Encrypting CIFS with CTE Windows using LDT policies
This feature allows you to protect CIFS shares with CTE using LDT policies.
Network Setup for CIFS shares Mapped to Multiple IP addresses
The following illustration shows how to set up your network. The table below explains the setup in more detail:
In the above sample diagram:
| # | Description |
|---|---|
| 1 | LDT nodes are connected to Network 1 and Network 2 |
| 2 | The CIFS server is connected to both Network 1 and Network 2, and has one IP address on each network |
| 3 | The CIFS server may also be connected to more networks, depending on the use case and requirements |
| 4 | CipherTrust Manager can be connected to Network 1, Network 2, or some other network |
| 5 | Nodes on Network 1 and Network 2 can reach CipherTrust Manager, and vice versa |
Considerations
- If a share is mounted on multiple clients, the mount paths must be identical on each client.
- You must apply GuardPoints on a share to each client where the share is mounted. You can achieve this by using client groups on CipherTrust Manager.
- You can apply GuardPoints either on the base mount folder of the share, or on one of its sub-folders.
- Administrators must ensure that CIFS mounts persist across reboots. Failure to do so might result in a GuardPoint not starting or pointing to incorrect paths.
Assumptions for this example
- Configure LDT over CIFS on 4 nodes installed with CTE v7.6, or a subsequent version, with valid LDT licenses.
- All CTE agents have LDT enabled and are registered to a CipherTrust Manager with v2.16.0, or a subsequent version.
- The CIFS server is set up and a path is exported. For this example we used:
  Path: \\myserver\sharedfolder
  CIFS server IP: 10.1.1.1
- In CTE, create a few folders and sample files to contain data inside this mounted path.
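The network requirements in the table and the mount considerations above can be checked from each LDT node before any GuardPoint is created. The following PowerShell preflight script is an added example, not Thales' or CTE's own tooling; the second server address 10.2.1.1, the CipherTrust Manager host name (a placeholder) and its TCP port 443 are assumptions.

```powershell
# Added preflight check; not Thales' or CTE's own tooling. Assumed values: the CIFS
# server answers on 10.1.1.1 (Network 1, from the page) and 10.2.1.1 (Network 2,
# assumed), the share is "sharedfolder", GuardPoints sit in "guardpoint1", and
# CipherTrust Manager is the placeholder host below, reached on TCP 443 (assumed).
$CifsServerIps = @('10.1.1.1', '10.2.1.1')
$ShareName     = 'sharedfolder'
$GuardPointSub = 'guardpoint1'
$CmHost        = 'cm.example.invalid'   # placeholder, replace with your CipherTrust Manager

function Test-LdtCifsPrereqs {
    param([string[]]$ServerIps, [string]$Share, [string]$GuardSub, [string]$ManagerHost)
    $shares = foreach ($ip in $ServerIps) {
        $sharePath = "\\$ip\$Share"
        $gpPath    = Join-Path $sharePath $GuardSub
        # SMB is TCP 445; every LDT node must reach the server on its own network.
        $smb = Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{
            ServerIp         = $ip
            SmbReachable     = $smb.TcpTestSucceeded
            ShareAccessible  = Test-Path -LiteralPath $sharePath
            GuardPointExists = Test-Path -LiteralPath $gpPath
            GuardPointPath   = $gpPath    # must be spelled identically on every client
        }
    }
    # Table item 5: nodes on both networks and CipherTrust Manager must reach each other.
    $cm = Test-NetConnection -ComputerName $ManagerHost -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ ManagerHost = $ManagerHost; ManagerReachable = $cm.TcpTestSucceeded; Shares = $shares }
}

# A non-persistent mapping disappears at reboot and leaves the GuardPoint pointing at
# nothing. Windows records persistent per-user drive mappings under HKCU:\Network.
function Test-PersistentMapping {
    param([string]$RemotePath)
    $mapping = Get-SmbMapping | Where-Object { $_.RemotePath -ieq $RemotePath } | Select-Object -First 1
    if (-not $mapping) { return $false }
    $letter = $mapping.LocalPath.TrimEnd(':')
    return (Test-Path -LiteralPath "HKCU:\Network\$letter")
}

$report = Test-LdtCifsPrereqs -ServerIps $CifsServerIps -Share $ShareName -GuardSub $GuardPointSub -ManagerHost $CmHost
$report.Shares | Format-Table -AutoSize
"CipherTrust Manager reachable: $($report.ManagerReachable)"
foreach ($ip in $CifsServerIps) {
    "Persistent mapping for \\$ip\$ShareName : $(Test-PersistentMapping -RemotePath "\\$ip\$ShareName")"
}
```

Run it on every node in the LDT Communication Group and compare the GuardPointPath column across nodes; any difference violates the identical-mount-path consideration.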
Setup
CipherTrust Transparent Encryption Installation and Configuration
- Log on to the host as a Windows user with System Administrator privileges.
- Copy the CTE installation file onto the Windows system.
- Double-click the installation file. The InstallShield Wizard for CipherTrust Transparent Encryption opens.
- Verify the version of CTE you are installing and click Next.
- On the License Agreement page, accept the License Agreement and click Next.
- Click Next to accept the default folder. When you are done, click Next.
  Note
  - Thales recommends that you install CTE in the default installation directory, C:\Program Files\Vormetric\DataSecurityExpert\agent\
  - You must install the CTE Agent on the same drive as Windows. For example, if Windows is installed on the C: drive, you must install the CTE Agent on the C: drive.
- On the Ready to Install page, click Install. When the installation is finished, the InstallShield Wizard Completed window opens.
- On the InstallShield Wizard Completed page, make sure the Register CipherTrust Transparent Encryption now option is selected and click Finish. The installer opens the Register CipherTrust Transparent Encryption wizard.
Create a CIFS connection with CIFS credentials
- Log on to CipherTrust Manager.
- In the left nav-bar, click Access Management > Connections.
- Select + Add Connection.
- In the Select Connection Type, click More.
- From the Select Connection dropdown, select CIFS/SMB and click Next.
- In the General Info section, enter the Name and Description for the connection and click Next.
- In the Configure Connection page, enter valid values for:
  - Host: IP or FQDN of the SMB share server.
  - Port: The port where the SMB service is running on the host.
    Note
    The Host and Port fields must be specified together. If Host and Port are not specified while creating a connection, these fields cannot be added later.
  - Username: Username to access the SMB share.
  - Password: Password to access the SMB share.
  - Domain: Workgroup or domain under which the username is configured. It is an optional field.
  - Click Test Credentials to validate the connection. If the test is successful, the status is OK; otherwise the status is Fail.
    Note
    The Host, Port, and Test Credentials fields are mandatory for testing the connection credentials.
- Click Add Connection.
CipherTrust Manager Configuration
Perform the following steps on a CipherTrust Manager to create GuardPoints on the two clients.
- Make these clients part of an LDT Communication Group. Ensure that all of the clients that will access the same GuardPoint are contained in the same LDT Communication Group.
  - Log on to CipherTrust Manager, click Products > Transparent Encryption > Client Groups, and click Create Client Group.
  - Enter the following information:
    - Name for the client group
    - Cluster Type: Non Cluster
    - Client profile: DefaultClientProfile or an alternative profile
  - Click Next and select the clients that you want to include in the Client Group.
  - Click Next and select Inherit Client Group Settings.
  - Click OK and then click Create GuardPoint.
  - In the Add GuardPoint window:
    a. Select an LDT policy which provides access to the designated user set.
    b. Use a CBC-CS1 key set for encryption.
    c. Select a client.
    d. Enter a path for the GuardPoint such as: \\myserver\sharedfolder\guardpoint1
    e. Click Create and then Next. The GuardPoint displays in the client group.
  - Click Membership to see the individual clients of the client group.
  - Click GuardPoints and then click on any client name to see the status of its GuardPoints.
- In the CTE navigation pane, click Policies -> Policy Elements and create a resource set.
- Click Policies and create an LDT policy:
  - Create a Security rule with a user set. Select the following for your security rule:
    - uname: cte-userset
    - Action: all-ops
    - Effect: permit, applykey
  - Create a Key Rule with the following:
    - Current key: clear_key
    - Transformation Key: Create a new CBC_CS1 key and select it as the Transformation Key
- In CTE, check that the agents are configured properly and verify the LDT Communication Group information, type:
- On CipherTrust Manager, in the Client Group that you created, create a GuardPoint.
  The GuardPoint is now created on CipherTrust Manager.
- Apply GuardPoints in both client groups using the respective network IP addresses.
- Access the protected CIFS path using the respective IP addresses.
Key Rotation
Adding a new key version on CipherTrust Manager triggers key rotation on the guarded path(s) at the agent. The key rotation operation generates a new version of the key with the same key name and attributes, but with new key material.
To add a new key version:
- Open the CipherTrust Manager Key Manager application.
- In the left pane, click Keys.
- Select the desired key.
- Click Add a new key version. The key version is rotated.
- On the CTE agent, you can track the rekey:
Access and Verification
- In the CTE client, check the logs for new policies and GuardPoints, type:
  The new GuardPoint should be listed as Active.
- Access the CIFS share directly on the CIFS server. Access any file within the GuardPoint as a user other than root. Open the file with Notepad and observe that it is encrypted.
- Access the CIFS share from one of the Windows clients. Open the file with Notepad and observe that it is encrypted.
- Check the LDT rekey status, type:
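The Notepad check above can be made repeatable with the following PowerShell helper, an added example that is not part of CTE or of the page's procedure: it reports whether a file's bytes look like ciphertext, so you can run it on the CIFS server against the share's local path and on a CTE client against the GuardPoint path and compare the results. The file path is assumed and sample.txt is a constructed name.

```powershell
# Added verification helper; not part of CTE or of the page's own procedure. Run it on
# the CIFS server against the share's local path, and on a CTE client against the
# GuardPoint path, to see what each view actually reads. The path at the bottom is
# assumed and "sample.txt" is a constructed file name.
function Get-ByteEntropy {
    # Shannon entropy in bits per byte: English text sits around 4-5, ciphertext near 8.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[[int]$b] = 1 + [int]$counts[[int]$b] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Bytes.Length
        $entropy -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($entropy, 3)
}

function Get-FileEncryptionIndicator {
    param([string]$Path, [int]$SampleBytes = 65536)
    # Only the first chunk is inspected; that is enough for a verdict on large files.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $SampleBytes
        $read   = $stream.Read($buffer, 0, $SampleBytes)
    } finally { $stream.Dispose() }
    if ($read -eq 0) { throw "File is empty: $Path" }
    [byte[]]$bytes = $buffer[0..($read - 1)]
    $printable = @($bytes | Where-Object { ($_ -ge 32 -and $_ -le 126) -or $_ -in 9, 10, 13 }).Count
    $ratio     = [math]::Round($printable / $bytes.Length, 3)
    [pscustomobject]@{
        Path           = $Path
        Sha256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Entropy        = Get-ByteEntropy $bytes
        PrintableRatio = $ratio
        # The Notepad "looks encrypted" test made measurable: random bytes are about
        # 37% printable, text files close to 100%. The server view and the client view
        # the page describes should both report $true; a user in the policy's user set
        # (permit, applykey) reading through the GuardPoint should report $false.
        LooksEncrypted = ($ratio -lt 0.75)
    }
}

Get-FileEncryptionIndicator -Path '\\10.1.1.1\sharedfolder\guardpoint1\sample.txt'
```

Compare the Sha256 values between the views as well: identical hashes on the server and on a permitted client would mean the GuardPoint is not applying the key on that client.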