Setting up Microsoft DPM with CTE
Microsoft System Center Data Protection Manager (DPM) is a robust enterprise backup and recovery system that contributes to your BCDR (Business Continuity and Disaster Recovery) strategy by facilitating the backup and recovery of enterprise data. The DPM is a server-agent configuration setup. DPM agent is usually pushed over to the managed host by the DPM server. See Data Protection Manager for more information.
Prerequisite
If you are using LDT, create two new LDT policies. If you are not using LDT, create two new standard policies.
LDT No-View policy
-
In CipherTrust Manager, create a new LDT policy.
-
In that policy, create a process set called DPM process which contains the following directory and file:
Directory File C:\Program Files\Microsoft Data Protection Manager\DPM\bin DPMRA.exe -
Create a security rule for a noview key that contains the following criteria:
Order Field Value 1 Action key_op Effect permit, applykey 2 Process Set DPM process Action all_ops Effect permit, audit 3 Action all_ops Effect permit, applykey, audit 4 Action all_ops Effect deny, audit Once you have the policy with the Process Set (No-View) rule applied, you can guard any directory, disk, or even a bare metal system backup and recovery, and the encrypted data is backed up.
LDT Open Policy
-
In CipherTrust Manager, create a new LDT policy.
-
Create a security rule for an open key, (where the backup job backs up decrypted data to clear format), that contains the following criteria:
Order Field Value 1 Action key_op Effect permit, applykey 2 Action all_ops Effect permit, applykey, audit 3 Action all_ops Effect deny, audit
If you use an open security rule, the backed up data is not encrypted. You can restore the backup job to a baseline directory. It is clear and readable.
Standard No-View Policy
-
In CipherTrust Manager, create a new standard policy.
-
In that policy, create a process set called DPM process which contains the following directory and file:
Directory File C:\Program Files\Microsoft Data Protection Manager\DPM\bin DPMRA.exe -
Create a security rule for a noview key, (where the backup job backs up the encrypted data), that contains the following criteria:
Order Field Value 1 Process Set DPM process Action all_ops Effect permit, audit 2 Action all_ops Effect permit, applykey, audit 3 Action all_ops Effect deny, audit
Once you have the policy with the Process Set (No-View) rule applied, you can guard any directory, disk, or even a bare metal system backup and recovery, and the encrypted data is backed up.
Standard Open Policy
If you are not using LDT, create a standard policy:
-
In CipherTrust Manager, create a new standard policy.
-
Create a security rule for an open key, (where the backup job backs up decrypted data to clear format), that contains the following criteria:
Order Field Value 1 Action all_ops Effect permit, applykey, audit 1 Action all_ops Effect deny, audit
If you use an open security rule, the backed up data is not encrypted. You can restore the backup job to a baseline directory. It is clear and readable.
Installing and Setting up CipherTrust Transparent Encryption
-
Copy dataset
E:\office2007_bk
folder toE:\data folder
. -
Install Windows CTE agent and register the host to your key manager.
-
Convert the
VMLFS
driver toVMFILTR
driver:voradmin config enable vmfiltr
Response
migrating to vmfiltr !!! System reboot required !!!
-
Using the policy that you created in the Prerequisites section, guard the
to E:\data
folder
Installing and Configuring DPM
- Setup and configure DPM v2022 for your Windows 2019 Server.
Setting up DPM
-
Start System Center 2022 DPM Administrator Console.
-
Add a DPM Storage pool volume:
-
Click Management > Disk Storage > Add.
-
Select an available volume (ex. F:) and click OK.
-
Click Yes to allow DPM to format the volume before adding it to storage pool.
-
-
Create a Protection Group.
-
Click Protection > New and click Next.
-
Select Server and click Next.
-
Select All volumes >
E:\data
and click Next. -
Enter the Protection group name (ex. Protection Group 1) and click Next.
-
Click Specify Short-term Goals and click Next.
-
Choose Replica Creation Method (Automatically or manual) and click Next.
-
Select Run a consistency check if a replica becomes inconsistent or Run a daily consistency check according to the following schedule and click Next.
-
-
Click Create Group.
-
Set up Recovery:
-
Click Recovery > Select Recover and click Next.
-
In Review Recovery Selection, select Recover to the original location or Recover to an alternate location and then enter the alternate location in the field and click Next.
-
Select recovery type:
-
Create Copy
-
Skip
-
Overwrite
-
-
Click Recover to start.
-
Validating Setup
-
Run Windiff to compare the original dataset
E:\office2007_bk
folder and recovery GuardPointE:\data
folder. Make sure that there is no data corruption. -
View a text file from
E:\restore
. Make sure that you see cipher text. -
Using the policy that you created in the Prerequisites section, guard the
E:\restore
folder. -
View a text file from GuardPoint
E:\restore
folder and make sure that you see clear text. -
Run Windiff again to compare GuardPoint
E:\data
folder and the recovery GuardPointE:\restore
folder. Make sure that there is no data corruption. -
Update GuardPoint
E:\data
folder by adding, deleting or modifying a text file. -
In DPM, click Protection, then right-click on
E:\data
and select Create recovery point. -
Choose Create a recovery point after synchronizing and click OK.
-
Click Recovery, then right-click on
E:\data
and select Show All Recovery Points. -
Select latest protection and click Recovery > Select Recover and click Next.
-
In Review Recovery Selection, select Recover to the original location or Recover to an alternate location and then enter the alternate location in the field. Click Next.
-
Select recovery type:
-
Create Copy
-
Skip
-
Overwrite
-
-
Click Recover to start.
-
Using the policy that you created in the Prerequisites section, guard the
E:\restore1
folder. -
Run Windiff to compare the GuardPoint
E:\data
folder and recovery GuardPointE:\restore1\data
folder. Make sure that there is no data corruption.