Skip links

SafeCom – End to End Encryption

End to End Encryption is one of the best features of SafeCom, which makes it a lot more refined than many software offerings in the enterprise world of managed print solutions. However, while end to end encryption is available in SafeCom, it is not enabled by default as some people believe. Setting up end to end encryption will depend on your landscape, infrastructure and configuration of the software. Unlike other software, however, the capability is native and not dependant on third party tools. What do we mean by this? Well let’s first look at the main difference between the types of Pull Printing.

’Pull’ vs ‘Sent’

There are several ways that solutions will describe Pull Printing. ‘Hold-Release’, ‘Secure-Release’, and ‘Follow me’ are some examples. Each method works differently, and it is important to understand just how they differ.

The main difference is how the print job arrives at the device, whether it is ‘Pulled’ or ‘Sent’.

Pull Printing

‘Pull’ Printing is much as it sounds. It refers to the concept of ‘pulling’ the job from the server to the output device, using the device itself. This is handled by a piece of software running on the MFP and, in SafeCom, this is commonly referred to as embedded or an embedded client. The MFP executes this software like an app or program within its own firmware & framework. Users interacting with the device are using a program running on the MFP like a program on a computer or an app on a phone. When a job is chosen for release, the software goes to the server or client machine holding the job, and ‘Pulls’ it down to the device. Where possible, SafeCom will utilise Pull Printing in this way.

Sent Printing

’Sent’ printing appears to be very similar to Pull Printing on the surface – login to a device and choose a job and it prints. However, the software running on the device is minimal, or often actually running on the server and just displayed to the user on the MFP screen like a website. When a user chooses to print, a signal is sent to the server. This only contains instructions to ‘send’ the job from the server to the device and is completed by the server. As such, this is not truly ‘Pull Printing’ in the traditional sense. Using this method, the data will have to be decrypted on the server or client machine prior to reaching the device as there is no software application there to decrypt it.

Encryption Methods

So how does SafeCom encrypt data? There are two methods of encryption used by SafeCom: Symmetric and Asymmetric. Each method has advantages and disadvantages so SafeCom makes use of both for different purposes.


Symmetric encryption is used by SafeCom for bulk data information transfers. The main reason for this is speed as SafeCom will be passing large amounts of data between components. Symmetric keys are shared between different sections of the software for secure communication.


Asymmetric encryption is a newer style of encryption than Symmetric and is undoubtably more secure. However, it is measurably slower to use than Symmetric. As such, SafeCom utilises this for non-bulk information transfers throughout the system. Crucially, it also uses Asymmetric encryption to pass Symmetric keys within its environment.

Data Types

Ok, so what data is encrypted? Well, there are 4 main types of data within SafeCom.

Control Data

Control data is the internal communication within SafeCom and its various components. This refers to things like login requests with user details including card numbers, PIN codes and passwords. It also includes things like document lists, tracking data, event log information and communication between servers in multi-server environments. This data always encrypted.

File Data

As with control data, jobs printed to Pull Print queues & held for Pull Printing by SafeCom will always remain encrypted. This encryption takes place as the data is processed and spooled by the port monitor and the encrypted file is held on the server, defined by the port configuration it passed through.

Submission Data

This refers to the data that travels across the network from the user’s machine to the print queue most commonly hosted on a Slave or Print spooler server. SafeCom has no visibility of this data until it reaches the pull print queue. In most cases, this will be unencrypted.

Release data

Release data refers to the data flowing from the server or client machine to the MFD. By default, this data is not encrypted as it will be decrypted by the server or client machine hosting the file before transferring to the MFD, even with a pull print solution such as SafeCom.

Enabling End to End Encryption

As control and file data are always encrypted, the focus is on submission and release data types. If you need to ensure end to end encryption is enabled in your SafeCom environment, contact Betasoft and get your system health check booked in.

Free SafeCom Guide

Why not download our free SafeCom Guide? It runs through everything you need to know and how it can add more value to your business.