50-1000000-01
MAY 28, 2014
ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL
HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN
CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO
BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY
FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE
CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER
HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A
RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT
BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD
PARTY SHALL BE BINDING ON VORMETRIC.
Protected by U.S. patents:
6,678,828
6,931,530
7,143,288
7,283,538
7,334,124
Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that
the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2
database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database
directly.
Contents
3 Host Protection ... 15
Protected Host Overview ... 15
Add the protected host names to the DSM database ... 15
Switch to the domain where you want to create the access policy ... 16
Document Draft Version 0.4
PREFACE
This guide describes:
How to set up and configure the Vormetric Data Security Platform (VDS Installation and
Configuration Road Map on page 4).
The essential features, concepts and high-level architecture of the VDS Platform.
Instructions for how to protect your data on a cloud or on-site host machine (Data Encryption
and Protection on page 28).
How to set up automatic DSM backup (DSM Backup and Restore on page 52).
How to set up an HA cluster for DSM (Clustering the DSM for High Availability on page 60).
This book is intended to teach you how to quickly use the Vormetric Data Security Platform
(VDS Platform) to secure sensitive data. More detailed information is available in the Vormetric
Data Security User Guide.
SCOPE
This document describes the basic steps to get your VDS Platform up and running.
INTENDED AUDIENCE
The VDS Quick-start Guide is intended for security teams who are setting up the VDS Platform
for the first time.
Assumptions
This document assumes that you have the following:
Vormetric Data Security Manager (DSM)
Linux, UNIX or Windows hosts on which you wish to install the Vormetric Transparent Encryption
Agent to protect your data
VDS documentation (see Related documents on page vi)
This documentation assumes knowledge of network configuration.
RELATED DOCUMENTS
Vormetric Data Security Platform User Guide
Vormetric Data Security Manager Installation Guide
Vormetric Transparent Encryption Agent Installation and Configuration Guide
Vormetric Data Security Release Notes
TYPOGRAPHICAL CONVENTIONS
This section lists the common typographical conventions for Vormetric technical publications.
Typographical Conventions
Usage: commands, arguments, switches, options, variables, elements, properties, objects,
parameters, events
Example: session set appname=
Example: session start iptarget=192.168.253.102
Convention: quotes
Usage: Non-literal symbols
Example: myport, Failover.Port, /usr/bin/, http://server.domain.com:90/
Usage: Text to be replaced
Example: <hostname>
Usage: Emphasis, New terminology, File extensions, Attribute values, Terms used in special senses
Example: .js, .ext; true, false, 0; 1+1 hot standby failover
This chapter describes the features, components and high-level architecture of the Vormetric
Data Security Platform (VDS Platform). It also describes how to log on to the VDS Management
Console. This chapter consists of the following sections:
VDS Installation and Configuration Road Map on page 2
Product Overview on page 1
Management Console Overview on page 3
PRODUCT OVERVIEW
VDS INSTALLATION AND CONFIGURATION ROAD MAP
Use the following road map to install and configure your VDS system.
Prerequisites:
You have received from Vormetric:
DSM device(s)
Agent licenses. A default number of licenses are installed on the DSM devices. If you run out or
the licenses expire, contact Vormetric Customer Support to get more.
VDS documentation (DSM Installation Guide, VDS Users Guide, this VDS Quick-start Guide and
the Windows, UNIX and Linux Release Notes).
You have installed:
UNIX, Linux, or Windows hosts on which you would like to protect data. These hosts conform to
the support matrices in the VDS UNIX, Linux or Windows Release Notes, and they have network
connectivity to the DSM.
MANAGEMENT CONSOLE OVERVIEW
The VDS Management Console is the primary interface to the security features of the VDS
Platform. VDS administrators perform almost all security work through the Management
Console. You can access the Management Console as soon as the DSM has been installed and
configured (see the Data Security Manager Installation Guide). In this section you will do the
following:
2 Enter the default login and password. The default login is admin. The default password is
admin123.
Note: You will be asked to change the default password upon first log in. Remember this new
password or you will not be able to log in again!
The Dashboard window displays.
Install licenses
Upload a license file
1 Get the license file from Vormetric.
2 Log on to the Management Console on the primary server as an administrator of type System
Administrator or All.
3 Select System > License in the menu bar. The License window opens.
4 Click Upload License File. The Upload License File window opens.
Note: If you are in a domain, the Upload License File button is disabled. Click Domain > Exit
Domain.
5 In the License File box, enter the full path of the license file or click Browse to locate and select
the license file.
6 Click Ok.
Change Policy Evaluation/Level to INFO, and check the Policy Evaluation/Log to File/Level
checkbox.
Click Apply and Ok. This is a more useful log preference setting.
Once your DSM is installed and configured, you must 1) create VDS administrator accounts for
the administrators who will be responsible for data security, and 2) create VDS domains
containing the hosts that VDS administrators will protect. Once hosts are added to the
domains, VDS administrators can create encryption keys and policies, assign them to sensitive
data, and perform other data security operations through the Management Console.
This chapter describes Vormetric Data Security (VDS) administrators and domains--what they
are and how to create them. It contains the following sections:
VDS Administrator and Domain Overview on page 7
To create VDS Platform administrators on page 11
Create a VDS Domain on page 13
VDS ADMINISTRATOR AND DOMAIN OVERVIEW
VDS Platform administrators (or simply VDS administrators) manage VDS infrastructure and perform
various security operations to protect sensitive data on hosts. Vormetric recommends not assigning this role
to system administrators of protected hosts. System administrators generally have access to all the
data on all the machines that they administer. To enforce separation of duties, a VDS administrator
should have no access to data or user accounts on any protected host. The VDS
administrator's sole responsibility is to provide data access to those who need it and block data
access to those who don't need it--including system administrators.
The VDS platform allows you to group one or more protected hosts and their associated encryption
keys and policies in a container called a VDS domain. VDS domains allow horizontal separation
of a DSM, where different business units, application teams or geographical locations can share a
DSM without having access to each other's security configuration. The domain is a logical
entity that separates administrators and the data they access from other administrators.
Administrative tasks are performed in each domain based upon each administrator's assigned
type. The benefits of administrative domains are:
Segregation of data for increased security
Separation of responsibilities
No one administrator has complete control over Vormetric Data Security and the data it
protects
VDS administrators
VDS administrators protect data by establishing data access policies, encrypting data, and
auditing data access attempts. VDS administrators are assigned to domains, which are groups
of one or more VDS-protected hosts sharing the same administrators and data security policies.
After initial DSM configuration, you can log in with the default VDS System Administrator account,
admin. It is highly recommended that you use this account to log in to the DSM web console and
create other administrator accounts. After that, you should no longer use the admin account;
use the newly created accounts for any further configuration.
Five types of administrators are provided, each of which is allowed to perform specific administrative
tasks. The administrator types are:
Role: System Administrator
Role: Domain Administrator
Permissions: Add and remove administrators (Domain, Security, All) to and from domains; configure
Security Administrator roles (Audit, Key, Policy, Host, Challenge & Response); configure a syslog
server for application-level messages; view preferences; view logs
Role: Security Administrator
Role: All
Permissions: System, Domain, and Security Administrators combined. Administrators of type All are
deleted from the DSM database upon switching from relaxed to strict domain mode.
By default, an administrator is assigned one administrative type and is allowed to perform the
tasks for that one administrative type only. This approach requires at least three administrators,
each assigned to a different type. Administrator type assignment can also be configured so that
one administrator can perform the tasks of all three administrative types--System, Domain, and
Security administrators. This approach provides less control because one administrator can
administer the entire DSM. Also, a single administrator can be configured to perform the tasks
of a Domain Administrator and Security Administrator combined. The Domain and Security
Administrator can perform every task that a user is allowed to perform from inside a domain. For example,
the Domain and Security Administrator can add users to the domains of which it is a member,
but it cannot create new users.
System Administrator type
The System Administrator type operates outside of domains. It creates domains and assigns
administrators of type Domain Administrator to the domains. Administrators of types Domain
Administrator and Security Administrator operate within those domains. Administrators of type
All can operate both inside and outside of domains. When an administrator of type All enters a
domain, the administrator can perform Domain Administrator and Security Administrator
tasks. When an administrator of type All exits the domain, the administrator can perform
System Administrator tasks.
The default DSM administrator, admin, has a System Administrator type. In this type, the
admin administrator creates additional administrators and domains, and then it assigns one
administrator of type Domain Administrator to each domain.
Domain Administrator type
The Domain Administrator adds additional Domain Administrators to each domain. One
Domain Administrator can be a member of multiple domains. If a Domain Administrator is a
member of multiple domains, it can easily switch between the domains. The Domain
Administrator also adds Security Administrators to a domain and assigns them roles (for
example, Audit, Key, Policy, Host, and/or Challenge & Response) that are applied only within
that domain.
The System Administrator creates domains but does not operate within them; however, all
tasks performed by the Domain Administrator and Security Administrator occur within
domains. The Domain Administrator and Security Administrator must always know what
domain they are in before performing any task. If you log in as a Domain Administrator or a
Security Administrator, and you notice that the administrator, host, or log data is wrong, you
are most likely in the wrong domain.
TO CREATE VDS PLATFORM ADMINISTRATORS
This section describes how to create VDS administrators. A default VDS Administrator called
admin is already created. Additional administrators are required to perform duties that admin
cannot.
2 Click Administrators.
The Administrators window opens listing all the administrators for this DSM.
Note: The first time you log in to the Management Console on a newly created VDS
Administrator account, you will be prompted to change its password. You will not be allowed to
use the same password that you enter here. If you have a specific password you want to use, do
not enter it here as you will have to change it at first login.
5 Click Ok. A new Vormetric Administrator is created.
CREATE A VDS DOMAIN
A VDS domain is a group of one or more VDS-protected hosts under the control of an assigned
VDS administrator. Before a protected host can be administered, it must be placed in a domain.
2 On the menu bar click Domains > Manage Domains to bring up the Manage Domains window.
4 Under the General tab, fill in a Domain Name. For example, Marketing_Domain. The next two
fields are optional. Description identifies the domain. Help Desk Information is the phone
number to call to get the response string for challenge-response authentication. If you leave this
box empty, the default message is Please contact a Security Server administrator for a
response.
5 Click Ok to create the new domain.
6 Click the Assign Admin tab to assign a VDS administrator. You can assign an administrator
anytime after the domain is created. Note that you will not be able to switch to, or access, the
domain until you assign an administrator.
7 After the domain is created and has an administrator, you can add hosts to it. See Add the
protected host names to the DSM database on page 11 and Install the Agent on the Host on
page 14.
HOST PROTECTION
A host is a machine that stores your sensitive data. A protected host contains a VTE agent that
downloads the data protection policies and encryption keys from the DSM. The agent enforces
those policies and encrypts data as specified.
This chapter describes how to create protected hosts. It consists of the following sections:
Protected Host Overview on page 15
Add the protected host names to the DSM database on page 15
Install the Agent on the Host on page 19
PROTECTED HOST OVERVIEW
Before you can create protected hosts, you must have a working DSM and your hosts must have
network connectivity to the DSM. The steps for creating protected hosts are:
Add the protected host names to the DSM database (Add the protected host names to the DSM
database on page 15).
Install the VTE Agent on the host and register them with the DSM. See Vormetric Transparent
Encryption Agent Installation and Configuration Guide.
Add encryption and access policies to specific directories on the host (VDS Policies on page 15).
ADD THE PROTECTED HOST NAMES TO THE DSM DATABASE
Your host names must be added to the DSM database before the VTE agent can be installed on them and
their data protected. This section describes how to do this. To add a host to the DSM
database, you will need the host's name, Fully Qualified Domain Name (FQDN--54 character
max) or IP address.
Switch to the domain where you want to create the access policy
1 Log on to the Management Console as a Security Administrator with Key and Policy roles or as an
administrator of type All.
2 Switch to the domain containing the host you wish to protect. Click Domains > Switch Domains
3 Select the domain that will contain the protected host and click Switch to domain. The domain
in which you are working is displayed in the upper right corner of the Management Console. A
domain was created in Create a VDS Domain on page 13.
then the user will be given a challenge string to provide to the Security Administrator, who will
use the string to generate a dynamic password. Select Generate.
Description: Optional. Enter text to identify the host or its function. Limited to 256 characters.
Registration Allowed Agents: Select the agents that will run on the host system. Depending on
your license, your choices are FS (file system), Key (for Oracle database or Microsoft SQL TDE)
and DB2 (backup). You must select the agents here before you can register that agent with the
DSM.
License Type: Choose the type of license that will run on this host. Options are Perpetual,
Term, and Hourly, depending on the system license.
4 Click Ok. You are returned to the Hosts window.
5 Click the hostname link that you just added to the DSM database. This brings up the General tab
of the Edit Host window. Make sure the Communication Enabled checkbox is checked for all
agent types registered.
INSTALL THE AGENT ON THE HOST
Once your hostnames are added to the DSM database, you can install the VTE agent on the
host and register it with the DSM. See the Agent Installation and Configuration Guide. After
installing and registering your VTE agent on your host, you can create policies to protect its
data. See VDS Policies on page 15.
The Hosts window with protected hosts is shown below.
VDS POLICIES
This chapter describes data security policies and how to create them. You will create a policy
that will be used in subsequent chapters. This chapter contains the following sections:
Policy Overview on page 21
Creating encryption keys on page 23
Creating the Basic Encryption Policy on page 26
Creating the initial operational policy on page 31
Creating GuardPoints: Applying policies to directories on page 39
POLICY OVERVIEW
The VDS Security Administrator creates policies to protect data. Policies employ two
mechanisms to do this:
Data encryption. Policies can specify that data written to a particular directory (called a
GuardPoint) is encrypted. That data can only be decrypted by specified users. Anyone else who
tries to access it will only get useless encrypted data.
Access control. Policies can specify which users can access which files and directories in a
GuardPoint. Policies can furthermore specify which executables, and actions can be used and at
what times.
Thus, policies govern access to, and encryption of, the files in Vormetric-protected directories
called GuardPoints. Furthermore, policies can enable auditing such that each time a user
accesses a GuardPoint, a log message is created with all the details.
A VDS policy itself consists of a set of rules that control how GuardPoint data can be accessed
by users and processes. Each rule consists of five criteria and an effect:
Criteria:
Resource
User: Specifies which user(s) or groups can access protected data. Default is All.
Process
When: Specifies the time range when protected data can be accessed. Default is All.
Action: Specifies the allowed action(s) on the protected data. Example: read, write, remove,
rename, make directory. Default is All.
Every time a user or application attempts to access a GuardPoint file, the access attempt passes
through each rule of the policy until it finds a rule where all the criteria are met. When a rule
matches, the Effect associated with that rule is enforced. Effect can have the following values:
Permit or Deny - Specifies whether access to protected data is permitted or denied.
Apply Key - Specifies that data going in or coming out of a GuardPoint be encrypted.
Audit - Specifies that data access attempts be recorded and logged.
A criterion field that is left blank specifies a value of All. Thus, if User is blank, the rule applies to
all users; if When is blank, the rule applies to all times; if Process is blank, the rule applies to all
executables, and so on. Effect can never be blank. It must have at least a Permit (allow access)
or Deny (deny access).
Rules are evaluated much like firewall rules; they are evaluated in order, from first to last, and
evaluation stops when a match is made on a given rule. Therefore, it is important to carefully
order a policy's rules to achieve the desired result.
Note: We recommend creating policies that follow the model of PERMIT ALL EXCEPT, as it is
generally easy to create and understand, and accommodates most circumstances.
Policy creation
The rest of this chapter describes how to create policies. Two specific policies are
described: the Basic Encryption Policy and the Initial Operational Policy.
The Basic Encryption Policy simply encrypts data written to a GuardPoint, and decrypts it when
it is accessed from the GuardPoint directory by an authorized user (a user with directory-read
permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable
data. This is described in Creating the Basic Encryption Policy on page 26.
The initial operational policy is designed to encrypt the data and also control user access. The
initial operational policy audits all GuardPoint activity and provides a detailed log of access and
usage. By studying the audit log, the Security Administrator can tune the policies to limit which
users have access to the decrypted data, as well as what executables and actions they can use.
See Creating the initial operational policy on page 31.
Before either of these policies is created, you must create encryption keys. See Creating
encryption keys on page 23.
CREATING ENCRYPTION KEYS
Encryption keys encrypt and decrypt data. Once encryption is applied, you must keep track of
the encryption keys that you are using. Encrypted data is unusable without the proper keys.
A key's attributes and the policies you apply to a host determine whether a constant connection is
required between the DSM and File System Agent. Hosts with their keys Stored on DSM Server
require a constant connection to the DSM. As long as the DSM and host are connected, the
policies stay in effect. When the network connection is interrupted, users cannot access
encrypted data. Users can resume access after the network connection is re-established.
Hosts with the keys Cached on Host are a different matter. The policies stay in effect as long as the
DSM and host are connected. When the network connection is interrupted, data access is
interrupted, however users can still access encrypted data by requesting a temporary password
from a security administrator.
See the VDS Users Guide for more details.
the host and DSM. All hosts using the same encryption key can access encrypted data on other
hosts that use the same key. The Unique to Host checkbox is displayed when Cached on Host is
selected.
Unique to Host: When enabled with Cached on Host, makes the encryption key unique. The
key is downloaded to the host, encrypted using the host password, and stored. These keys are
used for locally attached devices, as files encrypted by them can only be read by one machine.
Do not enable this checkbox for cloned systems, RAID configurations, clustered environments,
or any environment that utilizes host mirroring. Requires that Key Creation Method is set to
Generate.
Key Creation Method: Select to generate a key using a random seed (Generate) or by Manual
Input.
Expiry Date: Date the key expires.
Key Refreshing Period (minutes): Used only with the Oracle Database TDE and Microsoft SQL
Server TDE Key Agent. Minutes you want the key in the local key cache before it is refreshed.
Example:
Name: SALES_PROD_KEY_AES256_2014-04_2
Description: Key for Sales Dept.
Algorithm: AES256
CREATING THE BASIC ENCRYPTION POLICY
The Basic Encryption Policy encrypts data written to a GuardPoint and decrypts it when it is
accessed from the GuardPoint directory by an authorized user (a user with directory-read
permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable
data.
The Basic Encryption Policy consists of a single rule:
Rule 1 specifies that data written to a GuardPoint is encrypted, and that any user with access to
the GuardPoint directory can access the decrypted data.
The rest of this section describes how to create the Basic Encryption Policy.
Create policy
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the Basic Encryption Policy. See Creating encryption keys on
page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
there are two policies.
4 Click Add Online Policy to create a new policy. The Add Online Policy window opens. Enter a
name and optional description for your policy. In our example we use the name basic-encryption-policy.
5 Click Add in the Security Rules panel. The Add Security Rule window opens.
6 Click Effect. The Select Effect window opens. Select Permit (permit user access) and Apply Key
(encrypt data written into the GuardPoint).
7 Click Select Effect. The Edit Security Rule window opens with Effect defined. Click Ok. The Edit
Online Policy window opens with Rule 1 added.
3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
Resource field is optional. It opens the Resource Set List window from which you can select or
create the resource set whose members are to be encrypted. See VDS Users Guide for details.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.
5 Click Ok. The basic-encryption-policy is created. When you apply this policy to a
directory, that directory becomes a GuardPoint: the policy encrypts data copied into the
GuardPoint and decrypts data accessed from it.
CREATING THE INITIAL OPERATIONAL POLICY
An initial operational policy is often the first data security policy applied to a GuardPoint. The
initial operational policy described here:
Encrypts all data written into the GuardPoint.
Decrypts the GuardPoint data for any user who attempts access.
Audits and creates log messages for every GuardPoint access.
Reduces log message noise so you can analyze the messages that are important to you for
tuning this policy.
In a common VDS deployment you apply the initial operational policy to a GuardPoint, write
your sensitive information into the GuardPoint directory so that it is encrypted, and direct data
users to this new directory. Over time you analyze the audit messages to assess who accesses
protected data and how. You then tune the initial operational policy to limit access and
decryption to only those who need it, using only appropriate executables, exercising only the
appropriate actions (read, write, modify and so on) and at the appropriate times.
The initial operational policy described here consists of two rules:
Rule 1 specifies that all users can read the attributes and properties of any file and directory in
a GuardPoint. The purpose of this rule is to reduce excessive log messages so you can analyze
log files without excess noise.
Rule 2 specifies that files written in the GuardPoint are encrypted, that all users have unlimited
access to the decrypted files, and that every operation is audited.
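The rule-evaluation model from Policy Overview (rules checked first to last, the first full match decides, blank criteria mean All, Effect made of Permit/Deny plus optional Apply Key and Audit) and the two policies described in this chapter, as an added Python illustration. This is not Vormetric code and uses no VDS API: the Rule, Access and Decision classes, evaluate(), make_access(), the user names, executables, time window and the "tuned" PERMIT ALL EXCEPT policy are all constructed here, and the default deny when no rule matches is an assumption not stated in this chapter. The learn_mode flag models the Learn Mode behaviour described later in the procedure (would-be denials are permitted and logged).

```python
"""
First-match evaluation of VDS-style security rules.

Added illustration, not Vormetric code: Rule/Access/Decision, evaluate() and
the three policies below are constructed from this chapter's descriptions.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple

# Effect values named in the guide: Permit or Deny, Apply Key, Audit.
PERMIT, DENY, APPLY_KEY, AUDIT = "permit", "deny", "apply_key", "audit"


@dataclass
class Rule:
    """One security rule. A criterion left as None means All, as the guide states."""
    name: str
    effect: Set[str]                          # must contain PERMIT or DENY
    users: Optional[Set[str]] = None          # User criterion (users or groups)
    processes: Optional[Set[str]] = None      # Process criterion (executable path)
    actions: Optional[Set[str]] = None        # Action criterion (read, write, f_rd_att, ...)
    when: Optional[Tuple[time, time]] = None  # When criterion: inclusive time-of-day window

    def __post_init__(self) -> None:
        # Effect can never be blank: it needs at least Permit or Deny.
        if not ({PERMIT, DENY} & self.effect):
            raise ValueError(f"rule {self.name}: Effect must include Permit or Deny")


@dataclass
class Access:
    """One attempt by a user/process to perform an action on GuardPoint data."""
    user: str
    process: str
    action: str
    at: time


@dataclass
class Decision:
    rule: Optional[str]                 # name of the matching rule; None if nothing matched
    permitted: bool
    apply_key: bool                     # data is encrypted on write / decrypted on read
    audited: bool                       # a log message is produced for this access
    learn_mode_override: bool = False   # True when Learn Mode turned a Deny into Permit


def make_access(user: str, process: str, action: str,
                hour: int = 12, minute: int = 0) -> Access:
    """Convenience constructor so callers need not build datetime.time themselves."""
    return Access(user, process, action, time(hour, minute))


def _matches(rule: Rule, a: Access) -> bool:
    """Every criterion must match; a None criterion matches anything."""
    if rule.users is not None and a.user not in rule.users:
        return False
    if rule.processes is not None and a.process not in rule.processes:
        return False
    if rule.actions is not None and a.action not in rule.actions:
        return False
    if rule.when is not None:
        start, end = rule.when
        if not (start <= a.at <= end):
            return False
    return True


def evaluate(policy: List[Rule], a: Access, learn_mode: bool = False) -> Decision:
    """Walk the rules first to last; the first rule whose criteria all match decides."""
    for rule in policy:
        if not _matches(rule, a):
            continue
        permitted = PERMIT in rule.effect
        override = False
        if not permitted and learn_mode:
            # Learn Mode: an access that would be denied is permitted instead and logged.
            permitted, override = True, True
        return Decision(rule.name, permitted, APPLY_KEY in rule.effect,
                        AUDIT in rule.effect or override, override)
    # Assumption (not stated in this chapter): an access matching no rule is denied.
    return Decision(None, False, False, False)


# Basic Encryption Policy: a single rule, Permit + Apply Key, every criterion All.
BASIC_ENCRYPTION_POLICY = [Rule("rule1", {PERMIT, APPLY_KEY})]

# Initial operational policy: rule 1 lets attribute/security reads through unaudited
# (less log noise); rule 2 encrypts, permits everyone and audits every operation.
INITIAL_OPERATIONAL_POLICY = [
    Rule("rule1", {PERMIT}, actions={"f_rd_att", "f_chg_sec", "d_rd_att", "d_rd_sec"}),
    Rule("rule2", {PERMIT, APPLY_KEY, AUDIT}),
]

# A constructed PERMIT ALL EXCEPT tuning of that policy (user and window are made up):
# the narrow Deny rules must precede the catch-all, or they are never reached.
TUNED_POLICY = [
    Rule("deny-after-hours", {DENY, AUDIT}, when=(time(20, 0), time(23, 59, 59))),
    Rule("deny-contractor-write", {DENY, AUDIT},
         users={"contractor"}, actions={"write", "remove", "rename"}),
    Rule("permit-all", {PERMIT, APPLY_KEY, AUDIT}),
]

if __name__ == "__main__":
    for label, policy in [("basic", BASIC_ENCRYPTION_POLICY),
                          ("operational", INITIAL_OPERATIONAL_POLICY),
                          ("tuned", TUNED_POLICY)]:
        for a in (make_access("alice", "/bin/ls", "d_rd_att"),
                  make_access("contractor", "/usr/bin/vi", "write"),
                  make_access("alice", "/bin/cat", "read", hour=21)):
            print(label, a.user, a.action, evaluate(policy, a))
```

Reversing TUNED_POLICY shows why ordering matters: the catch-all then matches every access first and the Deny rules are dead, which is the same mistake the guide warns about with its firewall-rule comparison. The Learn Mode path is where the audit log for tuning comes from: a rule that would deny still names itself in the Decision, so the log tells you which rule to loosen before you switch Learn Mode off.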
The rest of this section describes how to create the initial operational policy.
Name Policy
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the initial operational policy. See Creating encryption keys on
page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
there are two policies.
4 Click Add Online Policy. The Add Online Policy window opens.
5 Enter a name and optional description for your policy. In our example we use the name basic-access-policy. Select Learn Mode.
Learn Mode permits a policy to be tested without actually denying access to resources. In Learn
Mode, all actions that would have been denied are instead permitted. These actions are logged
to assist in tuning and troubleshooting policies. The Learn Mode is highly recommended for
policies that restrict by application (process), as many applications use multiple binaries that
may not be known to the creator of the policy at time of creation. See the Vormetric Data
Security Platform Users Guide for details.
Enabling Learn Mode stops the policy from enforcing its deny rules, but the agent still tracks
each attempt that matches any security rule in the policy. A Deny effect must include Apply Key
when Learn Mode is enabled, because the access will in fact go through and the data must be
decrypted for it. Each access attempt that matches a security rule generates a warning; the
warning is sent as a log message and can be viewed in the Management Console (if it is
configured to accept Warnings).
6 Click Add in the Security Rules panel.
Create Rule 1
The purpose of this rule is to reduce excessive log messages so you can analyze log files without
excess noise.
1 Select Action in the Add Security Rule window.
2 The Select Action window opens. Select f_rd_att, f_chg_sec, d_rd_att and d_rd_sec.
3 Click Select Action. The Add Security Rule window opens with Action defined.
5 Select Permit (permit GuardPoint access) and then Select Effect. The Edit Security Rule window
opens with Effect defined. Click Ok. The Edit Online Policy window opens with Rule 1 added.
Create Rule 2
5 Select Deny (deny access to GuardPoint), Apply Key (see below) and Audit (create a log entry for
access attempts). Then click Select Effect. The Add Security Rule window opens with Effect
defined. Because the policy is in Learn Mode this Deny is not enforced: every matching access is
permitted, decrypted with the key, and logged as a warning, which is what gives you the audit
trail for tuning. Once Learn Mode is switched off the rule denies as written, so tune the policy
before you do that.
Apply Key - Applies an encryption key to data in a GuardPoint. Data copied into the GuardPoint
is encrypted with the key specified in the Key Selection Rules tab. Data accessed from the
GuardPoint is decrypted using the same key.
6 Click Ok. The Edit Online Policy window opens with Rule 2 added.
3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.
5 Click Ok. basic-access-policy encrypts data copied in and decrypts data accessed from the
GuardPoint.
CREATING GUARDPOINTS: APPLYING POLICIES TO DIRECTORIES
When a policy is applied to a directory, that directory is called a GuardPoint. This section
describes how to create GuardPoints.
3 Click on the protected host name in blue where you will create the GuardPoints. The Edit Host
screen opens.
4 Click the Guard FS (File System) tab. The host's GuardPoints, if any, are displayed. Click Guard to
create a new GuardPoint.
For Policy, choose the policy name you want to apply to the directory. For example, basic-encryption-policy or basic-access-policy.
For Type, use Directory (Auto Guard) for directories.
For Path, enter the GuardPoint directory. For example, /vipdata for Linux and UNIX hosts or
c:\Users\Marketing1\vipdata for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.
6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens with the new
GuardPoint.
A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
turns green. This may take up to 30 seconds. The policy is now activated and the GuardPoint is
protected.
By now, you have set up your DSM, created VDS administrators, installed agents on your
protected hosts, and created an initial operational policy. This chapter describes how to encrypt
your sensitive data and tune your data protection policy to prevent unwanted access. This
chapter contains these sections:
Data Protection Overview on page 43
Determine encryption method on page 44
Using the Copy or Restore encryption method on file systems on page 46
Using the Copy or Restore encryption method on block devices on page 48
Using dataxform to encrypt your data on page 52
Viewing the audit logs on page 62
Tune the Policies on page 64
DETERMINE ENCRYPTION METHOD
VDS provides three encryption methods: the Copy, Restore, and dataxform methods. The
optimal method depends on three things: 1) Whether you are encrypting data on a block
device or directory; 2) the amount of disk space you have; 3) speed of your backup devices.
Note: Whichever method you select, it is essential that you have a good backup of the data
before you encrypt it.
In this example (the Restore method), users access a number of databases on the protected
host. To protect \database-3, first block user access to it, create a GuardPoint on \database-3,
and then restore the backup data from the backup media into \database-3. This method requires
no extra disk space, and the speed of encryption depends on the speed of the restore. Slower
backup media, like tape drives, will result in a slower encryption speed.
In this example (the Copy method), users access a number of SQL databases on the protected
host. To protect \mssql\data\3 you block access to the directory, rename it to \mssql\data\3-OLD,
create a new \mssql\data\3 directory, block access to it, create a GuardPoint on it, copy the data
in \mssql\data\3-OLD to \mssql\data\3, and then open access to \mssql\data\3. This method
requires additional free disk space at least as large as \mssql\data\3-OLD, and the speed of
encryption depends on the speed of the copy.
Note: Completing this process can take considerable time, and if you have less than 10GB of
data, it may be better to simply encrypt with dataxform rather than estimate the time.
Here's an overview of the dataxform method:
1 Block all access to the directory containing the sensitive data.
2 Create a dataxform policy for the GuardPoint on this directory.
3 Run dataxform on the directory. After completion, the data in the GuardPoint is encrypted.
4 Remove the dataxform policy on the GuardPoint and replace it with an operational policy.
5 Open access to the directory.
USING THE COPY OR RESTORE ENCRYPTION METHOD ON FILE SYSTEMS
The process for using the Copy or Restore encryption method on file systems is as follows:
Note: If you apply an encryption GuardPoint to a directory that already contains files, those files
remain unencrypted on disk. However, when you access them through the GuardPoint the agent
applies the key to them as if they were encrypted, so they come back as unreadable data. The
only way to access those files in an unencrypted state is to disable or remove the GuardPoint.
This is why the Copy and Restore methods start from an empty guarded directory, and why
dataxform exists for encrypting files in place.
Prerequisites
1 Verify that there is a good backup of the data to be encrypted. This step is vital.
2 Stop ALL access and services to the data to be encrypted. Make sure no processes, services or
users are currently accessing the data.
3 Make sure you have enough empty storage space to copy the data.
USING THE COPY OR RESTORE ENCRYPTION METHOD ON BLOCK DEVICES
The process for using the Copy or Restore encryption method on block devices and raw disks is
much the same as with file systems. The basic procedure is as follows:
Create an encryption policy.
Apply the initial operational policy to a block device on the protected host.
Copy the files to be encrypted into the GuardPoint.
Test, monitor and tune the policy.
Note: If you apply an encryption GuardPoint to a device or directory that already contains data,
that data remains unencrypted on disk. However, when you access it through the GuardPoint the
agent applies the key to it as if it were encrypted, so it comes back as unreadable data. The only
way to access that data in an unencrypted state is to disable or remove the GuardPoint.
For detailed information see the VDS Users Guide.
Prerequisites
1 Verify that there is a good backup of the data.
2 The block device must be new or clean as all existing data will be unusable.
3 Stop ALL services and access to the block device to be encrypted.
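The "stop ALL access" prerequisite above (the same step precedes a file-system copy and a dataxform run) is easy to state and hard to confirm by eye: one forgotten daemon holding a file open means a corrupted copy or a skipped file. The following check is an added example, not part of the Vormetric product. It assumes a Linux host where /proc/<pid>/fd and /proc/<pid>/cwd can be read for the processes you care about (run it as root to see every process), and it works for both a directory and a block device such as /dev/sda1.

```python
from __future__ import annotations
import os
import tempfile

# Added pre-flight check for the "stop ALL access" prerequisite, not part of
# the Vormetric product. Assumption: Linux, with /proc/<pid>/fd and
# /proc/<pid>/cwd readable for the processes of interest (root sees all).


def open_handles_under(target: str, proc_root: str = "/proc") -> list[tuple[int, str, str]]:
    """Return (pid, kind, path) for every open file descriptor or working
    directory, of any process this account may inspect, that resolves to a
    path at or below target. A block device matches when target is its path."""
    target = os.path.realpath(target)
    hits = []
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        pid = int(entry.name)
        links = [("cwd", os.path.join(entry.path, "cwd"))]
        try:
            fd_dir = os.path.join(entry.path, "fd")
            links += [("fd", os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:            # another user's process, or it exited meanwhile
            continue
        for kind, link in links:
            try:
                path = os.readlink(link)
            except OSError:
                continue
            if path == target or path.startswith(target + os.sep):
                hits.append((pid, kind, path))
    return hits


def ready_for_cutover(target: str) -> bool:
    """True only when no inspectable process holds anything under target open."""
    return not open_handles_under(target)


def self_check() -> tuple[bool, bool]:
    """Demonstrate the check on a throwaway directory (constructed sample):
    hold a file open, then release it. Returns (seen_while_open, seen_after)."""
    with tempfile.TemporaryDirectory() as d:
        d = os.path.realpath(d)
        fname = os.path.join(d, "vipdata.txt")
        with open(fname, "w") as fh:
            fh.write("constructed sample data\n")
            seen_open = any(p == fname for _, _, p in open_handles_under(d))
        seen_after = any(p == fname for _, _, p in open_handles_under(d))
    return seen_open, seen_after


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/vipdata"
    for pid, kind, path in open_handles_under(target):
        print(f"pid {pid} still has {kind} -> {path}")
    print("ready" if ready_for_cutover(target) else "NOT ready")
```

The check is a confirmation, not a substitute for stopping the services: it cannot see a file that was mapped and then closed, and a non-root run cannot inspect other users' processes, so an empty result from an unprivileged account proves little.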
GuardPoints to the individual host. It defeats the purpose of a host group when you add
GuardPoints to an individual host. If you want to apply GuardPoints globally to a set of hosts,
configure the GuardPoints in a host group.
Partitions are identified by their device name. Device names for partitions vary between
platforms.
3 Click on the protected host name (block device) in blue where you will create the GuardPoints.
The Edit Host screen opens.
4 Click the Guard FS tab. The host's GuardPoints, if any, are displayed. Click Guard.
For Policy, choose the name of the initial operational policy you created in Creating the Initial
Operational Policy (IOP) on page 17. In our example, the name of the initial operational policy
is basic-access-policy.
For Type, choose the device type that fits the OS and Storage system. For Windows choose Raw
or Block Device (Auto Guard). For Linux/UNIX choose Raw or Block Device (Auto Guard) or
Raw or Block Device (Manual Guard). (Select Raw or Block Device (Manual Guard) for raw
devices that are to be manually guarded and unguarded in order to failover to a different node
in a cluster. See the VDS Users Guide for more information.)
For Path, enter the device to guard. For example, /dev/sda1.
You can also click Browse; for this type the Remote File Browser lists block devices. Click the
plus symbol (+) next to a folder to display the next level of the partition hierarchy. Click the
minus symbol (-) to collapse the hierarchy. Click a partition name.
Inactive partitions are displayed. Open partitions are not displayed, nor are currently guarded
partitions.
Note that third-party applications can open raw devices in obscure ways; causing the Remote
File Browser to ignore, and not display, supposedly inactive devices. For example, inactive raw
devices in the Oracle dbca disk discovery path are not displayed in the Remote File Browser,
even when the devices are not assigned to a disk group. If /dev/sd* is configured in the dbca
disk discovery path, and dbca is running, inactive /dev/sd* devices are not displayed in the
browser. This is because the devices are kept open by the oracle process. To get around the
problem in this example, close dbca and open the browser again. The devices are free,
displayed in the browser, and available for selection.
6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens.
A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
turns green. This may take up to 30 seconds. The policy is then activated and the GuardPoint is
protected.
7 Repeat this process for each block device you wish to protect.
8 Make sure that the applications and services access the newly created Vormetric device.
Vormetric encrypted raw or block devices are accessed using the directory:
/dev/secvm/dev/xxxxx where xxxxx is the original device name.
Document Draft Version 0.4
9 Copy or restore the data into the newly created devices. Use the appropriate method to copy or
restore the data into the encrypted device.
10 Start all services and restore access to the data that is now fully encrypted. The initial
operational policy allows all users to decrypt the data.
11 Start application testing and inform application teams that systems are ready for use.
In theory everything should work exactly as before; nevertheless, monitor the situation with your
users.
12 Test and monitor systems. Monitor DSM Logs for messages. Check for LEARN_MODE or ALARM
messages in the DSM log files.
13 Tune policies as required. (See Viewing the audit logs on page 62.)
USING DATAXFORM TO ENCRYPT YOUR DATA
dataxform is used to encrypt files in place. It does not work on block devices. The process for
using dataxform is as follows:
Create a dataxform policy.
Create GuardPoints by applying the dataxform policy to the folders containing the files to be
encrypted.
Run dataxform --rekey to encrypt the data in each folder.
After dataxform --rekey completes successfully, run dataxform --cleanup to clean up the
dataxform process.
Remove the dataxform policy and apply the initial operational policy.
Test, monitor and tune the initial operational policy.
Note: The dataxform instructions here only touch on its full usage. For detailed information
see the VDS Users Guide.
4 Click Add in the Security Rules panel. The Add Security Rule window opens.
5 Select Action. The Select Action window opens.
6 Select key_op and click Select Action. The Add Security Rule window returns with key_op in
the Action field.
7 Select Effect to bring up the Select Effect window.
8 Select Permit and Apply Key, then click Select Effect. The Add Security Rule window opens.
9 Click Ok. The Add Online Policy window opens with the Security Rule added. Also, the Key
Selections Rules panel and the Data Transformation Rules Panel are displayed.
10 Click Add in the Key Selection Rules panel. The Add Key Rule window opens.
11 Click Key. The Select Symmetric Key window opens. Select clear_key and click Select Key.
12 The Add Key Rule window opens with clear_key selected. Click Ok. The Add Online Policy
window opens with the key rule added. (clear_key tells the agent that the files currently in the
GuardPoint are cleartext; the Data Transformation Rule you add next names the key they are
encrypted to.)
13 Click Add in the Data Transformation Rules panel. The Add Key Rule window opens.
14 Click Key. The Select Symmetric Key window opens. Select the key you created in Create a data
encryption key on page 18, and click Select Key.
15 The Add Key Rule window opens with the Key name entered. Click Ok.
16 The Add Online Policy window opens with the Data Transformation Rule added.
1 Click Hosts > Hosts in the Management Console. The Hosts window opens.
2 Click on the protected host name in blue that contains the directory with the files to encrypt.
The Edit Host screen opens.
3 Click the Guard FS tab. The host's GuardPoints, if any, are displayed. Click Guard.
4 The Guard File System panel opens. For Policy, choose dataxform1. For Type, select Directory
(Auto Guard). For Path, enter the directory with the files to be encrypted. In this example we use
/vipdata for Linux/UNIX hosts or c:\vipdata for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.
5 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens. A red status indicator
means that the policy hasn't taken effect. Click Refresh until the Status turns green. This may
take up to 30 seconds. The policy is now activated and the GuardPoint is ready to run the
dataxform executable.
Note the dataxform command line messages as it encrypts files. Specifically note messages
that list files or folders that are skipped and the reasons why. If a dataxform fails during
transformation, you can usually rerun it and it will resume transformation beginning with the
next file. The only risk is that the file that was in progress during the transformation may have
been corrupted (meaning not completely transformed at the point of failure). The dataxform
log file will contain this information and should be used to identify failed transformations. This
is covered in the VDS Users Guide.
2 If the encryption is successful, run dataxform --cleanup. If it was not successful, do not run this
step.
dataxform --cleanup --gp <directory>
3 Now click Guard to apply operational GuardPoints for each folder that was recently encrypted.
4 The Guard File System panel opens.
For Policy, choose the initial operation policy name you created in Creating the Initial
Operational Policy (IOP) on page 17. In our example, the name of the initial operational policy
is basic-access-policy.
For Type, use Directory (Auto Guard).
For Path, enter the GuardPoint folder. For example, /vipdata for Linux/UNIX hosts or c:\vipdata
for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.
5 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens.
A red status indicator means that the policy hasn't taken effect (it may take a few seconds).
Click Refresh until the Status turns green. This may take up to 30 seconds. The policy is now
activated and the GuardPoint is protected.
6 Start all services and restore access to the data that is now fully encrypted. The initial
operational policy allows all users to decrypt the data.
7 Start application testing and inform application teams that systems are ready for use.
In theory everything should work exactly as before; nevertheless, monitor the situation with your
users.
8 Test and monitor systems. Monitor DSM Logs for messages. Check for LEARN_MODE or ALARM
messages in the DSM log files.
9 Tune policies as required.
VIEWING THE AUDIT LOGS
Once the audit keyword is added to the rules of a policy, VDS audits data access in the
GuardPoint. This section shows how to read the audit records.
Note: To generate the log messages in this section, we created a different environment: a policy
that allows a user called demo-user3 to access a GuardPoint file, /vipdata2/helloworld.txt, with
the more command but blocks access with the cat command.
3 Examine the audit records. Each record has the fields ID, Time, Severity, Source and Message.
In the example record, the ID is CGP2604E (the type of message), the Source is SecFS and the
Severity is ALARM. The Message is made up of the following fragments:
Policy[basic-access-policy]: the policy that governed the access attempt.
User[demo-user3,uid=503,gid=503\demo-user3\]: the user, uid and gid that made the attempt.
Process[/bin/cat]: the executable that made the request.
Action[read_file]: the operation attempted.
Res[/vipdata2/hello.txt]: the resource (file) that was accessed.
Key[AES256-Demo1] (example): the key named in the policy's key selection rule.
Effect[DENIED Code (1U,2P,3M)]: the policy rule that governed the action. Code (1U,2P,3M) means
that rule 1 was not met because it was the wrong User, rule 2 was not met because it was the
wrong Process, and rule 3 was Met.
TUNE THE POLICIES
At this point your data is encrypted, but the current operational policy allows every user on the
host full access to decrypted data. Securing the data is a matter of monitoring the DSM logs to
see who needs access to the data and what type of access they need, then tuning the policies
to allow only the appropriate level of access.
Create Rule 1
The purpose of this rule is to allow User-1 to perform read and write operations on any files or
directories in the GuardPoint, but not access the data in a decrypted state.
1 Select User in the Add Security Rule window. The Select User Set window opens.
2 Click Add. The Add User Set window opens. A User Set is a group of users with similar access
permissions. This group of users will have system administration access permissions. Add the
name SysAdmins to this User Set.
4 Click Ok. The Add User Set window for SysAdmins opens with User-1 added.
5 Click Ok. The Select User Set window opens with SysAdmins added.
6 Select SysAdmins and click Select User Set. The Add Security Rule window opens with the User
field set to SysAdmins.
9 Select Permit (permit GuardPoint access) and Audit (audit accesses), then click Select Effect. The
Add Security Rule opens with the Effect set to Permit, Audit.
10 Click Ok. The Add Security Rule window opens with Effect defined.
11 Click Ok. The Edit Online Policy window opens with Rule 1 added.
Add Rule 2
In this rule User-2 and User-3 can perform all operations on any files or directories in the
GuardPoint, and all data is decrypted.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select User in the Add Security Rule panel. The Select User Set window opens.
3 Click Add. The Add User Set window opens. This group of users will have full operation access
permissions. Add the name FullOps to this User Set.
4 Click Add. The Add User window opens.
5 Enter User-2 and click Ok. The Add User Set window opens.
6 Click Add again. The Add User window opens. Enter User-3 and click Ok. The Add User Set
window opens with User-2 and User-3 added to the User Set.
7 Click Ok. The Select User Set window opens with FullOps added.
8 Select FullOps and click Select User Set. The Add Security Rule window opens with the User field
set to FullOps.
9 Select Action. The Select Action window opens.
10 Select all_ops, then click Select Action. The Add Security Rule window opens with the Action
field set to all_ops.
11 Click Effect. The Select Effect window opens.
12 Select Permit (permit GuardPoint access), Audit (audit accesses) and Apply Key (apply key to
decrypt data). Then click Select Effect. The Add Security Rule opens with the Effect set to
Permit, Apply Key, and Audit.
13 Click Ok. The Add Online Policy window opens with Rule 2 added.
Add Rule 3
Rule 3 specifies that User-4 through User-7 can only read decrypted data and cannot perform any
write operations.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select User in the Add Security Rule panel. The Select User Set window opens.
3 Click Add. The Add User Set window opens. This group of users will have read-only access
permissions to GuardPoint data. Add the name ReadOnly to this User Set.
4 Click Add. The Add User window opens.
5 Enter User-4 and click Ok. The Add User Set window opens.
6 Click Add again. The Add User window opens. Enter User-5 and click Ok. The Add User Set
window opens with User-4 and User-5 added to the User Set.
7 Repeat this process for User-6 and User-7.
8 Click Ok. The Select User Set window opens with ReadOnly added.
9 Select ReadOnly and click Select User Set. The Add Security Rule window opens with the User
field set to ReadOnly.
10 Select Action. The Select Action window opens.
11 Select read, then click Select Action. The Add Security Rule window opens with the Action field
set to read.
12 Click Effect. The Select Effect window opens.
13 Select Permit (permit GuardPoint access), Audit (audit accesses) and Apply Key (apply key to
decrypt data). Then click Select Effect. The Add Security Rule opens with the Effect set to
Permit, Apply Key, and Audit.
14 Click Ok. The Add Online Policy window opens with Rule 3 added.
Add Rule 4
Rule 4 specifies that all other users are denied access.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Click Effect. The Select Effect window opens.
3 Select Deny (deny GuardPoint access) and Audit (audit accesses). Then click Select Effect. The
Add Security Rule opens with the Effect set to Deny and Audit.
4 Click Ok. The Add Online Policy window opens with Rule 4 added.
3 Select Key. The Select Symmetric Key window opens. Select the key you created earlier and click
Select Key. The Add Key Rule window returns.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.
5 Click Ok. basic-access-policy is added to the Policies window and is ready to be applied to a
GuardPoint.
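The four rules above only behave as intended because of the order they are evaluated in and because Rule 1 deliberately omits Apply Key. The following Python model is an added example, not the Vormetric agent's code; it covers the tuned policy just built, the Learn Mode behaviour from Creating the Initial Operational Policy, and the Code (1U,2P,3M) notation explained in Viewing the Audit Logs. Assumed: rules are tried top to bottom and the first rule whose every set criterion matches decides; U, P and A mark the first unmet criterion (user set, process set, action) and M a match; the named action groups expand as in ACTION_GROUPS; Rule 1's Action step, which is not shown on the page, is all_ops; and the three-rule policy behind the sample audit record is reconstructed from the note in that section.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added model of VDS online-policy evaluation; an illustration, not the
# Vormetric agent's code. Assumptions: first matching rule wins; the code
# records per rule the first failed criterion (U user, P process, A action)
# or M on a match; named action groups expand as below; no match means deny.

ACTION_GROUPS = {
    "all_ops": None,                                   # None: any operation
    "read": frozenset({"read_file", "f_rd_att", "f_rd_sec", "d_rd_att", "d_rd_sec"}),
    "key_op": frozenset({"key_op"}),
}


@dataclass(frozen=True)
class Rule:
    users: frozenset[str] | None = None        # None: any user
    processes: frozenset[str] | None = None    # None: any process
    action: str = "all_ops"
    permit: bool = True
    apply_key: bool = False
    audit: bool = False


@dataclass(frozen=True)
class Decision:
    permitted: bool
    apply_key: bool                     # False: caller gets the bytes as stored
    audit: bool
    code: str                           # e.g. "1U,2P,3M"
    learn_mode_override: bool = False   # a Deny that Learn Mode let through


def evaluate(policy: list[Rule], user: str, process: str, op: str,
             learn_mode: bool = False) -> Decision:
    codes = []
    for n, rule in enumerate(policy, start=1):
        if rule.users is not None and user not in rule.users:
            codes.append(f"{n}U")
            continue
        if rule.processes is not None and process not in rule.processes:
            codes.append(f"{n}P")
            continue
        allowed = ACTION_GROUPS[rule.action]
        if allowed is not None and op not in allowed:
            codes.append(f"{n}A")
            continue
        codes.append(f"{n}M")
        override = learn_mode and not rule.permit
        permitted = rule.permit or override
        # Apply Key only matters on a permitted access. A Deny rule without
        # Apply Key still hands back ciphertext when Learn Mode lets it through,
        # which is why the guide says such rules must include apply_key.
        return Decision(permitted, permitted and rule.apply_key, rule.audit,
                        ",".join(codes), override)
    return Decision(False, False, True, ",".join(codes))


# The four-rule policy from "Tune the Policies". Rule 1's Action step is not
# shown on the page; all_ops is assumed (read and write, but no Apply Key).
SYSADMINS = frozenset({"User-1"})
FULLOPS = frozenset({"User-2", "User-3"})
READONLY = frozenset({"User-4", "User-5", "User-6", "User-7"})
TUNED_POLICY = [
    Rule(users=SYSADMINS, audit=True),                                  # Rule 1
    Rule(users=FULLOPS, action="all_ops", apply_key=True, audit=True),  # Rule 2
    Rule(users=READONLY, action="read", apply_key=True, audit=True),    # Rule 3
    Rule(permit=False, audit=True),                                     # Rule 4
]

# Assumed three-rule policy behind the sample record in "Viewing the audit
# logs": demo-user3 may read through /bin/more but not /bin/cat, and rule 1
# belongs to some other user set.
DEMO_POLICY = [
    Rule(users=frozenset({"demo-user1"}), apply_key=True, audit=True),
    Rule(users=frozenset({"demo-user3"}), processes=frozenset({"/bin/more"}),
         action="read", apply_key=True, audit=True),
    Rule(permit=False, audit=True),
]

if __name__ == "__main__":
    print(evaluate(TUNED_POLICY, "User-1", "/bin/tar", "read_file"))
    print(evaluate(TUNED_POLICY, "User-5", "/bin/vi", "write_file"))
    print(evaluate(TUNED_POLICY, "User-9", "/bin/cat", "read_file", learn_mode=True))
    print(evaluate(DEMO_POLICY, "demo-user3", "/bin/cat", "read_file"))
```

Two things the model makes visible: User-1 backs up and restores files without ever seeing cleartext because Rule 1 matches first and has no Apply Key, and a user outside all three sets is permitted under Learn Mode but receives ciphertext, since Rule 4 was created without Apply Key. If you keep Learn Mode on while tuning, give the final deny rule Apply Key as the guide instructs.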
This chapter describes how to back up and restore the DSM databases. The backup can be used
to restore the hosts, encryption keys, and policies of a DSM after a software crash or for
system changes. This chapter consists of the following sections:
DSM Backup and Restore Overview on page 75
Create a Backup Encryption Wrapper Key on page 76
Backup the DSM on page 79
Restore the DSM from a Backup Image on page 79
Automatic Backups on page 80
This chapter describes the basic elements of DSM backup and restore. For detailed information,
see the Vormetric Data Security Platform User Guide.
DSM BACKUP AND RESTORE OVERVIEW
Vormetric System Administrators can create DSM backups using the Management Console.
Included in a backup are:
Embedded databases
Agent/server certificates
Encryption keys and key groups
Hosts and host groups
Domains
High Availability configuration
Administrators
Policies
Log settings
System-level configuration is not backed up. A system-level configuration includes features like
network and timezone settings. You will have to reconfigure these yourself.
Each backup is encrypted with a wrapping key. You can't take a backup before you create the
backup wrapping key, and you will need the same wrapping key to restore the backup onto
another server.
CREATE A BACKUP ENCRYPTION WRAPPER KEY
DSM backup files are encrypted with a wrapper key to keep them secure. This wrapper key
must be created or imported from a previous create operation before running a backup or
restore. This key is required to restore DSM backups during a recovery or restore operation.
Wrapper keys are broken up into key shares, which are pieces of a wrapper key. Key shares are
divided amongst two or more custodians such that each custodian must contribute their key
share in order to assemble a complete wrapper key. This is also referred to as split key
knowledge or M of N configuration.
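The M of N property described above, that any M custodians together can rebuild the wrapper key while M-1 of them learn nothing, is what makes the custodian split worth doing. The following is an added illustration of that property using textbook Shamir secret sharing over a prime field. It is not Vormetric's share format: the DSM hands each custodian an opaque share string and nothing here describes how that string is built; the 521-bit field, the share encoding as (x, f(x)) points and the 32-byte sample key are assumptions of the example.

```python
import secrets

# Added illustration of the M-of-N (split knowledge) idea behind the wrapper
# key shares, using textbook Shamir secret sharing over a prime field. Not
# Vormetric's share format; the field and encoding are choices of this example.

PRIME = 2**521 - 1   # Mersenne prime; far larger than a 256-bit key


def split_secret(secret: bytes, m: int, n: int) -> list:
    """Split secret into n shares so that any m of them reconstruct it.
    Each share is a point (x, f(x)) on a random polynomial of degree m-1
    whose constant term is the secret; m-1 points say nothing about f(0)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange-interpolate f(0) from the given shares. With fewer than m
    distinct shares the result is a random wrong value, not an error: the
    threshold is enforced by who holds the shares, not by the arithmetic."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares, length: int) -> bytes:
    """recover_secret as a fixed-length key. With too few shares the random
    value almost certainly does not fit in length bytes and this raises."""
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed sample key
    shares = split_secret(key, m=3, n=5)               # 3 of 5 custodians
    print("recovered:", recover_key(shares[:3], 32) == key)
    print("two shares agree with the key:",
          recover_secret(shares[:2]) == int.from_bytes(key, "big"))
```

The practical consequences match the procedure that follows: choose Minimum Custodians Needed with the recovery scenario in mind (three of five survives two people leaving; two of two does not), and treat each custodian's share exactly like the key itself for storage, since only the count of shares, not any secrecy of the polynomial, stands between an attacker and the wrapper key.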
3 From the Operation pull-down select Create, and on the next page, click on Apply to create the
wrapper key. You should see a confirmation message that reads The operation is successful.
4 Select System > Backup and Restore from the menu bar. A green confirmation message appears.
This means that you can proceed.
5 Return to the System > Wrapper Keys menu option and select Export from the Operation pull-down to export key shares.
6 Set a number for both the Minimum Custodians Needed and the Total Number of Custodians
(there should be at least two custodians). The wrapper key value is split into the total number of
shares, and at least the minimum number of them must be presented together to reassemble
the key for a restore.
7 Select the checkbox next to the administrators (custodians) who will control the backup key.
Administrators of type System Administrator and All are listed. Any of these administrators, with
the exception of admin, can be selected as a custodian. Each selected administrator is given one
share of the wrapper key; the share is displayed in their Dashboard window the next time they
log into the Management Console.
8 Click Apply in the bottom right hand corner.
9 Ask each selected administrator to login to the Management Console and view the Dashboard
page. Each will see a unique backup encryption key displayed on the dashboard beneath the
fingerprint for the CA.
The backup key share displayed in the Dashboard window is a toggle. Click the string Backup
Key Share to display the backup key share value. Click the backup key share value to display the
string Backup Key Share.
10 Ask each administrator to securely store a copy of this key share. They will need to provide this
during their role in a DSM restore operation.
BACKUP THE DSM
A backup is a snapshot of a DSM configuration at one point in time. When restored, the DSM
Management Console will contain and display the same information captured at the time the
backup was originally made.
4 Click Save. Save the file to a secure location that you are sure would still be accessible if the
server fails. By default, the file name is in the format Backup_yyyy_mm_dd_hhmm.tar.
5 Keep the backup in a secure location. Access to the backup should be limited to only a few
employees and be audited.
RESTORE THE DSM FROM A BACKUP IMAGE
Important:
Following a restore operation, the DSM configuration in the Management Console is replaced by
the configuration stored in the backup copy.
Any new encryption keys, policies, hosts or guard points added since backup will be overwritten
and lost.
Unless this is a disaster recovery scenario where all appliances were lost, always backup the
current configuration before running a restore operation.
AUTOMATIC BACKUPS
Set up the Automatic Backup feature to protect the configuration settings as well the
encryption keys and policies. To do this, you will need access to a File Server (a Unix or
Windows host) that is network accessible by the DSM to store the backup files.
4 After a successful backup, look in the specified Target Directory on the Target Host to see the
backup files. Example:
backup_config_primary_v4.4.1.0_20120308_2347.data
backup_config_primary_v4.4.1.0_20120308_2347.txt
This chapter describes the steps required to create a High Availability (HA) Cluster between two
or more DSMs. It assumes that there is already a primary server in operation and a failover
server needs to be brought into the cluster (see the Vormetric Data Security Manager
Installation Guide). This chapter consists of the following sections:
HA Overview on page 83.
Configuring a DSM for Failover on page 83.
HA OVERVIEW
Clusters are a staple of any HA environment. DSM appliances are configured as primary
appliances by default. This is not an issue in a standalone environment. However, in a clustered
DSM environment, there can be only one primary DSM at a time. Additional DSMs added to
that environment have to be configured as failover appliances and receive their configuration
from the primary. To make changes to the configuration, a Vormetric System Administrator
connects to the primary server and edits the configuration. The changes then get replicated to
the failover servers.
Replication occurs from the primary to the failover server(s) only. It consists of the latest
configuration database running on the primary server. The configuration database contains all
the policies, host configurations, and keys that are used in the VDS Management Console. Log
files are not part of the replicated information.
To configure HA, you must be a VDS administrator of type System Administrator or All.
An HA Cluster consists of at least two DSM appliances. The first appliance added to the cluster
is the primary. After installing another DSM (see the DSM Installation Guide), ensure that there
is network connectivity between the existing primary and the failover appliance before
configuration.
user>
Primary Security Server system administrator password:
This computer may have multiple IP addresses. All the agents will have
SUCCESS: convert server to failover server. The server is started. Please verify the fingerprint
4 Compare the CA Fingerprint value you see on the screen with the value displayed in the
Dashboard window of the primary server. They should match.
It takes several minutes to completely replicate the primary DSM configuration to the new
failover. Once replication completes, the checkbox should show an entry indicating successful
replication of the configuration (see below).