Setting up Microsoft DPM with CTE

Microsoft System Center Data Protection Manager (DPM) is a robust enterprise backup and recovery system that contributes to your BCDR (Business Continuity and Disaster Recovery) strategy by facilitating the backup and recovery of enterprise data. The DPM is a server-agent configuration setup. DPM agent is usually pushed over to the managed host by the DPM server. See Data Protection Manager for more information.

Prerequisite

If you are using LDT, create two new LDT policies. If you are not using LDT, create two new standard policies.

LDT No-View policy

1. In CipherTrust Manager, create a new LDT policy.

2. In that policy, create a process set called DPM process which contains the following directory and file:

   Directory	File
   C:\Program Files\Microsoft Data Protection Manager\DPM\bin	DPMRA.exe

3. Create a security rule for a noview key that contains the following criteria:

   Order	Field	Value
   1	Action	key_op
   	Effect	permit, applykey
   2	Process Set	DPM process
   	Action	all_ops
   	Effect	permit, audit
   3	Action	all_ops
   	Effect	permit, applykey, audit
   4	Action	all_ops
   	Effect	deny, audit

   Note

   Once you have the policy with the Process Set (No-View) rule applied, you can guard any directory, disk, or even a bare metal system backup and recovery, and the encrypted data is backed up.

LDT Open Policy

1. In CipherTrust Manager, create a new LDT policy.

2. Create a security rule for an open key, (where the backup job backs up decrypted data to clear format), that contains the following criteria:

   Order	Field	Value
   1	Action	key_op
   	Effect	permit, applykey
   2	Action	all_ops
   	Effect	permit, applykey, audit
   3	Action	all_ops
   	Effect	deny, audit

Standard No-View Policy

1. In CipherTrust Manager, create a new standard policy.

2. In that policy, create a process set called DPM process which contains the following directory and file:

   Directory	File
   C:\Program Files\Microsoft Data Protection Manager\DPM\bin	DPMRA.exe

3. Create a security rule for a noview key, (where the backup job backs up the encrypted data), that contains the following criteria:

   Order	Field	Value
   1	Process Set	DPM process
   	Action	all_ops
   	Effect	permit, audit
   2	Action	all_ops
   	Effect	permit, applykey, audit
   3	Action	all_ops
   	Effect	deny, audit

Standard Open Policy

If you are not using LDT, create a standard policy:

1. In CipherTrust Manager, create a new standard policy.

2. Create a security rule for an open key, (where the backup job backs up decrypted data to clear format), that contains the following criteria:

   Order	Field	Value
   1	Action	all_ops
   	Effect	permit, applykey, audit
   1	Action	all_ops
   	Effect	deny, audit

Installing and Setting up CipherTrust Transparent Encryption

1. Copy dataset E:\office2007_bk folder to E:\data folder.

2. Install Windows CTE agent and register the host to your key manager.

3. Using the policy that you created in the Prerequisites section, guard the to E:\data folder

Installing and Configuring DPM

• Setup and configure DPM v2022 for your Windows 2019 Server.

Setting up DPM

1. Start System Center 2022 DPM Administrator Console.

2. Add a DPM Storage pool volume:

   1. Click Management > Disk Storage > Add.

   2. Select an available volume (ex. F:) and click OK.

   3. Click Yes to allow DPM to format the volume before adding it to storage pool.

3. Create a Protection Group.

   1. Click Protection > New and click Next.

   2. Select Server and click Next.

   3. Select All volumes > E:\data and click Next.

   4. Enter the Protection group name (ex. Protection Group 1) and click Next.

   5. Click Specify Short-term Goals and click Next.

   6. Choose Replica Creation Method (Automatically or manual) and click Next.

   7. Select Run a consistency check if a replica becomes inconsistent or Run a daily consistency check according to the following schedule and click Next.

4. Click Create Group.

5. Set up Recovery:

   1. Click Recovery > Select Recover and click Next.

   2. In Review Recovery Selection, select Recover to the original location or Recover to an alternate location and then enter the alternate location in the field and click Next.

   3. Select recovery type:

      • Create Copy

      • Skip

      • Overwrite

   4. Click Recover to start.

Validating Setup

1. Run Windiff to compare the original dataset E:\office2007_bk folder and recovery GuardPoint E:\data folder. Make sure that there is no data corruption.

2. View a text file from E:\restore. Make sure that you see cipher text.

3. Using the policy that you created in the Prerequisites section, guard the E:\restore folder.

4. View a text file from GuardPoint E:\restore folder and make sure that you see clear text.

5. Run Windiff again to compare GuardPoint E:\data folder and the recovery GuardPoint E:\restore folder. Make sure that there is no data corruption.

6. Update GuardPoint E:\data folder by adding, deleting or modifying a text file.

7. In DPM, click Protection, then right-click on E:\data and select Create recovery point.

8. Choose Create a recovery point after synchronizing and click OK.

9. Click Recovery, then right-click on E:\data and select Show All Recovery Points.

10. Select latest protection and click Recovery > Select Recover and click Next.

11. In Review Recovery Selection, select Recover to the original location or Recover to an alternate location and then enter the alternate location in the field. Click Next.

12. Select recovery type:

    • Create Copy

    • Skip

    • Overwrite

13. Click Recover to start.

14. Using the policy that you created in the Prerequisites section, guard the E:\restore1 folder.

15. Run Windiff to compare the GuardPoint E:\data folder and recovery GuardPoint E:\restore1\data folder. Make sure that there is no data corruption.