Creating Policies for Standard Encryption with CipherTrust Manager

When you use standard encryption, you need to create two policies:

• The initial encryption policy specifies the current encryption key (if any) and the encryption key you want CTE to use when it encrypts the data. This policy also denies access to any other process trying to access the GuardPoint.

  You apply the initial encryption policy when you first create the GuardPoint, and you leave it in place until all of the data has been encrypted. After that, you remove this policy from the GuardPoint.

• The production policy specifies the same encryption key as the initial encryption policy along with any security rules you want to use to protect your data. After the initial encryption has completed, you apply the production policy to the GuardPoint and allow users and applications to access the now-protected data.

Creating the Initial Encryption Policy

1. Log into CipherTrust Manager and launch the CTE application.

2. In the left-hand menu bar, click Policies.

3. Click Create Policy.

4. For Name, make sure you use a name that clearly designates this as an initial-encryption policy and not a production policy. You will need to be able to find this policy name from the list of all available policies when you create the GuardPoint.

5. For Policy Type, select Standard.

6. Enable the Data Transformation check box.

7. Click Next to go to the Security Rules page. CipherTrust Manager should have automatically added a security rule for Action: key_op, Effect: permit,applykey. If this security rule is not there, click Back and make sure you have enabled the Data Transformation check box.

8. Click Create Security Rule and do the following:

   1. In the Action field, select all_ops.

   2. In the Effect field, select deny.

   3. Click Add to return to the Security Rules page.

   You should now have two security rules, as shown:

   

9. Click Next to go to the Key Rules page.

10. Click Create Key Rule.

11. In Current Key Name, click Select to specify the current encryption key used for the data. If the data is unencrypted, specify clear_key as the encryption key. When you are done, click Add. For example:

    

    You can also create a new key at this point if desired. For details on creating an encryption key, see your CipherTrust Manager documentation.

12. Click Next to go to the Data Transformation page.

13. Click Create Data Transformation Rule.

14. In the Transformation Key Name field select the encryption key you want to use to encrypt the data. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted. For example, if you want to encrypt the data with the key CS1_AES256, you would specify the following transformation rule:

    

15. Click Next to go to the Confirmation page.

16. Verify your selections and click Save to save the policy.

Creating the Production Policy

1. Launch the CTE application.

2. In the left-hand menu bar, click Policies.

3. Click Create Policy.

4. For Name, make sure you use a name that clearly designates this as a production policy and not an initial encryption policy. You will need to be able to find this policy name from the list of all available policies when you create the GuardPoint.

5. For Policy Type, select Standard.

6. Click Next to go to the Security Rules page. Enter the security rules you want to use based on your production environent requirements. You can add as many security rules as you need to define who should have access to the protected data.

7. When you are done, click Next to go to the Key Rules page.

8. Click Create Key Rule.

9. In Key Name field, click Select to specify the encryption key used to transform the data in the initial encryption policy. When you are done, click Add. For example:

   

10. Click Next to go to the Data Transformation page.

11. Click Create Data Transformation Rule.

12. In the Transformation Key Name field select the encryption key you want to use to encrypt the data. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted. For example, if you want to encrypt the data with the key CS1_AES256, you would specify the following transformation rule:

    

13. Click Next to go to the Confirmation page.

14. Verify your selections and click Save to save the policy.