Creating Standard Policies for DFSR
If you are using the standard (offline) data encryption option, you need to create two policies: a data transformation policy that is used for the initial encryption and an operational policy that is used for day-to-day access to the encrypted data. The initial encryption policy is identical to the one you use for any standard GuardPoint. It is the operational policy that has DFSR-specific requirements.
How you create policies for DFSR depends on the key manager that you are using.
Procedure Using CipherTrust Manager
- Log into the CipherTrust Manager Console and switch to the correct domain if required.
- If you do not know which symmetric key you want to use to encrypt the data, or you want to create a new key for the DFSR namespace, launch the Keys & Access Management application and locate an existing symmetric key or create a new one. For details on creating a symmetric key for standard encryption, see the CTE Data Transformation Guide.
- Launch the Transparent Encryption application.
- In the left-hand menu bar, click Policies.
- To create the initial data encryption policy, click Create Policy and enter the following information. The following example assumes you are using dataxform to encrypt the data in place. If you are using the copy or restore encryption method, create your initial data transformation policy as described in the CTE Data Transformation Guide.
  - In the Name field, enter a name for the policy. This example uses DFSR-Std-Initial.
  - In the Policy Type field, select Standard.
  - Enable the Data Transformation option.
  - Click Next.
  - On the Security Rules page, make sure there is a security rule with the action key_op and the effect permit, applykey. If CipherTrust Manager did not add this security rule automatically, go back to the General Info page and make sure that the Data Transformation option is enabled.
  - On the Security Rules page, click Create Security Rule and add another security rule that prevents any other process from accessing the data while it is being encrypted:
    - In the Action field, click Select and choose all_ops.
    - In the Effect field, click Select and choose Deny.
    When you are done, click Add to save the security rule.
  - Click Next.
  - On the Key Rules page, click Create Key Rule. In the Current Key Name field, click Select and choose clear_key. In a DFSR environment, you must apply the initial encryption policy to unencrypted data ONLY (the current key must be set to clear_key). If your data is already encrypted, you must decrypt it and completely remove the existing GuardPoint before re-encrypting the data with a new key from scratch. For details, see Considerations with DFSR.
  - Click Add to save the key rule.
  - Click Next.
  - On the Data Transformation page, click Create Data Transformation Rule. In the Transformation Key Name field, click Select and choose the symmetric key you want to use for data transformation.
  - Click Add to save the data transformation rule.
  - Click Next.
  - Verify the policy information and click Save to save the initial encryption policy.
- To create the production policy, click Create Policy and enter the following information.
  - In the Name field, enter a name for the policy. This example uses DFSR-Std-Policy.
  - In the Policy Type field, select Standard.
  - Click Next.
  - On the Security Rules page, click Create Security Rule and add the following security rule:
    - In the User Set field, click Select and choose the user set you created that contains NT AUTHORITY. For details, see Creating Required DFSR Policy Components.
    - In the Process Set field, click Select and choose the process set you created that contains the required DFSR processes dfsrs.exe and ntoskrnl.exe.
    - In the Effect field, click Select and choose Permit and Audit.
  - Click Add.
  - Add any other security rules you need to your policy. When you have added all your security rules, click Next.
  - On the Key Rules page, click Create Key Rule. In the Current Key Name field, click Select and choose the symmetric key you used to encrypt the data in the initial data encryption policy.
  - Verify the policy information and click Save to save the production policy.
When you have both policies ready, you can create the required DFSR GuardPoints as described in Creating Standard GuardPoints with the DFSR Hub and Spoke Topology or Creating Standard GuardPoints with the DFSR Full Mesh Topology.
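As an added check (example code, not Thales's or CipherTrust Manager's own), the following Python encodes the DFSR-specific requirements of both policies from the procedure above and flags a policy pair that violates them: clear_key as the only current key in the initial policy, the all_ops deny rule, the Permit and Audit rule for NT AUTHORITY with dfsrs.exe and ntoskrnl.exe, and an operational key that matches the transformation key. The policy dict layout, set names and key name are constructed for the example and are not the CipherTrust Manager policy format.

```python
# Added example (not Thales code): consistency check over the two DFSR policies above.
# The dict layout is a constructed representation, not the CipherTrust Manager format.
REQUIRED_DFSR_PROCESSES = {"dfsrs.exe", "ntoskrnl.exe"}

def _has_rule(rules, action, effects):
    """True if some security rule has exactly this action and set of effects."""
    return any(r.get("action") == action and set(r.get("effect", [])) == effects
               for r in rules)

def check_dfsr_policies(initial, operational, user_sets, process_sets):
    """Return the DFSR requirements the policy pair violates (empty list = OK)."""
    problems = []
    # Initial policy: key_op permitted, all other access denied, clear data only.
    if not initial.get("data_transformation"):
        problems.append("initial: Data Transformation option not enabled")
    if not _has_rule(initial["security_rules"], "key_op", {"permit", "applykey"}):
        problems.append("initial: missing key_op -> permit, applykey rule")
    if not _has_rule(initial["security_rules"], "all_ops", {"deny"}):
        problems.append("initial: missing all_ops -> deny rule")
    if [r["current_key"] for r in initial["key_rules"]] != ["clear_key"]:
        problems.append("initial: current key must be clear_key (unencrypted data only)")
    xform_keys = {r["transformation_key"] for r in initial["data_transformation_rules"]}
    # Operational policy: NT AUTHORITY + dfsrs.exe/ntoskrnl.exe get Permit and Audit; key matches.
    dfsr_ok = False
    for r in operational["security_rules"]:
        users = user_sets.get(r.get("user_set"), [])
        procs = set(process_sets.get(r.get("process_set"), ()))
        if (set(r.get("effect", [])) == {"permit", "audit"}
                and any(u.upper().startswith("NT AUTHORITY") for u in users)
                and REQUIRED_DFSR_PROCESSES <= procs):
            dfsr_ok = True
    if not dfsr_ok:
        problems.append("operational: no Permit+Audit rule for NT AUTHORITY with "
                        "dfsrs.exe and ntoskrnl.exe")
    op_keys = {r["current_key"] for r in operational["key_rules"]}
    if op_keys != xform_keys:
        problems.append(f"operational: current key {sorted(op_keys)} must be the "
                        f"transformation key {sorted(xform_keys)}")
    return problems

# Constructed sample input mirroring the two policies in the procedure.
USER_SETS = {"DFSR-Users": ["NT AUTHORITY\\SYSTEM"]}
PROCESS_SETS = {"DFSR-Procs": {"dfsrs.exe", "ntoskrnl.exe"}}
INITIAL = {"data_transformation": True,
           "security_rules": [{"action": "key_op", "effect": ["permit", "applykey"]},
                              {"action": "all_ops", "effect": ["deny"]}],
           "key_rules": [{"current_key": "clear_key"}],
           "data_transformation_rules": [{"transformation_key": "DFSR-AES-Key"}]}
OPERATIONAL = {"security_rules": [{"user_set": "DFSR-Users", "process_set": "DFSR-Procs", "effect": ["permit", "audit"]}],
               "key_rules": [{"current_key": "DFSR-AES-Key"}]}
```

Running check_dfsr_policies(INITIAL, OPERATIONAL, USER_SETS, PROCESS_SETS) on the sample returns an empty list; dropping ntoskrnl.exe from the process set or changing either key produces a named problem.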