Getting Started with Transparent Encryption
Vormetric Training 5.2.1
Lab Exercises:
Vormetric Software
© Vormetric Corporation Inc, 2014 Page 2
Contents
Introduction (page 3)
Part 1 Creating users and domains (page 5)
1.1 Add license file (page 5)
1.2 Create super user account (page 9)
1.3 Create the domain and add user to domain (page 10)
Part 2 Adding and registering hosts (page 13)
2.1 Adding hosts to the DSM (page 13)
2.2 Installing and registering agents (page 16)
Part 3 Creating Keys (page 32)
3.1 Create a data encryption key (page 32)
Part 4 Creating Policies (page 35)
4.1 Create a basic Windows policy (page 36)
4.2 Create a basic Linux/Unix policy (page 52)
4.3 Create a basic data transform policy (page 65)
Part 5 Encrypting data (page 74)
5.1 Encrypt Windows data (page 74)
5.2 Encrypt Linux/Unix data (page 83)
Additional Tasks and Questions (page 93)
Introduction
The purpose of this lab is to introduce the general steps of implementing Vormetric Transparent
Encryption (TE), which is a security component of the Vormetric Data Security (VDS) platform.
You will be introduced to each of the following activities:
Creating a domain
Creating users
Creating keys
Creating policies
Registering hosts
Encrypting data
Implementation details, best practices, and troubleshooting of TE implementations will be
covered in future labs.
Lab Architecture
Figure 1 illustrates the overall architecture of the lab.
Figure 1 Lab Architecture
Primary DSM
Hostname = dsm-server-1.voredu.com
eth0 = 192.168.10.10
Data Server (Linux)
Hostname = data-node-1.voredu.com
eth0 = 192.168.10.20
Data Server (Windows)
Hostname = data-node-2.voredu.com
eth0 = 192.168.10.21
VM Image
The virtual machines you will use in this lab are
data-node-1.voredu.com
data-node-2.voredu.com
dsm-server-1.voredu.com
User ID and password list
Table 1 lists the User IDs and passwords used in the lab. You may be prompted to update the
password while performing the lab tasks. You may use a new password of your choosing or
use the recommended password update.
Table 1 User IDs and passwords
Server                   User ID         Default Password   Recommended Update
Web Console              admin           admin123           Admin123!
data-node-1.voredu.com   root            Admin123!
data-node-1.voredu.com   user1           Admin123!
data-node-2.voredu.com   Administrator   Admin123!
Part 1 Creating users and domains
The Vormetric Data Security (VDS) solution uses a separation-of-duties model for user
administration. Users within the VDS solution can be divided into three types:
System administrators
Domain administrators
Security administrators
User administration will be covered in more detail in future lab material. For the purpose of this
lab, you will create a single super user account (superuser) that is able to perform all
administration tasks.
1.1 Add license file
The Data Security Manager (DSM) image is configured with networking and the security server
software has been started. No other modifications have been made so you will be working with
the DSM with a default configuration.
__1. Login to host data-node-1, ID = root, Password = Admin123!
__2. Open the Firefox browser
__3. Login to the management console at https://dsm-server-1.voredu.com, ID = admin, Password = admin123
Note: This will not work until the DSM has fully booted. Check that the DSM is up before attempting to log on. Add and confirm any certificate exceptions the browser raises.
__4. Change the password; the recommended password is Admin123!
__5. Note: Passwords are case sensitive. Password complexity and history are configurable by system administrators.
__6. Install the license file
__a. Select System > License
__b. Click Upload License File
__c. Click Browse, navigate to the desktop, select the license file and click Open
__d. Click Ok to install the license
Note: The license imported for the purpose of this lab is a temporary license and may differ in
expiry date and file name. Customers receive permanent licenses based on their entitlement.
1.2 Create super user account
__1. Click Administrators
__2. Click Add
__3. Type the following information into the corresponding fields
Login = superuser
Description = Super User Account
Password = Temp123!
Confirm Password = Temp123!
User Type = All
Note: The password assigned to the account is only temporary. Upon first login the user is prompted to change it, and the new password cannot be the same as the previous one. If you want to end up with a consistent password, set a temporary password here and change it to your preferred password after login.
__4. Click Ok, to create the user
1.3 Create the domain and add user to domain
A VDS domain is a silo of security. Within a domain you group sets of security objects that
are managed only within that domain (for example: hosts, keys, policies and security
administrators). For the purpose of this lab you will create a single domain, and all your security
administration is done within that domain.
__1. Click Domains
__2. Click Add
__3. Type the following information into the corresponding fields and click Apply
Domain Name = testdomain
Description = Test Domain
__4. Click Assign Admin > select the superuser account > click Ok
__5. The new super user account is now ready to be used.
__6. Click Logout
Part 2 Adding and registering hosts
The communication model of the Transparent Encryption solution is based on encrypted (SSL/TLS)
connections between the Vormetric agent and the DSM. The secure channel uses key pairs (and
their certificates) generated and exchanged when the agent registers with the DSM. The three steps
to enable communication and exchange keys are:
Add a host entry in the DSM
Register the host with the DSM (this step includes the key exchange)
Enable communication
Registration can take place either during the agent install or afterwards with the
registration utility. Registration and key exchange take place over port 8080. Post-registration
communication with the DSM uses the following ports:
o 7024 – DSM to agent communication
o 8443 – Agent to DSM communication
o 8444 – Agent to DSM auditing communication
o 8446 – DSM to agent using EC keys
o 8447 – Agent to DSM using EC keys
o 8448 – Agent to DSM using EC keys
After completing this lab you will be able to install and register Unix and Windows hosts.
2.1 Adding hosts to the DSM
Adding hosts to the DSM configuration is a function of the security Host role.
__1. Login to the management console, ID = superuser, Password = Temp123!
https://dsm-server-1.voredu.com
__2. Change the password when prompted, Old Password = Temp123!, New Password = Admin123!
__3. Switch to the testdomain, click Domains > Switch Domains
__4. Select the testdomain > Switch to domain
Note: When you switch to a domain the domain you are managing appears in the upper right-hand corner of the browser session. Depending on your role you will get varying tabs to perform administration tasks. The superuser security administrator will have all the security administration roles and therefore all the tabs.
__5. Click Hosts
__6. Click Add
__7. Type the following information into the corresponding fields and mark appropriate check boxes
Host Name = data-node-1.voredu.com
Description = Linux Server
Registration Allowed agents = FS
License Type = Term
__8. Click Ok
__9. Click Add
__10. Type the following information into the corresponding fields and mark appropriate check boxes
Host Name = data-node-2.voredu.com
Description = Windows Server
Registration Allowed agents = FS
License Type = Term
__11. Click Ok
Note: There are now two servers that have been added to the DSM configuration. Only the File System Agent (FS Agent) component can attempt registration. The FS Agent component allows for the encryption, access control and auditing of data files on the target host. It is the core functionality of the TE solution.
__12. Log out of root
__13. Log out
2.2 Installing and registering agents
During agent installation the registration process is activated automatically. If for any
reason the registration fails, it is not necessary to reinstall the product: registration can be
attempted again with the registration utility.
2.2.1 Setup firewall rules
If the Linux local firewall is in use, the following rules are needed so that the Vormetric
DSM can contact the agent; otherwise only agent-initiated communication can be used. Make a
copy of the current firewall configuration before changing it.
__1. Login to data-node-1, ID = root, Password = Admin123!
__2. Back up the current rules
iptables-save > /etc/sysconfig/iptables.old
__3. Update the firewall rules using iptables (7024 and 8446 are the DSM-to-agent ports listed in the introduction to Part 2; 8080 is the registration port)
iptables -I INPUT -m state --state NEW -p tcp --dport 7024 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8446 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
__4. Make the changes persist across reboots
iptables-save > /etc/sysconfig/iptables
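The firewall steps above, wrapped as an added example so they can be re-run safely. This is not Vormetric's script: each rule is inserted only if `iptables -C` reports it absent, the existing save file is backed up before it is overwritten, and `--show` prints the rule set for review. Port numbers follow the lab's list (7024 and 8446 DSM-to-agent, 8080 registration). It assumes iptables 1.4.11 or later (needed for `-C`), the `state` match, and the RHEL-style `/etc/sysconfig/iptables` save file; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Vormetric agent: idempotent version of the
# lab's iptables steps for the Linux agent host (data-node-1).
# Assumptions: iptables >= 1.4.11 (for -C), the "state" match, and the
# RHEL-style save file /etc/sysconfig/iptables. Run as root with --apply.

# Ports from the lab's port list: 7024 and 8446 are DSM-to-agent, 8080 is registration.
VTE_INBOUND_PORTS="7024 8446 8080"
IPTABLES_SAVE_FILE="${IPTABLES_SAVE_FILE:-/etc/sysconfig/iptables}"

# Rule specification (chain plus match/target) for one TCP port.
vte_rule_spec() {
    printf 'INPUT -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$1"
}

# All rule specifications, one per line, so the set can be reviewed or diffed.
vte_rule_specs() {
    for p in $VTE_INBOUND_PORTS; do
        vte_rule_spec "$p"
    done
}

# Insert each rule only when it is absent; "iptables -C" exits 0 if the rule exists.
vte_apply_rules() {
    for p in $VTE_INBOUND_PORTS; do
        spec=$(vte_rule_spec "$p")
        # word splitting of $spec is intended: it is a list of iptables arguments
        if iptables -C $spec 2>/dev/null; then
            echo "present: $spec"
        else
            iptables -I $spec || return 1
            echo "added:   $spec"
        fi
    done
}

# Keep a timestamped copy of the previous save file, then persist the running rules.
vte_persist_rules() {
    if [ -f "$IPTABLES_SAVE_FILE" ]; then
        cp -p "$IPTABLES_SAVE_FILE" "$IPTABLES_SAVE_FILE.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    iptables-save > "$IPTABLES_SAVE_FILE"
}

case "${1:-}" in
    --show)  vte_rule_specs ;;
    --apply) vte_apply_rules && vte_persist_rules ;;
esac
```

Run `sh vte-firewall.sh --show` to review the rules and `sh vte-firewall.sh --apply` as root to add and persist them; a second `--apply` reports every rule as present instead of inserting duplicates.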
2.2.2 Install VDS agent on Linux host
__1. Login to data-node-1, ID = root, Password = Admin123!
__2. Note: The FS agent must be installed as root as certain modules and services can only be created by root.
__3. Right-click on the desktop and click Open in Terminal
As an alternative you can open a shell session with a utility like PuTTY.
__4. Change directory to the /software directory
cd /software
__5. Make the file executable
chmod 744 vee-fs-5.2.1-31-rh6-x86_64.bin
__6. Execute the agent installer
./vee-fs-5.2.1-31-rh6-x86_64.bin
__7. Press "q" to jump immediately to the bottom of the agreement
__8. Type "Y" to accept the license agreement
__9. Press Enter to continue with registration
__10. Note: At shell prompts within Vormetric utilities, the choice within the square brackets is the default choice if you press enter.
__11. Type the DSM server name, dsm-server-1.voredu.com, and press Enter
__12. Check the spelling of your entry and press Enter
__13. Press Enter to accept the hostname for this system entered in the DSM
__14. When prompted to associate the agent with the hardware, type "N" to not use this option.
__15. Type "Y" only after confirming that the displayed fingerprints match those of the DSM; this check is what ties the agent to the genuine DSM
The Linux server is now registered with the DSM. Communication will be enabled in a
subsequent section.
2.2.3 Install VDS agent on Windows
__1. Login to data-node-2, ID = Administrator, Password = Admin123!
__2. Run the VDS agent installer
c:\software\vee-fs-5.2.1-40-win64.exe
__3. Click Next to continue the installation
__4. Accept the license agreement, click Next
__5. Click Next to accept the installation directory
__6. Click Install
__7. Click Finish
__8. Click Next to begin registration
__9. Click Next to register the data-node-2.voredu.com
__10. Enter DSM server info, dsm-server-1.voredu.com
__11. Click Register
__12. Confirm the fingerprint for the CA (the DSM), click Yes
__13. Confirm the fingerprint for local certificate, click OK
__14. Click Finish
__15. Click Yes to reboot
2.2.4 Enable communication
As a final step, you need to enable communication with each agent in the DSM.
Warning: Overlooking this step is one of the most common errors made.
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Hosts
Note: The host OS Types are now known.
__5. Click each of the hosts and select Communication Enabled and click Ok
Note: Each host is now enabled for communication.
Part 3 Creating Keys
There are many keys used within the VDS solution. Keys are used to encrypt the internal data
stores, communication between the DSM and the agents, and DSM configuration backups.
Most keys of this type are managed automatically within the system. The keys used to encrypt
your data are known as data encryption keys (DEKs) and require the Key role to administer.
There are a few other key types that can be administered as part of the VDS solution; however,
the use of these key types is not a focus of this lab, and they are secondary use cases to the much
more common use of DEKs.
TE key administration is very simple. A security administrator with the Key role generates a key
with the following attributes:
Key name
Key type
Key length
The actual key value is not known to the key administrator or to any other administrator of the TE
solution. The key is never persisted in the clear.
After completing this section you will be able to create data encryption keys.
3.1 Create a data encryption key
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Keys
__5. Click Add
__6. Type the following information into the corresponding fields and select appropriate values
Name = testkey-AES256-2015
Description = Test AES 256 Key 2015
Algorithm = AES256
Note: It is not necessary to change any of the other fields in most cases.
__7. Click Ok
Note: The key is now ready to be used.
Part 4 Creating Policies
TE is based on controlling access to and encrypting sensitive data files. These files may be data
files within the structured data store of a database, or other data files that reside in the file system
or on file shares.
Guard Points are the points (directories) within the file system where you apply a TE policy.
Once applied, the TE policy governs all access to files within the guard point, including files in
any subdirectory of the guard point.
A TE Policy is a set of rules that govern every IO performed within the guard point's directories.
The IO characteristics are evaluated against the policy's rules, and once a matching policy
rule is found the effect of that rule is applied.
Policy rules
The 5 rule attributes are:
Resource – the file system object (ie. directory or file) being accessed
User – the user ID performing the IO
Process – the executable performing the IO
When – when the IO is taking place
Action – what type of IO is being performed (read, write, create directory)
The rule effects are:
Permit – allow the IO (exclusive to Deny)
Deny – deny the IO (exclusive to Permit)
Apply_key – encrypt or decrypt the IO
Audit – generate an audit record
Table 2 illustrates an example of a working database policy.
Table 2 Database policy
Rule  Resource  User  Process    When  Action  Effect
1                     db_engine               permit, apply_key
2                                       read  permit
3                                             deny, audit
Rules are evaluated in order, and the first rule whose attributes all match the IO has
that rule's effect applied. A blank attribute means "all". Rule 3 is the catch-all
rule because it applies to every IO not handled by the other rules.
Only rule 1 allows the encryption key to be applied (Effect = permit + apply_key), and it is
limited to the DB engine (Process = db_engine). Rule 2 allows reads (Action = read) but does
not apply the key. The overall effect is that only the DB engine can perform all IOs with the
encryption key applied, while for everyone else writes are denied and reads are permitted but
return the stored ciphertext, because the key is not applied.
Resource Sets
The attributes of a policy rule contain sets of objects. For example the db_engine process
attribute is a set of database executables.
After completing this lab you will be able to create basic TE policies and guard points. Creating
policies in more detail and best practices will be covered in more dedicated material.
4.1 Create a basic Windows policy
In this basic Windows policy you will use two IO attributes (user and action) to create simple
rules. You will grant user1 full access to the c:\vipdata directory as well as the ability to
encrypt and decrypt data. Administrator will be granted only read access and will be able
neither to write to the c:\vipdata directory nor to decrypt the files within it.
Note: If you have any issues using your local browser you can use the browser on data-node-
2.voredu.com.
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Policies
__5. Click Add Online Policy
Note: The top section is for the policy rules. The bottom section for the keys to use.
__6. Add the policy details,
Name: test-windows-policy
Description: Test Windows Policy
__7. Click Add, to add a new rule
__8. Click Select next to the Effect to add effects for the rule
__9. Select Deny and Audit and click Select Effect
__10. Click Ok to create the rule
__11. Your policy now has 1 rule.
Note: The way to interpret the new rule is to consider whether each criterion of the rule is true for a given IO. If all the criteria evaluate to true, the rule's Effect is triggered. A blank for a particular criterion means every value of that criterion matches. So this rule, if applied to data, would deny all access to protected data. The way to read the rule is: for all Resources, for all Users, for all Processes, for all Actions, at all times (When), Deny access and generate an Audit event.
__12. Click Add to add an additional rule
__13. Click Select next to the User criteria
__14. Click Add to add a new User set
__15. Type the name of the new user set, user1, click Browse Users
__16. Select the following from the Host Name and Domain dropdown menus and click Ok
Hostname = data-node-2.voredu.com
Domain = DATA-NODE-2
__17. Provide the login credentials to browse the remote host known user lists, Login = Administrator, password = Admin123!
__18. Select user1 and click Ok
__19. Click Ok to finish the user set
__20. Select the user1 user set and click Select User Set
__21. Click Select next to the Effect to add effects for the rule
__22. Select Permit and Apply Key and click Select Effect
__23. Click Ok to create the rule
__24. Your policy now has 2 rules. Rule order is very important. The first rule to trigger an Effect stops the rule evaluation process.
__25. Select the user1 policy rule and click Up
__26. Click Add in Key Selection Rules to add a key rule
__27. Click Select next to the Key entry
__28. Select the testkey-AES256-2015 key and click Select Key
__29. Click Ok to add the key rule
__30. Click Add in the Security rules to add an additional rule
__31. Click Select next to the User criteria
__32. Click Add to add a new User set
__33. Type the name of the new user set, Administrator, click Browse Users
__34. Select the following from the Host Name and Domain dropdown menus and click Ok
Hostname = data-node-2.voredu.com
Domain = Test
__35. Select Administrator and click Ok
__36. Click Ok to finish the user set
__37. Select the Administrator user set and click Select User Set
__38. Click Select next to the Action entry
__39. Select read operations and click Select Action
__40. Click Select next to the Effect to add effects for the rule
__41. Select Permit and click Select Effect
__42. Click Ok to create the rule
__43. Select the Administrator policy rule and click Up
__44. The policy should now look like the following:
__45. Note: The effect of the policy is as follows:
Rule 1 – user1 will be able to perform any action within the guard point, and the encryption key will be applied
Rule 2 – Administrator will have read access within the guard point, but the encryption key will not be applied, so any encrypted data file remains encrypted during a read. Any writes fall through to rule 3 and are denied
Rule 3 – applies to all IO activity not handled by rule 1 or rule 2 and denies the IO
__46. The policy allows user1 full access to the data and uses the encryption key, testkey-AES256-2015, to encrypt and decrypt for user1. Administrator can only read the data and, without the apply_key effect, will see only ciphertext. All other access is denied.
__47. Click Ok to create the rule
4.2 Create a basic Linux/Unix policy
There is no fundamental difference between Linux/Unix policies and Windows policies. The
practical difference is that the privileged accounts will likely be different and the directory structure
for guard points will be different.
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Policies
__5. Click Add Online Policy
__6. Add the policy details,
__7. Name: test-linux-policy
__8. Description: Test Linux Policy
__9. Click Add, to add a new rule
__10. Click Select next to the Effect to add effects for the rule
__11. Select Deny and Audit and click Select Effect
__12. Click Ok to create the rule
__13. Click Add to add an additional rule
__14. Click Select next to the User criteria
__15. Click Add to add a new User set
__16. Type the name of the new user set, user1-linux, click Browse Users
__17. Select the following from the Host Name and Domain dropdown menus and click Ok
Hostname = data-node-1.voredu.com
Domain = data-node-1.voredu.com
__18. Click the arrow to see the next page of users
__19. Select user1 and click Ok
__20. Click Ok to finish the user set
__21. Select the user1-linux user set and click Select User Set
__22. Click Select next to the Effect to add effects for the rule
__23. Select Permit and Apply Key and click Select Effect
__24. Click Ok to create the rule
__25. Select the user1-linux policy rule and click Up
__26. Click Add in Key Selection Rules to add a key rule
__27. Click Select next to the Key entry
__28. Select the testkey-AES256-2015 key and click Select Key
__29. Click Ok to add the key rule
__30. Click Add in the Security rules to add an additional rule
__31. Click Select next to the User criteria
__32. Click Add to add a new User set
__33. Type the name of the new user set, root, click Add
__34. Type root in the uname field and click Ok
__35. Click Ok to finish the user set
__36. Select the root user set and click Select User Set
__37. Click Select next to the Action entry
__38. Select read operations and click Select Action
__39. Click Select next to the Effect to add effects for the rule
__40. Select Permit and click Select Effect
__41. Click Ok to create the rule
__42. Select the root policy rule and click Up
__43. The policy should now look like the following:
__44. Click Ok to create the rule
4.3 Create a basic data transform policy
A data transform policy is used for one specific purpose, to encrypt data. After the data is
encrypted a “runtime” policy is applied to govern regular access to the data files. The policies
created in the previous two sections are runtime policies.
A data transform policy has two rules:
Rule 1 – encrypts the data
Rule 2 – prevents any other access to the data files
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Policies
__5. Click Add Online Policy
Add the policy details,
Name: dx-AES256-2015
Description: Data Transform Policy
__6. Click Add, to add a new rule
__7. Click Select next to the Effect to add effects for the rule
__8. Select Deny and Audit and click Select Effect
__9. Click Ok to create the rule
__10. Click Add to add an additional rule
__11. Click Select next to the Action criteria
__12. Select key_op and click Select Action
__13. Note: Key operations actions are unique to data transform. The process of encrypting data for the first time or moving data from one key to another key is known as a keying operation.
__14. Click Select next to the Effect to add effects for the rule
__15. Select Permit and Apply Key and click Select Effect
__16. Click Ok to create the rule
__17. Move the key_op rule up to be the first rule
__18. Click Add in Key Selection Rules to add a key rule
__19. Click Select next to the Key entry
__20. Select clear_key key and click Select Key
__21. Click Ok to add the key rule
__22. Click Add in the Data Transformation Rules section
__23. Click Select next to the Key entry
__24. Select the key 'testkey-AES256-2015' and click Select Key
__25. Click Ok to create the key rule
__26. Click Ok to create the rule
__27. Your data transform policy now looks like this:
Rule 1 – allows the data transform utility to read the data files with clear_key and write the data files with the testkey-AES256-2015 key. clear_key represents data not yet encrypted. If the data were already encrypted, you would use the current key for the data read, and the data transform key would be the new key you want the data encrypted with.
Rule 2 – applies to all IO activity not handled by rule 1 and denies the IO
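The rule evaluation described at the start of Part 4 (Table 2), the test-windows-policy of section 4.1 and the data transform rekey of section 4.3, as one runnable added example. This is not Vormetric code: it models the semantics the lab states (ordered first-match rules, blank attribute = all, apply_key as the only effect that encrypts or decrypts) with a XOR stand-in for the AES-256 key so it runs offline. The `GuardPoint` and `data_transform` helpers, the process names, the sample file contents and the choice to treat a policy with no matching rule as a deny are the example's own assumptions.

```python
"""Model of Transparent Encryption policy evaluation.

Added example, not Vormetric code. It models the semantics the lab states:
rules are evaluated in order, a blank attribute matches anything, the first
matching rule's effect is applied, and only apply_key decrypts or encrypts.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL: FrozenSet[str] = frozenset()  # empty attribute set = the lab's blank cell = "all"


@dataclass(frozen=True)
class Rule:
    effect: FrozenSet[str]          # e.g. {"permit", "apply_key"} or {"deny", "audit"}
    users: FrozenSet[str] = ALL
    processes: FrozenSet[str] = ALL
    actions: FrozenSet[str] = ALL
    resources: FrozenSet[str] = ALL

    def matches(self, req: Dict[str, str]) -> bool:
        def ok(allowed: FrozenSet[str], value: str) -> bool:
            return not allowed or value in allowed
        return (ok(self.users, req["user"]) and ok(self.processes, req["process"])
                and ok(self.actions, req["action"]) and ok(self.resources, req["resource"]))


@dataclass(frozen=True)
class Decision:
    rule_index: int      # 1-based index of the rule that fired; 0 = nothing matched
    permitted: bool
    key_applied: bool
    audited: bool


def evaluate(policy: List[Rule], req: Dict[str, str]) -> Decision:
    """First match wins; later rules are never consulted, so rule order decides."""
    for i, rule in enumerate(policy, start=1):
        if rule.matches(req):
            return Decision(i, "permit" in rule.effect, "apply_key" in rule.effect,
                            "audit" in rule.effect)
    return Decision(0, False, False, False)  # no catch-all rule: modelled as deny (assumption)


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """XOR stand-in for the AES-256 DEK so the example runs offline; not a real cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class GuardPoint:
    """A guarded directory: files are kept exactly as the agent wrote them to disk."""

    def __init__(self, policy: List[Rule], key: bytes):
        self.policy, self.key = policy, key
        self.files: Dict[str, bytes] = {}

    @staticmethod
    def _req(user: str, process: str, action: str, resource: str) -> Dict[str, str]:
        return {"user": user, "process": process, "action": action, "resource": resource}

    def write(self, user: str, process: str, resource: str, plaintext: bytes) -> Tuple[str, int]:
        d = evaluate(self.policy, self._req(user, process, "write", resource))
        if not d.permitted:
            return "denied", d.rule_index
        # apply_key encrypts on the way to disk; without it the bytes land in the clear
        self.files[resource] = toy_cipher(plaintext, self.key) if d.key_applied else plaintext
        return "ok", d.rule_index

    def read(self, user: str, process: str, resource: str):
        d = evaluate(self.policy, self._req(user, process, "read", resource))
        if not d.permitted:
            return "denied", d.rule_index
        at_rest = self.files[resource]
        # permit without apply_key hands back the stored bytes: ciphertext for encrypted files
        return "ok", (toy_cipher(at_rest, self.key) if d.key_applied else at_rest)


def data_transform(gp: GuardPoint, new_key: bytes, old_key: Optional[bytes] = None) -> int:
    """Models dataxform --rekey under a data transform policy: read every file with the
    current key (none when the policy's key rule is clear_key) and write it back under
    new_key, outside the runtime policy as the utility does. Returns files rekeyed."""
    for name, at_rest in gp.files.items():
        plain = toy_cipher(at_rest, old_key) if old_key else at_rest
        gp.files[name] = toy_cipher(plain, new_key)
    gp.key = new_key  # the runtime policy's key selection rule now names the new key
    return len(gp.files)


PERMIT_KEY = frozenset({"permit", "apply_key"})
PERMIT = frozenset({"permit"})
DENY_AUDIT = frozenset({"deny", "audit"})

# Table 2: only the database engine gets the key; everyone else reads ciphertext.
DB_POLICY = [Rule(PERMIT_KEY, processes=frozenset({"db_engine"})),
             Rule(PERMIT, actions=frozenset({"read"})),
             Rule(DENY_AUDIT)]

# test-windows-policy from section 4.1, in the order the lab ends up with.
WINDOWS_POLICY = [Rule(PERMIT_KEY, users=frozenset({"user1"})),
                  Rule(PERMIT, users=frozenset({"Administrator"}), actions=frozenset({"read"})),
                  Rule(DENY_AUDIT)]

if __name__ == "__main__":
    gp = GuardPoint(WINDOWS_POLICY, b"placeholder-key-bytes")  # never the real DEK value
    gp.write("user1", "wordpad.exe", r"c:\vipdata2\a.txt", b"constructed sample record")
    print("user1:", gp.read("user1", "wordpad.exe", r"c:\vipdata2\a.txt"))
    print("Administrator:", gp.read("Administrator", "wordpad.exe", r"c:\vipdata2\a.txt"))
```

The model makes the lab's two warnings concrete: moving the deny/audit catch-all to the top of WINDOWS_POLICY makes it the first match for every IO, so even user1 is denied; and a permit without apply_key (Administrator, or any non-db_engine reader in DB_POLICY) succeeds but returns the bytes on disk, which is ciphertext once the files have been written through apply_key or rekeyed with `data_transform`.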
Part 5 Encrypting data
There are two basic ways to encrypt data with TE:
Copy files into a guard point
Use data transform
Copying files into a guard point encrypts each file if the policy rule it matches carries the
apply_key effect.
In this lab you will use both the copy method as well as the data transform method to encrypt
data. More details on data transform will be covered in future lab material.
After completing this lab you will be able to encrypt data as well as demonstrate the data is
encrypted and access control is restricted by TE access control.
5.1 Encrypt Windows data
__1. Login to data-node-2.voredu.com, ID = Administrator, Password = Admin123!
__2. Create a new directory c:\vipdata2
__3. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__4. Select the testdomain > Switch to domain
__5. Click Hosts
5.1.1 Create a guard point
__1. Click data-node-2.voredu.com
__2. Click Guard FS
__3. Click Guard
__4. Select the test-windows-policy
__5. Click Browse to navigate the file system on data-node-2
__6. From the Remote File Browser, select the c:\vipdata2 directory, click Ok
__7. Note: You do not have to use the remote file browser. You can type in the entries in the Path field.
__8. Click Ok to create the new guard points
__9. Click Refresh until the Status is green; this may take a few seconds.
Note: The guard point is now started and the policy rules are in effect. Administrator can only perform reads, and user1 has full access with the encryption key applied.
__10. Try creating a new file in c:\vipdata2 using an application like WordPad
5.1.2 Encrypt the data
__1. Logout of data-node-2 as Administrator
__2. Login to data-node-2, ID = user1 Password = Admin123! (You must be user1)
__a. Click Switch User
__b. Click Other User
__c. Type ID and Password
__3. Copy all the files from c:\vipdata to c:\vipdata2
Note: The files are now encrypted in c:\vipdata2. When user1 copies the data to c:\vipdata2 the encryption key is applied because of the apply_key effect of the matching rule.
__4. Open each of the files in c:\vipdata2
Note: The application of encryption is completely transparent for user1.
__5. Logoff
__6. Login to data-node-2, ID = Administrator, Password = Admin123!
__7. Open each of the files in c:\vipdata2
Note: The behavior for Administrator is different from user1. Administrator has read access to the data files, but without apply_key in the rule's effect the reads return the stored ciphertext rather than decrypted data.
__8. Warning: You will get a denied message if you try to use Notepad. Notepad does not necessarily open the file directly; it may perform a memory-map style open on a file buffer. The Vormetric agent prevents this type of access because it would bypass policy enforcement. Use WordPad instead.
5.1.3 Encrypt the data using data transform
__1. Close all open applications and logoff of any session on data-node-2
__2. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1
__3. Switch to the testdomain, click Domains > Switch Domains
__4. Select the testdomain > Switch to domain
__5. Click Hosts
__6. Click data-node-2.test.com
__7. Click Guard FS
__8. Click Guard
__9. Select the dx-AES256-2015 policy
__10. Click Browse to navigate the file system on data-node-2
__11. From the Remote File Browser, select the c:\vipdata directory, click Ok
__12. Click Ok to create the new guard points
__13. Click Refresh until the Status is green; this may take a few seconds.
__14. Login to data-node-2, ID = Administrator, Password = Admin123!
__15. Note: To run the data transform utility you need administrator access. In this case, both Administrator and user1 are members of the administrator group.
__16. From the Start menu, right-click Command Prompt > select Run as administrator
__17. Run the data transform utility on the c:\vipdata guard point
cd "c:\Program Files\Vormetric\DataSecurityExpert\agent\vmd\bin"
dataxform --rekey --gp c:\vipdata
__18. Press “y” to continue with data transform when prompted
__19. Run cleanup when data transform is complete
dataxform --cleanup --gp c:\vipdata
__20. Press “y” to continue with data transform when prompted
__21. Note: The data files are now encrypted.
5.1.4 Establish the new guard point
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1.voredu.com
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Hosts
__5. Click data-node-2.test.com
__6. Click Guard FS
__7. Select the c:\vipdata guard point and click Unguard
__8. Click Refresh until the guard point is unguarded
__9. Click Guard
__10. Select the test-windows-policy
__11. Click Browse to navigate the file system on data-node-2
__12. From the Remote File Browser, select the c:\vipdata directory, click Ok
__13. Click Ok to create the new guard point
__14. Click Refresh until the Status is green; this may take a few seconds.
__15. Note: The basic benefit of the data transform method of encrypting data is that there is no need to create copies of the data files, which is highly advantageous on large data sets.
5.2 Encrypt Linux/Unix data
__1. Login to data-node-1, ID = root, Password = Admin123!
__2. Right-click on the desktop and click Open in Terminal
__3. Create a new directory /vipdata2
mkdir /vipdata2
__4. Make the directory fully accessible to any user
chmod 777 /vipdata2
__5. Note: TE access control is in addition to any OS access control. So even though you may create a policy that grants access to data files within a guard point, the OS access control may still deny access.
__6. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1
__7. Select the testdomain > Switch to domain
__8. Click Hosts
5.2.1 Edit Host Settings for data-node-1
On Unix/Linux the use of ID or group information in a policy rule is not effective until you configure when this information can be trusted. For example, on Linux and Unix the root account can assume any user's ID. TE can prevent this by tracking how IDs are used in the system and can detect whether a user actually logged in to the system or assumed another user's identity (this is known as ID chaining). In this example we are going to simply trust all accounts in the system regardless of how their identity was established.
__1. Click data-node-1
__2. Click Host Settings
__3. Add the following entry into Host Settings:
__4. |trust|*
__5. Click Ok
__6. Note: The entry allows all processes to establish ID context that is acceptable for policy rule evaluation. More use cases will be covered in later material.
5.2.2 Create a guard point
__1. Click data-node-1
__2. Click Guard FS
__3. Click Guard
__4. Select the test-linux-policy
__5. Click Browse to navigate the file system on data-node-1
__6. From the Remote File Browser, select the /vipdata2 directory, click Ok
__7. Click Ok to create the new guard points
__8. Click Refresh until the Status is green; this may take a few seconds.
__9. Note: The guard point is now started and the policy rules are now in effect. Root can only perform reads, and user1 has full access with application of the encryption key.
__10. Warning: User and group identities in policy rules on Unix/Linux cannot be evaluated unless the Host Settings are updated.
__11. Try creating a new file in /vipdata2
touch /vipdata2/testfile
5.2.3 Encrypt the data
__1. On data-node-1, logout of the root account
__2. Login to data-node-1, ID = user1 (You must be user1)
__3. Right-click on the desktop and click Open in Terminal
__4. Copy all the files from vipdata to vipdata2 (use file manager as an alternative)
cp /vipdata/* /vipdata2/
__5. Note: The files are now encrypted in /vipdata2.
__6. Open each of the files in /vipdata2
__7. Note: The application of encryption is completely transparent for user1.
__8. Logout
__9. Login to data-node-1, ID = root
__10. Open each of the files in /vipdata2
__11. Note: The behavior of root is different from that of user1. Root can read the data files, but because the rule effect lacks apply_key, the reads return the data still encrypted.
5.2.4 Encrypt the data using data transform
__1. Close all open applications and logout of any session on data-node-1
__2. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1
__3. Switch to the testdomain, click Domains > Switch Domains
__4. Select the testdomain > Switch to domain
__5. Click Hosts
__6. Click data-node-1
__7. Click Guard FS
__8. Click Guard
__9. Select the dx-AES256-2014 policy
__10. Click Browse to navigate the file system on data-node-1
__11. From the Remote File Browser, select the /vipdata directory, click Ok
__12. Click Ok to create the new guard point
__13. Click Refresh until the Status is green; this may take a few seconds.
__14. Login to data-node-1, ID = root, Password = password
__15. Right-click on the desktop and click Open in Terminal
__16. Note: To run the data transform utility you must be root.
__17. Run the data transform utility on the /vipdata guard point
dataxform --rekey --gp /vipdata
__18. Press “y” to continue with data transform when prompted
__19. Run cleanup when data transform is complete
dataxform --cleanup --gp /vipdata
__20. Press “y” to continue with data transform when prompted
__21. Note: The data files are now encrypted.
5.2.5 Establish the new guard point
__1. Login to the management console, ID = superuser, Password = Admin123!
https://dsm-server-1
__2. Switch to the testdomain, click Domains > Switch Domains
__3. Select the testdomain > Switch to domain
__4. Click Hosts
__5. Click data-node-1
__6. Click Guard FS
__7. Select the /vipdata guard point and click Unguard > Click OK
__8. Click Refresh until the guard point is unguarded
__9. Click Guard
__10. Select the test-linux-policy
__11. Click Browse to navigate the file system on data-node-1
__12. From the Remote File Browser, select the /vipdata directory, click Ok
__13. Click Ok to create the new guard point
__14. Click Refresh until the Status is green; this may take a few seconds.
__15. Note: The basic benefit of the data transform method of encrypting data is that there is no need to create copies of the data files, which is highly advantageous on large data sets.
__16. Test file access as user1 and root and note the difference in application and user data availability.
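A scripted version of the user1-versus-root check above (an added example, not part of the Vormetric lab material): it estimates the byte entropy of each file under a guard point to tell ciphertext from cleartext, so running it once as user1 and once as root shows the apply_key difference without opening every file by hand. The 7.0 bits/byte threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Vormetric lab. Heuristic check that a guard
# point returns ciphertext to the current identity: cleartext documents have a
# byte entropy well below 8 bits/byte, while AES output is close to 8.
# The 7.0 bits/byte threshold is an assumption; tune it for your data.

# Print the Shannon entropy (bits per byte) of a file's byte distribution.
byte_entropy() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -n | uniq -c |
    awk '{ n += $1; cnt[NR] = $1 }
         END { if (n == 0) { print "0.000"; exit }
               for (i in cnt) { p = cnt[i] / n; h -= p * log(p) / log(2) }
               printf "%.3f\n", h }'
}

# Exit 0 when the file looks encrypted, 1 when it looks like cleartext.
looks_encrypted() {
    awk -v h="$(byte_entropy "$1")" 'BEGIN { exit !(h >= 7.0) }'
}

# Classify every regular file directly under a guard point as the calling
# user, print one line per file, and exit 1 if any file does not match the
# expectation. Run as user1 with expect-clear and as root with
# expect-encrypted to confirm the behaviour described in the notes above.
# Usage: check_guardpoint /vipdata2 expect-encrypted|expect-clear
check_guardpoint() {
    gp=$1; expect=$2; bad=0
    for f in "$gp"/*; do
        [ -f "$f" ] || continue
        if looks_encrypted "$f"; then state=encrypted; else state=clear; fi
        printf '%s\t%s\t%s\n' "$(id -un)" "$f" "$state"
        [ "expect-$state" = "$expect" ] || bad=1
    done
    return "$bad"
}
```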
Additional Tasks and Questions
The following additional tasks are self-directed and are designed to exercise the lab objectives.
Tasks:
1) Work with users and groups
- Create a new user and group on data-node-1
- Edit the test-linux-policy to grant access to just the user’s group
- Edit the test-windows-policy to add a rule allowing full access to the domain group 'Guests'
2) Work with keys
- Create a new key
- Create a new data transform policy for the new key
- Create a directory of your choice, place some data in the directory, and use your new transform policy to encrypt the data
- Create a data transform policy to decrypt the data
- Use the policy to decrypt the guard point
3) Work with encryption
- Create a directory /vipdata3 on data-node-1
- Decrypt the data by copying the data from /vipdata or /vipdata2, whichever is still encrypted.
Questions:
4) What kind of keys can a security administrator with key role create?
5) What would happen to the agent and guard points if you changed the hostname of the data server?
6) What would happen if you changed the IP of the data server?
7) What is the purpose of agent registration?
8) Is it possible to use domain users and groups in a policy?