Client-Rule Associations
After a rule is created, it can be applied (linked) to one or more clients. This linking is referred to as a client-rule association. The state of a client-rule association depends on the cryptographic operation last performed on the path.
When linking a rule with a client, specify:
The identifier of the client.
The identifier of the rule to link to the client.
The key used to encrypt data. Rules that do not encrypt (Encrypt set to No) need no key.
Note
• ProtectFile Admins must have the ReadKey permission on the encryption key when creating a client-rule association.
• ProtectFile Users must be granted the ReadKey and ExportKey permissions on the encryption key.
• CTE UserSpace supports versioned keys. Refer to Key Version Rotation for details.
The identifier of the access policy group.
Creating a Client-Rule Association
To create a client-rule association:
Open the ProtectFile & Transparent Encryption UserSpace application. The Clients page is displayed.
Under Client Name, click the desired client.
Under Rules for Client "<client-name>", click the Add a Rule to this Client link. The list of available rules is displayed. To refresh the list of rules, click Refresh.
Optionally, create a new rule by clicking New Rule. You might need to scroll down the page.
Select the desired rule.
Click Forward. You might need to scroll down the page. The list of available keys is displayed.
Optionally, create a new key by clicking Create a New Key.
Select the desired key.
Click Forward. You might need to scroll down the page. The list of available Access Policy Groups is displayed.
Optionally, create a new access policy group by clicking New Access Policy Group. You might need to scroll down the page.
Select the desired access policy group.
Click Forward. The details of the client-rule association are displayed.
Review the association details.
If it requires any change, click Back to modify the association.
Click Add Rule to Client.
The client-rule association is created.
Viewing Rules Associated with Clients
CTE UserSpace provides options to view the rules associated with a client. Rules can be filtered by the operation they perform (Any, Encrypt, KeyRotate, Decrypt) or by characters matching their state.
To view rules linked with a client:
Open the ProtectFile & Transparent Encryption UserSpace application.
In the left pane, click Clients. The Clients page shows the list of existing clients.
Under Client Name, click the desired client.
The Clients page shows the list of linked rules, clusters, and shares. The Rules for Client "<client-name>" section shows the list of associated rules. To refresh the list of rules, click Refresh. The section shows the following details:
Column | Description
---|---
Name | Name of the rule. If no name was specified when the rule was created, the rule is named Rule-XXXX, where XXXX is a random string of 27 characters.
Type | Whether the path is a directory or a file.
Path | Path of the directory or file to protect. Paths to encrypt or decrypt are referred to as encryption paths in this document.
Policy | Access policy group linked with the rule.
Encrypt | Whether the path is configured for encryption, Yes or No. CTE UserSpace does not support access control policies.
Skip Migration | (Applicable to folder-based rules) Whether existing encrypted files in the directory are skipped, Yes or No. Yes means that files that are already encrypted are skipped during encryption and no encryption rule is applied to them. After migration, new files created in or moved to the migrated directory are encrypted and protected with the applied access policy.
State | State of the rule. When a rule is created, its state is Created. While a cryptographic operation is in progress, the state is In Progress. On failure, the state is Validation Failed or Failed. Depending on the cryptographic operation, the final state is Encrypted (after encryption or key rotation) or Decrypted (after decryption). Refer to Cryptographic Operations and State Flow for details.
Tip
To view additional information about a rule, click the arrow to the left of the Name link. This shows whether the rule encrypts a single file, encrypts all files, or includes/excludes files by extension in a folder and its subfolders. The key used for encryption is also displayed.
Note
When at least one process-based policy is applied on a client whose associated profile enforces the process fingerprint check, the Get Fingerprint button is available under the Rules for Client "<client-name>" section. Refer to Checking Process Fingerprints for details.
Checking Process Fingerprints
When the process fingerprint check is enabled in the associated client profile, CTE UserSpace checks the fingerprint (checksum) of processes while granting the access.
Every process has a unique fingerprint that is stored on the CipherTrust Manager when the associated policy is deployed on the client for the first time.
Every time a process makes requests to access files, the CTE Agent retrieves the fingerprint of the process and compares it with the fingerprint stored on the CipherTrust Manager.
If the fingerprints match, access is granted according to the policy.
If they do not match, for example, when the process executable is modified or tampered with on the client, the access is denied. This can help prevent malicious access attempts to the sensitive data.
If the process executable on the client changes legitimately, for example because of an upgrade, maintenance, or a security fix, the process fingerprint stored on the CipherTrust Manager must be updated; until then, the updated process is denied access exactly as a tampered one would be. The CipherTrust Manager administrator retrieves the new fingerprint from the client by clicking the Get Fingerprint button under the Rules for Client "<client-name>" section of the Clients page.
Note
The updated fingerprint might take some time to be effective based on the polling interval configured in the associated client profile.
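The following is an added illustration of the fingerprint check described above; it is not CTE UserSpace code and does not reproduce how the CTE Agent or the CipherTrust Manager are implemented. It assumes SHA-256 as the checksum (the page only says "checksum"), uses a hypothetical process path /usr/bin/backup-agent, and stands in constructed byte strings for the process executables. It models the three points a practitioner needs to keep in mind: the baseline is recorded once at first deployment, any change to the executable (malicious or a legitimate upgrade) is denied until the administrator refreshes the fingerprint, and the refreshed fingerprint only takes effect once the agent has polled the manager again.

```python
import hashlib
import hmac

# Constructed sample executables (not real binaries): byte strings standing in
# for the process image the agent would hash on the client.
AGENT_V1 = b"\x7fELF backup-agent build 1.0"
AGENT_V1_TAMPERED = b"\x7fELF backup-agent build 1.0 + injected payload"
AGENT_V2 = b"\x7fELF backup-agent build 2.0"
PROCESS = "/usr/bin/backup-agent"  # hypothetical process named in a process-based policy


class AccessDenied(Exception):
    """Raised when the process fingerprint does not match the recorded one."""


def fingerprint(executable: bytes) -> str:
    # Assumption: SHA-256. The page calls the fingerprint a checksum without naming the algorithm.
    return hashlib.sha256(executable).hexdigest()


class ManagerStore:
    """Stands in for the fingerprint records kept on the CipherTrust Manager."""

    def __init__(self):
        self.fingerprints = {}

    def deploy_policy(self, process: str, executable: bytes) -> None:
        # The first deployment records the baseline; later deployments keep the existing record.
        self.fingerprints.setdefault(process, fingerprint(executable))

    def get_fingerprint(self, process: str, executable: bytes) -> None:
        # Models the administrator's Get Fingerprint action: replace the stored baseline
        # with the fingerprint of the executable currently on the client.
        self.fingerprints[process] = fingerprint(executable)


class Agent:
    """Stands in for the CTE Agent, which decides from the copy fetched at its last poll."""

    def __init__(self):
        self.cached = {}

    def poll(self, store: ManagerStore) -> None:
        # Runs once per polling interval configured in the client profile.
        self.cached = dict(store.fingerprints)

    def check_access(self, process: str, executable: bytes) -> bool:
        expected = self.cached.get(process)
        if expected is None:
            raise AccessDenied(f"{process}: no fingerprint recorded")
        actual = fingerprint(executable)
        # Constant-time comparison so the check itself leaks nothing about the stored digest.
        if not hmac.compare_digest(actual, expected):
            raise AccessDenied(f"{process}: fingerprint mismatch")
        return True


def allowed(agent: Agent, process: str, executable: bytes) -> bool:
    try:
        return agent.check_access(process, executable)
    except AccessDenied:
        return False


def scenario() -> list:
    """Runs the lifecycle described on the page and returns the access decisions in order."""
    store, agent = ManagerStore(), Agent()
    store.deploy_policy(PROCESS, AGENT_V1)   # first deployment: baseline recorded
    agent.poll(store)
    results = [
        allowed(agent, PROCESS, AGENT_V1),           # unchanged binary: granted
        allowed(agent, PROCESS, AGENT_V1_TAMPERED),  # tampered binary: denied
        allowed(agent, PROCESS, AGENT_V2),           # legitimate upgrade, stale baseline: denied
    ]
    store.get_fingerprint(PROCESS, AGENT_V2)         # administrator refreshes the baseline
    results.append(allowed(agent, PROCESS, AGENT_V2))  # agent has not polled yet: still denied
    agent.poll(store)                                # next polling interval
    results.append(allowed(agent, PROCESS, AGENT_V2))  # after the poll: granted
    return results


if __name__ == "__main__":
    print(scenario())
```

The fourth decision is the one that surprises operators in practice: after the upgrade and even after Get Fingerprint, access stays denied until the agent's next poll, which is why a planned upgrade should be followed by the fingerprint refresh before the process is expected to serve requests again.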
Unbinding a Client-Rule Association
To unlink (unbind) a client-rule association:
Open the ProtectFile & Transparent Encryption UserSpace application. The Clients page is displayed.
Under Client Name, click the desired client.
Under Rules for Client "<client-name>", click the overflow icon corresponding to the rule you want to unlink.
Click Unbind.
The client-rule association is removed. The rule is removed from Rules for Client "<client-name>".
Cryptographic Operations and State Flow
The following table describes the flow of cryptographic operations and possible states a client-rule association goes through.
# | Operation | State | Remarks
---|---|---|---
1 | None | Created | A client-rule association is created.
2 | Encrypt | In Progress | Encryption is in progress.
 | | Validation Failed | Encryption failed due to validation failures.
 | | Failed | Encryption failed.
3 | None | Encrypted | Path encrypted successfully. The operation is reset.
4 | Rotate Key | In Progress | Key rotation is in progress.
 | | Validation Failed | Key rotation failed due to validation failures.
 | | Failed | Key rotation failed.
5 | None | Encrypted | Key rotated successfully. The operation is reset.
6 | Decrypt | In Progress | Decryption is in progress.
 | | Validation Failed | Decryption failed due to validation failures.
 | | Failed | Decryption failed.
7 | None | Decrypted | Used internally; not visible to the administrator. Decryption is successful and the client-rule association is removed. The operation is reset.
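The table above can be read as a small state machine, and the following added model encodes it so that a script watching associations (for example, one driving rotations on a schedule) can tell which operations are valid from which state. This is illustrative code written for this page, not part of CTE UserSpace, and it makes two assumptions the table does not spell out: Validation Failed and Failed are treated as resting states from which no operation can be started without administrator action, and the operation name is kept on the association after a failure so that the failed operation is visible.

```python
# States and operations exactly as named in the table.
CREATED, IN_PROGRESS, ENCRYPTED, DECRYPTED = "Created", "In Progress", "Encrypted", "Decrypted"
VALIDATION_FAILED, FAILED = "Validation Failed", "Failed"
ENCRYPT, ROTATE_KEY, DECRYPT = "Encrypt", "Rotate Key", "Decrypt"

# Which operation may be started from which resting state (rows 1, 3 and 5).
# Assumption: nothing can be started from a failed state without administrator action.
STARTABLE = {
    CREATED: {ENCRYPT},
    ENCRYPTED: {ROTATE_KEY, DECRYPT},
}

# Resting state reached when an operation completes successfully (rows 3, 5 and 7).
ON_SUCCESS = {ENCRYPT: ENCRYPTED, ROTATE_KEY: ENCRYPTED, DECRYPT: DECRYPTED}


class InvalidTransition(Exception):
    """Raised for an operation the table does not allow from the current state."""


def can_start(state: str, operation: str) -> bool:
    return operation in STARTABLE.get(state, set())


class Association:
    """One client-rule association tracked through the table's Operation and State columns."""

    def __init__(self, client: str, rule: str):
        self.client, self.rule = client, rule
        self.operation = None     # "None" in the table's Operation column
        self.state = CREATED
        self.removed = False      # set once row 7 is reached

    def start(self, operation: str) -> None:
        if self.removed:
            raise InvalidTransition("association was removed after decryption")
        if not can_start(self.state, operation):
            raise InvalidTransition(f"cannot {operation} from state {self.state!r}")
        self.operation, self.state = operation, IN_PROGRESS

    def finish(self, outcome: str) -> None:
        """outcome is one of 'ok', 'validation_failed' or 'failed'."""
        if self.state != IN_PROGRESS:
            raise InvalidTransition("no operation in progress")
        if outcome == "validation_failed":
            self.state = VALIDATION_FAILED   # operation kept for visibility (assumption)
        elif outcome == "failed":
            self.state = FAILED
        elif outcome == "ok":
            self.state = ON_SUCCESS[self.operation]
            self.operation = None            # "The operation is reset."
            if self.state == DECRYPTED:
                self.removed = True          # row 7: association removed
        else:
            raise ValueError(f"unknown outcome {outcome!r}")


def run(steps, client="client-01", rule="rule-01"):
    """Drives a fresh association through (operation, outcome) pairs; returns the state history."""
    assoc = Association(client, rule)   # hypothetical identifiers
    history = [assoc.state]
    for operation, outcome in steps:
        assoc.start(operation)
        assoc.finish(outcome)
        history.append(assoc.state)
    return history, assoc.removed


if __name__ == "__main__":
    print(run([(ENCRYPT, "ok"), (ROTATE_KEY, "ok"), (DECRYPT, "ok")]))
```

The practical consequence encoded here is that Rotate Key and Decrypt are only meaningful on an association that has reached Encrypted; attempting them from Created, or after a decryption has removed the association, is rejected before any operation is recorded.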