eSCL) | |||||
| REST Security | Secure Only (REST over TLS) | |||||
| Clientside Settings | TLS Version | TLS1.0: Disable TLS1.1: Enable TLS1.2: Enable TLS1.3: Enable | ||||
| Effective Encryption | ARCFOUR: Disable, DES: Disable, 3DES: Enable, AES: Enable, AES-GCM: Enable, CHACHA20/ POLY1305: Enable | |||||
| Hash | SHA1: Enable, SHA2(256/384): Enable | |||||
| Item | Value | |||||
| Management Settings | Authentication | Settings | Authentication Settings | General | Authentication | Off |
| Local Authorization Settings | Local Authorization | Off | ||||
| Guest Authorization Settings | Guest Authorization | Off | ||||
| Unknown User Settings | Unknown ID Job | Reject | ||||
| Simple LoginSettings | Simple Login | Off | ||||
| History Settings | History Settings | Job Log History | Recipient E-mail Address | No setting | ||
| Auto Sending | Off | |||||
Items changed on the machine
| Item | Value | ||
| System Menu | Security Settings | Security Level | High |
The initial value of the custom box
| Item | Value |
| Owner | Local User |
| Permission | Private |
Log information
The following settings and status regarding security are shown in the machine log.
- Event date and time
- Type of event
- Information of the log in user or the user who attempted to log in
- Event result (Success or fail)
Event to be displayed in the log
| Log | Event |
| Job Logs | End job/Check job status/Change job/Cancel job |
© 2023 KYOCERA Document Solutions Inc.
is a trademark of KYOCERA Corporation
Documents / Resources
 | KYOCERA MA4500ci Data Encryption Overwrite Operation Guide [pdf] User Guide MA4500ci Data Encryption Overwrite Operation Guide, MA4500ci, Data Encryption Overwrite Operation Guide, Encryption Overwrite Operation Guide, Overwrite Operation Guide |