In a NAS environment where an unsupported operating system or firmware is running on the NAS server, installing ProtectFile becomes impossible, and network shares and the encryptor client come into play.
The network shares that need to be encrypted are added to the CipherTrust Manager and mounted on the clients where they are accessed. All these clients must be registered with the CipherTrust Manager so that users can access encrypted directories.
Encryptor clients are used in a NAS scenario. A registered ProtectFile client that is designated to perform encryption of existing data is called an encryptor client. The encryptor client is essential because the CipherTrust Manager cannot migrate the NAS share itself and needs a ProtectFile agent to do so. When an encryptor client is assigned, it performs special tasks such as initial migration of data or key rotation. Outside these cases, the encryptor client does nothing and is a normal client with ProtectFile installation accessing the share.
The IP address, hostname, and Fully Qualified Domain Name (FQDN) of the NAS server must be fully resolvable at ProtectFile clients.
It is recommended that NAS server's IP address remains static. If the IP address is changed, the network share becomes inaccessible. Either use the hostname or manually change the IP address on the CipherTrust Manager and flush the DNS cache on the Windows client by running
Before applying a NAS rule from a client running ProtectFile, the network share must be mounted at the specific path on the client. Refer to the "Mounting the Network Share" section in the ProtectFile Clients User's Guide for details.
Creating a Network Share
The following table lists the parameters that are required when creating or managing a network share on the CipherTrust Manager:
|Name||Friendly name to display on the CipherTrust Manager to uniquely identify a network share. This field is mandatory.|
|IP Address or Hostname||IP address or hostname of the NAS/DFS server where NAS path is shared. This field is mandatory.|
|Share Name||Path shared on the NAS/DFS server. This field is mandatory.|
|Share Type||Type of the network share—SMB or NFS. This field is mandatory.|
|Encryptor Client||Name of the client that will perform initial encryption of data on the network share. If an encryptor client is not specified, data on the network share cannot be encrypted. However, you can modify the network share to specify the encryptor client later.|
This document, may at times, abbreviate "encryptor client" to "encryptor."
|User Name||(SMB shares) A username with read/write access to all directories on the network share that will be encrypted. The encryptor client will use this username to access directories on the share.|
|Password||(SMB shares) Password of the user.|
|DFS||(Applicable to ProtectFile Windows clients and SMB shares) Whether the network share is exposed to clients through DFS Namespaces. The default value is false.|
|DFS Alias||(Applicable to ProtectFile Windows clients and SMB shares) This field is applicable when DFS is set to true. Names of machines/domains through which the network shares exposed through DFS Namespace are accessed by users/applications. These names can be NetBIOS names or alias names of domains and/or DFS node clients configured on DNS. Aliases could be IP address, FQDN, NetBIOS name, or hostname. Separate aliases by semicolons.|
Ensure that aliases specified in the DFS Alias field are correct; ProtectFile does not resolve these names.
|Auto Mount||(Applicable to ProtectFile Linux clients) Whether a network share is automatically mounted through Autofs. The default value is false.|
ProtectFile provides options to view existing network shares, view and modify their details, and delete them when they are no longer required.
Linking a Network Share with a Client
A network share needs to be linked with client instances so that authorized client users can access data stored on it. This is called client-network share association. Each client, where the network share will be accessed, must be registered with the CipherTrust Manager.
A network share is automatically linked to the encryptor client if the encryptor is specified during the creation of the network share.
ProtectFile provides options to view the list of network shares linked with a client, and the list of clients accessing a particular network share.