Concepts
This section describes the following concepts:
Clients
Note
The CipherTrust Manager must be reachable from the ProtectV clients for successful communication. Firewalls should be configured to allow this communication.
A ProtectV client represents a machine where ProtectV is installed. Such clients are also called as images in this document. The ProtectV client is automatically added to the CipherTrust Manager on successful registration.
After registration, the ProtectV client needs to be enrolled with the ProtectV service for protection of data stored on them.
The following table lists the parameters that are required when enrolling a ProtectV client with the ProtectV services and managing it on the CipherTrust Manager:
Parameter | Description |
---|---|
KeySecure Client ID | ID of a ProtectV client registered with the CipherTrust Manager. |
Cloud ID | Cloud ID of the ProtectV client. This ID identifies the cloud where the ProtectV client is installed. |
Application Metadata | Application metadata of the ProtectV client. |
Authorize New Instances | Flag to authorize new cloned client instances for encryption key. The default setting is true. • When set to true, the new cloned instances will be granted encryption keys. These instances will be up only after receiving the encryption key. • When set to false, the new cloned instances will not be granted encryption keys. These instances will remain inaccessible until they are authorized to receive the encryption key. |
ProtectV provides options to:
View details of a client
View existing clients
Enroll clients with the ProtectV service
Authorize cloned instances for encryption keys
Disable and enable clients on the CipherTrust Manager
Delete clients when they are no longer required
Warning
As soon as a client is deleted from the CipherTrust Manager, all communication between the CipherTrust Manager and the client will stop immediately. It is recommended that the data is decrypted before deleting the client, otherwise the data will become inaccessible.
Instances
A ProtectV instance is a clone of an enrolled ProtectV client. Such instances are also called as client instances in this document. If authorized, the cloned instance automatically gains access to encryption keys. Clones of an enrolled ProtectV client are automatically added to the CipherTrust Manager.
The following table lists the parameters that are required when managing a ProtectV client instance on the CipherTrust Manager:
Parameter | Description |
---|---|
Name | Name of the ProtectV client instance. |
Application Metadata | Application metadata of the ProtectV client instance. |
Authorized | Flag to authorize new cloned client instances for encryption key. The default setting is true. • When set to true, the new cloned instances will be granted encryption keys. These instances will be up only after receiving the encryption key. • When set to false, the new cloned instances will not be granted encryption keys. These instances will remain inaccessible until they are authorized to receive the encryption key. |
Alarmed | Flag to enable or disable alerts about access to encryption keys. The default setting is true. • When set to true, alert is displayed that the disk associated with the instance will not be granted a key unless both the instance and the parent client are authorized. • When set to false, alert about access to the keys is not displayed. |
ProtectV provides options to view existing ProtectV client instances, view their details, authorize new cloned instances for encryption keys, and delete them when they are no longer required.
Warning
As soon as an instance is deleted from the CipherTrust Manager, all communication between the CipherTrust Manager and the instance will stop immediately. It is recommended that the data is decrypted before deleting the instance, otherwise the data will become inaccessible.
Settings
ProtectV provides options to configure a keystore, manage encryption keys, and autoscaling of clients.
Keystore
ProtectV supports the CipherTrust Manager and the SafeNet KeySecure Classic for key management. These key managers are referred to as the keystore in this document.
The following table lists the parameters that are required when specifying a keystore for ProtectV on the CipherTrust Manager:
Parameter | Description |
---|---|
Type | Type of the keystore. Specify keysecure for the KeySecure Classic and local for the CipherTrust Manager. The default keystore is the CipherTrust Manager (local). |
Configuration | Configuration of the keystore. No configuration is required for the CipherTrust Manager. For the KeySecure Classic, specify the following: • ksIP – IP address of the KeySecure Classic. • ksPort – NAE port of the KeySecure Classic. • ksUser – User of the KeySecure Classic. This user must have permission to create keys on the SafeNet KeySecure. • ksPass – Password of the KeySecure Classic user. • ksCA – CA certificate (.crt file) that you generated on the KeySecure Classic. • ksClientCert – Full path of the imported client certificate. For example, /home/pvadmin/ksclientcert.crt. • ksClientPKey – Full path of the KeySecure client's private key. • ksClientPKeyPassphrase – Password of the imported client's private key. |
ProtectV provides options to change the keystore and view details of the current keystore. Refer to Configuring a Keystore for details on configuring a keystore.
Key Management
Key management refers to configuring in-transit key wrapping, Windows auto protection, and key rotation (rekey).
In-transit Key Wrapping
ProtectV can be configured to wrap keys while they are moving between the CipherTrust Manager and the ProtectV Client. This is referred to as in-transit key wrapping.
Enable in-transit key wrapping to protect KEKs against TLS attacks. The KEK is wrapped with a public key by the CipherTrust Manager. This feature is disabled by default. As a ProtectV administrator, you can enable the feature.
Windows Auto Protection
Use the Windows Auto Protection option to configure automatic encryption behavior of Windows client instances on registration. By default, encryption of a Windows client instance starts as soon as it is registered with the CipherTrust Manager.
A ProtectV administrator can disable this configuration. When disabled, encryption of newly registered Windows client instances will not start immediately. This allows selecting specific Windows partitions for encryption for the first time. Encryption of selected partitions will start automatically within an hour as the CipherTrust Manager is contacted between 5 and 60 minutes continuously. Alternatively, reboot the client instance to start the encryption of selected partitions immediately.
Rekey (Key Rotation)
ProtectV provides automatic key renewal, also known as key rotation or rekey. This feature can be helpful in meeting regulatory requirements concerning the change of encryption keys.
As a ProtectV administrator, you can configure the key rotation interval (in number of days) with the date of last key change for data partitions displayed on the console. Key rotation happens automatically after the preset number of days (starting from day of configuration). When rekey is enabled, the default key rotation interval is 180 days.
Note
Key rotation happens for all encrypted partitions of registered client instances; the plaintext partitions are skipped.
The following table lists the parameters that are required during key management for ProtectV on the CipherTrust Manager:
Parameter | Description |
---|---|
Default Encryption | Enable or disable Windows auto protection. The default value is true. |
Enable Key Wrapping | Enable or disable key wrapping. The default value is false. |
Enable Rekey | Enable or disable key rotation. The default value is false. When set to true, you can specify the rekey interval (described below). |
Rekey Interval | (Applicable when enable_rekey is set to true.) The number of days after which the encryption key should be changed. The default value is 180 days. |
ProtectV provides options to view and change configuration settings.
Autoscaling
Autoscaling refers to whether new clones of images will be granted keys automatically. By default, autoscaling is turned off; new clones will not be granted keys automatically.
A ProtectV user can turn on/off autoscaling for individual ProtectV Client images. However, a ProtectV administrator can turn on/off autoscaling for individual ProtectV Client images or for all ProtectV Client images that will be registered subsequently. Turning autoscaling on/off for all ProtectV Client images is referred to as global autoscaling.
When global autoscaling is turned on, encryption keys will be granted to new clones of all ProtectV Client images that will be created in future.
Note
In case of CipherTrust Manager clusters, turn on global autoscaling on all cluster members individually.
ProtectV provides options to view and configure global autoscaling settings. To turn on global autoscaling, set the autoscale
option to true. To turn the feature off, set autoscale
to false.
Partitions
Partitions of encrypted ProtectV clients can be granted or denied access to encryption keys. Encryption of partitions can also be enabled or disabled on the CipherTrust Manager.
The following table lists the parameters that are required when managing partitions' access to encryption keys and encryption or decryption on the CipherTrust Manager:
Parameter | Description |
---|---|
Instance ID | ID of the registered ProtectV client. |
Enable | Flag to enable or disable the partition's access to the encryption key. The default setting is true; that is, the access is granted. To disable (deny) the access, set the flag to false. |
Encrypt | Flag to enable or disable encryption of the partition. The default setting is true; that is, encryption is enabled. To disable encryption, set the flag to false. This sets the partition for decryption. |
ProtectV provides options to view partitions of instances, view details of the partitions of instances, and enable or disable encryption and partitions' access to encryption keys.
Keys
This section provides information on keys used for encrypting data using ProtectV. These keys are created, stored, and managed on the CipherTrust Manager. A CipherTrust Manager administrator creates encryption keys. These keys are referred to as encryption keys in this document. Refer to Viewing Encryption Keys for the list of keys used by ProtectV.
ProtectV uses AES-256 encryption for protecting partitions on clients.
Warning
Exercise extreme caution when deleting keys. Make sure that no partition is encrypted using the key to delete. If a key is erroneously deleted, that key cannot be recreated.
The data on clients is encrypted with encryption keys stored on the CipherTrust Manager. When the ProtectV service starts, it downloads the keys needed by clients.