Creating Standard Policies for DFS(R)
If you are using the standard (offline) data encryption option, you need to create two policies: a data transformation policy that is used for the initial encryption, and a standard policy that is used for day-to-day access to the encrypted data. The initial encryption policy is identical to the one you use for any standard GuardPoint. It is the standard policy that has DFS(R)-specific requirements.
How you create policies for DFS(R) depends on the key manager that you are using.
Procedure Using CipherTrust Manager
- Log into the CipherTrust Manager Console and switch to the correct domain, if required.
- Select Keys and select a symmetric key to use to encrypt the data, or create a new key to use for the DFS(R) namespace.
- Launch the Transparent Encryption application.
- In the left-hand menu bar, click Policies.
- To create the initial data encryption policy, click Create Policy and enter the following information. The following example assumes you are using `dataxform` to encrypt the data in place. If you are using the copy or restore encryption method, create your initial data transformation policy as described in the CTE Data Transformation Guide.
  - In the Name field, enter a name for the policy. This example uses `DFS(R)-Std-Initial`.
  - In the Policy Type field, select Standard.
  - Enable the Data Transformation option.
  - Click Next.
  - On the Security Rules page, make sure there is a security rule with the action `key_op` and the effect `permit, applykey`. If CipherTrust Manager did not add this security rule automatically, go back to the General Info page and make sure that the Data Transformation option is enabled.
  - On the Security Rules page, click Create Security Rule and add another security rule that prevents any other process from accessing the data while it is being encrypted:
    - In the Action field, click Select and choose `all_ops`.
    - In the Effect field, click Select and choose `Deny`.
    - When you are done, click Add to save the security rule.
  - Click Next.
  - On the Key Rules page, click Create Key Rule. In the Current Key Name field, click Select and choose `clear_key`. In a DFS(R) environment, you must apply the initial encryption policy on unencrypted data ONLY (the current key must be set to `clear_key`). If your data is already encrypted, you must decrypt it and completely remove the existing GuardPoint before re-encrypting the data with a new key from scratch. For details, see Considerations with DFS(R).
  - Click Add to save the key rule.
  - Click Next.
  - On the Data Transformation page, click Create Data Transformation Rule. In the Transformation Key Name field, click Select and choose the symmetric key you want to use for data transformation.
  - Click Add to save the data transformation rule.
  - Click Next.
  - Verify the policy information and click Save to save the initial encryption policy.
- To create the production policy, click Create Policy and enter the following information.
  - In the Name field, enter a name for the policy. This example uses `DFS(R)-Std-Policy`.
  - In the Policy Type field, select Standard.
  - Click Next.
  - On the Security Rules page, click Create Security Rule and add the following security rule:
    - In the User Set field, click Select and choose the user set you created that contains NT AUTHORITY. For details, see Creating Required DFS(R) Policy Components.
    - In the Process Set field, click Select and choose the process set you created that contains the required DFS(R) processes `dfsrs.exe` and `ntoskrnl.exe`.
    - In the Effect field, click Select and choose Permit.
    - Click Add.
  - Add any other security rules you need to your policy. When you have added all your security rules, click Next.
  - On the Key Rules page, click Create Key Rule. In the Current Key Name field, click Select and choose the symmetric key you used to encrypt the data in the initial data encryption policy.
  - Verify the policy information and click Save to save the production policy.
- To allow the system and users to access the metadata on files and folders under the DFS(R) path, you can include the metadata rule. Apply Key is not required because file and folder metadata is never encrypted.

  | Rule | Permissions | Description |
  |------|-------------|-------------|
  | Action | `f_rd_attr,f_rd_sec,d_rd,d_rd_attr,d_rd_sec` | Allows all metadata read operations |
  | Effect | Permit | Allows metadata reads on files and folders. |
When you have both policies ready, you can create the required DFS(R) GuardPoints as described in Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology or Creating Standard GuardPoints with the DFS(R) Full Mesh Topology.
DFS(R) GuardPoint Considerations
Remember the following when configuring GuardPoints on protected data. Doing so ensures reliable replication of guarded data:
- A GuardPoint may not be placed on any replicated folder on the BOOT drive. If the replication point is currently `C:\`, consider moving it to another volume on the server (any non-BOOT drive) and use DFS utilities to re-populate any new namespace or target folder configurations. Then apply a GuardPoint to the replicated folder (dataxform or st_policy).
- When a GuardPoint is not applied to an entire drive, ensure a sub-folder in the GuardPoint, named `DFS(R) private`, is also guarded with the same policy that is applied to the VDS GuardPoint. `DFS(R) private` is a hidden sub-folder immediately below the DFS(R) GuardPoint that is auto-generated when you configure a folder as a DFS(R) GuardPoint. DFS(R) keeps intermediate configuration/state files in this sub-folder. The data in this folder constitutes an unstructured matchup of all data (and their deltas) organized in the DFS folders. Objects therein do not resemble their logical counterparts. Guarding this directory, however, is recommended, and will encrypt the data as intended.

  Example

  - If the DFS(R) GuardPoint and the CTE GuardPoint are both `F:\data`, apply the same policy to `F:\data\DFS(R) private` that you applied to `F:\data`.
  - If the GuardPoint is `F:\data` and the DFS(R) GuardPoint is `F:\data\data2`, apply the same policy to `F:\data\data2\DFS(R) private` that you applied to `F:\data`.

  These rules apply only in situations in which the CTE GuardPoint and the DFS(R) GuardPoint are sub-directories. You do not need to guard the `DFS(R) private` sub-folder when the DFS(R) GuardPoint and the CTE GuardPoint are applied to the entire drive (e.g., both are the `F:\` drive).
- A CTE GuardPoint must be the same as the DFS(R) GuardPoint configured on a folder, or the DFS(R) GuardPoint must be a sub-folder nested beneath the GuardPoint. Do not apply a GuardPoint on a sub-folder of the DFS(R) GuardPoint. Three consistency rules for GuardPoints on DFS folders:

  | DFS(R) GuardPoint | CTE GuardPoint | Works |
  |-------------------|----------------|-------|
  | `F:\` | `F:\` | Yes |
  | `F:\data` | `F:\` | Yes |
  | `F:\` | `F:\data` | No |

Tip

- Administrators can accelerate replication completion by pre-populating target folders (seeding) with backup data.
- Always have a full backup of data in the hub node prior to restoring to a spoke.
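The placement rules above are easy to get wrong when a server has several replicated folders, so here is an added example (not Thales tooling, and not part of this documentation) that encodes them as a pre-deployment check. It assumes `C:` is the boot drive, uses the folder name `DFS(R) private` exactly as this page gives it, and takes the currently configured GuardPoints as a constructed mapping of path to policy name. It flags a replicated folder on the boot drive, a CTE GuardPoint placed below the DFS(R) GuardPoint (the "No" row of the table), and a missing or mismatched policy on the hidden `DFS(R) private` sub-folder whenever the CTE GuardPoint is not a whole drive.

```python
"""Consistency check for CTE GuardPoints on DFS(R) replicated folders.

Added example, not Thales' own tooling. Rules encoded:
1. No GuardPoint on a replicated folder on the boot drive (assumed C:).
2. The CTE GuardPoint must equal the DFS(R) GuardPoint or contain it;
   a CTE GuardPoint below the DFS(R) GuardPoint is not allowed.
3. When the CTE GuardPoint is not a whole drive, the hidden
   "DFS(R) private" sub-folder under the DFS(R) GuardPoint must carry
   the same policy as the CTE GuardPoint.
"""
import ntpath  # pure Windows-path functions; works on any platform

BOOT_DRIVE = "C:"               # assumption for this example
PRIVATE_DIR = "DFS(R) private"  # folder name as given on the page


def _norm(path):
    """Normalise a Windows path: backslashes, no trailing separator
    (except a drive root), lower-case for case-insensitive comparison."""
    p = ntpath.normpath(path).rstrip("\\")
    drive, tail = ntpath.splitdrive(p)
    if not tail:
        p = drive + "\\"
    return p.lower()


def _is_drive_root(p):
    return ntpath.splitdrive(p)[1] in ("\\", "")


def _is_within(child, parent):
    """True if child equals parent or is nested beneath it."""
    if child == parent:
        return True
    if _is_drive_root(parent):
        return ntpath.splitdrive(child)[0] == ntpath.splitdrive(parent)[0]
    return child.startswith(parent + "\\")


def check_dfsr_guardpoint(dfsr_folder, cte_guardpoint, guards):
    """Return a list of findings; an empty list means the layout is consistent.

    guards: mapping of configured GuardPoint path -> policy name.
    """
    findings = []
    dfsr = _norm(dfsr_folder)
    cte = _norm(cte_guardpoint)
    guarded = {_norm(p): policy for p, policy in guards.items()}

    # Rule 1: replicated folders must not live on the boot drive.
    if ntpath.splitdrive(dfsr)[0] == BOOT_DRIVE.lower():
        findings.append(f"{dfsr_folder}: replicated folder is on the boot drive; "
                        "move it to another volume")

    # Rule 2: CTE GuardPoint must be the DFS(R) GuardPoint or a parent of it.
    if not _is_within(dfsr, cte):
        findings.append(f"{cte_guardpoint}: CTE GuardPoint must be the DFS(R) "
                        "GuardPoint or a parent of it, never a sub-folder")
        return findings  # the remaining check assumes valid nesting

    policy = guarded.get(cte)
    if policy is None:
        findings.append(f"{cte_guardpoint}: no GuardPoint configured on this path")
        return findings

    # Rule 3: unless the CTE GuardPoint covers a whole drive, the hidden
    # state folder under the DFS(R) GuardPoint needs the same policy.
    if not _is_drive_root(cte):
        private = _norm(ntpath.join(dfsr, PRIVATE_DIR))
        if guarded.get(private) != policy:
            findings.append(f"{ntpath.join(dfsr_folder, PRIVATE_DIR)}: must be "
                            f"guarded with policy '{policy}' (same as {cte_guardpoint})")
    return findings


def example_scenarios():
    """Constructed configurations mirroring the page's examples and table."""
    P = "DFS(R)-Std-Policy"
    return {
        "both_whole_drive": check_dfsr_guardpoint("F:\\", "F:\\", {"F:\\": P}),
        "nested_ok": check_dfsr_guardpoint("F:\\data", "F:\\", {"F:\\": P}),
        "reversed": check_dfsr_guardpoint("F:\\", "F:\\data", {"F:\\data": P}),
        "same_folder_ok": check_dfsr_guardpoint(
            "F:\\data", "F:\\data",
            {"F:\\data": P, "F:\\data\\DFS(R) private": P}),
        "missing_private": check_dfsr_guardpoint(
            "F:\\data\\data2", "F:\\data", {"F:\\data": P}),
        "private_ok": check_dfsr_guardpoint(
            "F:\\data\\data2", "F:\\data",
            {"F:\\data": P, "F:\\data\\data2\\DFS(R) private": P}),
        "boot_drive": check_dfsr_guardpoint(
            "C:\\repl", "C:\\repl",
            {"C:\\repl": P, "C:\\repl\\DFS(R) private": P}),
    }


if __name__ == "__main__":
    for name, findings in example_scenarios().items():
        print(f"{name}: {'OK' if not findings else findings}")
```

Run the check against the intended layout before creating GuardPoints; the reversed-nesting and boot-drive cases are the ones that silently break replication rather than failing at configuration time.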