Encrypting NAS NFS with CTE Linux using LDT policies
This reference page describes the initial transformation (migration) and the subsequent key rotation when encrypting data in a shared NAS folder exported over NFS with CTE, using Live Data Transformation (LDT) policies to define how the clients transform the data.
Considerations
- CipherTrust Transparent Encryption supports NFS v3 and v4.
- NFS supports auto-mounted shares.
- If a share is mounted on multiple clients, the mount paths must be identical on each client.
- You must apply GuardPoints on a share to each client where the share is mounted. You can achieve this by using client groups on CipherTrust Manager.
- You can apply GuardPoints either on the base mount folder of the share, or on one of its sub-folders.
- Administrators must ensure that NFS mounts persist across reboots. Otherwise a GuardPoint might not start, or might point to incorrect paths.
- NFS servers installed on CTE-compatible Linux platforms cannot export an NFS share from a path that contains a GuardPoint.
Assumptions for this example
- LDT over NFS is configured on 4 nodes installed with CTE v7.6 or a subsequent version, with valid LDT licenses.
- All CTE agents have LDT enabled and are registered to a CipherTrust Manager v2.16.0 or a subsequent version.
- An NFS server is set up and a path is exported. This example uses:
  Path: /opt/testData/sharedFolder/
  NFS server IP: 10.1.1.1
- The share is mounted at the same path on every CTE client, for example:
  /root/test_nfs/
- Test the export from the client machine using the command:
  showmount -e <NFS_server_IP_address>
- On the CTE client, create a few folders and sample files inside this mounted path so that there is data to transform.
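The following script is added here as an example; it is not part of the Thales documentation or of the CTE product. Before the GuardPoint is created, it checks on a client the prerequisites listed above: the export is visible with showmount, the share is mounted with NFS v3 or v4 (the versions CTE supports), the mount is recorded in /etc/fstab so that it persists across reboots, and, given "host path" lines collected from the other nodes, that every client uses the identical mount path. The server, export and mount point default to this page's example values; the fstab and /proc/mounts lines used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example, not Thales code: pre-flight checks on a CTE client for an NFS
# share that is about to carry an LDT GuardPoint. Defaults are this page's
# example values; override them through the environment.
NFS_SERVER="${NFS_SERVER:-10.1.1.1}"
NFS_EXPORT="${NFS_EXPORT:-/opt/testData/sharedFolder/}"
MOUNTPOINT="${MOUNTPOINT:-/root/test_nfs/}"

# Drop a trailing slash so "/root/test_nfs/" and "/root/test_nfs" compare equal.
norm() { p="${1%/}"; printf '%s\n' "${p:-/}"; }

# CTE supports NFS v3 and v4 only; $1 is the vers= value from the mount options.
nfs_vers_supported() {
  case "$1" in
    3|4|4.0|4.1|4.2) return 0 ;;
    *) return 1 ;;
  esac
}

# Read fstab text on stdin; succeed when SERVER:EXPORT is configured to mount at
# MOUNTPOINT with fstype nfs or nfs4, i.e. the mount comes back after a reboot.
fstab_has_persistent_mount() {  # $1 server  $2 export  $3 mountpoint
  awk -v src="$1:$(norm "$2")" -v mp="$(norm "$3")" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    NF >= 3 && $3 ~ /^nfs4?$/ {
      s = $1; sub(/\/$/, "", s); m = $2; sub(/\/$/, "", m)
      if (s == src && m == mp) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Read /proc/mounts text on stdin; print the NFS version the share is mounted
# with at MOUNTPOINT, or nothing if it is not mounted there.
mounted_nfs_version() {  # $1 server  $2 export  $3 mountpoint
  awk -v src="$1:$(norm "$2")" -v mp="$(norm "$3")" '
    NF >= 4 && $3 ~ /^nfs4?$/ {
      s = $1; sub(/\/$/, "", s)
      if (s != src || $2 != mp) next
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++)
        if (opt[i] ~ /^vers=/) { sub(/^vers=/, "", opt[i]); print opt[i]; exit }
    }'
}

# Every client must mount the share at the identical path. Read "host path"
# lines on stdin (collected with ssh from each node) and succeed only when all
# the paths agree.
mount_paths_identical() {
  awk '{ p = $2; sub(/\/$/, "", p); if (!(p in seen)) { seen[p] = 1; distinct++ } }
       END { ok = (NR > 0 && distinct == 1); exit ok ? 0 : 1 }'
}

# Live checks on this client: showmount (nfs-utils), then the kernel's view of
# the mount in /proc/mounts, then /etc/fstab.
preflight() {
  rc=0
  if showmount -e "$NFS_SERVER" | awk -v e="$(norm "$NFS_EXPORT")" '$1 == e { f = 1 } END { exit f ? 0 : 1 }'; then
    echo "ok:   $NFS_SERVER exports $NFS_EXPORT"
  else
    echo "FAIL: $NFS_SERVER does not export $NFS_EXPORT"; rc=1
  fi
  vers=$(mounted_nfs_version "$NFS_SERVER" "$NFS_EXPORT" "$MOUNTPOINT" < /proc/mounts)
  if [ -z "$vers" ]; then
    echo "FAIL: $MOUNTPOINT is not an NFS mount of $NFS_SERVER:$NFS_EXPORT"; rc=1
  elif nfs_vers_supported "$vers"; then
    echo "ok:   mounted with NFS v$vers"
  else
    echo "FAIL: NFS v$vers is not supported by CTE (use v3 or v4)"; rc=1
  fi
  if fstab_has_persistent_mount "$NFS_SERVER" "$NFS_EXPORT" "$MOUNTPOINT" < /etc/fstab; then
    echo "ok:   mount is listed in /etc/fstab and will persist across reboots"
  else
    echo "FAIL: no /etc/fstab entry; the GuardPoint may not start after a reboot"; rc=1
  fi
  return $rc
}

# Only run the live checks when asked, so the functions can also be sourced and
# exercised against captured fstab / /proc/mounts text.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` on each client before creating the GuardPoint; to check path consistency across the nodes, pipe lines such as `node1 /root/test_nfs` from every client into `mount_paths_identical`.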
Setup
CipherTrust Transparent Encryption Installation and Configuration
- Log on to the host where you will install the CTE Agent as root. You cannot install the CTE Agent without root access.
- Copy or mount the installation file to the host system. If necessary, make the file executable with the chmod command.
- Install the CTE Agent. A typical installation uses the following syntax:
  ./vee-fs-<release>-<build>-<system>.bin
  For example:
  ./vee-fs-7.7.0-87-rh8-x86_64.bin
  To install the CTE Agent in a custom directory, use the -d <custom-dir> option. For example:
  ./vee-fs-7.7.0-87-rh8-x86_64.bin -d /home/my-cte-dir/
  Note
  If possible, Thales recommends that you use the default directory /opt/vormetric. To view all installer options, use the -h parameter. For example:
  ./vee-fs-7.7.0-87-rh8-x86_64.bin -h
- The Thales License Agreement displays. When prompted, type Y and press Enter to accept.
  The install script installs the CTE Agent software in either /opt/vormetric or your custom installation directory and then prompts you about registering the CTE Agent with a key manager:
  Welcome to the CipherTrust Transparent Encryption File System Agent Registration Program.
  Agent Type: CipherTrust Transparent Encryption File System Agent
  Agent Version: <Release.build-number>
  In order to register with a CipherTrust Manager you need a valid registration token from the CM.
  Do you want to continue with agent registration? (Y/N) [Y]:
- Type N and press Enter to end the installation procedure without registering the CTE Agent with a key manager.
- Enter Y to continue with the registration process. The install script prompts you to enter the host name or IP address of the CipherTrust Manager with which you want to register CTE. For example, with an on-premises CipherTrust Manager:
  Do you want to continue with agent registration? (Y/N) [Y]: Y
  Please enter the primary key manager host name: 10.3.200.141
  You entered the host name 10.3.200.141
  Is this host name correct? (Y/N) [Y]: Y
  Or, when registering with the hosted CipherTrust service, whose host names are listed below:
  Do you want to continue with agent registration? (Y/N) [Y]: Y
  Enter the primary key manager host name of the service:
  You entered the host name us1.ciphertrust.dpondemand.io
  Is this host name correct? (Y/N) [Y]: Y
  Host names:
  - Europe: ciphertrust.dpondemand.io
  - North America: us1.ciphertrust.dpondemand.io
  Note
  The default communication port is 443. If you want to specify a different communication port, enter it with the primary key manager host name in the format <hostName>:<port#>
- Enter the client host name when prompted.
  Please enter the host name of this machine, or select from the following list.
  [1] sys31186.qa.com
  [2] 10.3.31.186
  Enter a number, or type a different host name or IP address in manually:
  What is the name of this machine? [1]: 2
  You selected "10.3.31.186".
- Enter the CipherTrust Manager registration token, profile name, host group and host description. If you omit the profile name, CipherTrust Manager associates the default client profile with this client.
  Please enter the registration token: 12345
  Please enter the profile name for this host: My-Profile
  Please enter the host group name for this host, if any:
  Please enter a description for this host: RHEL7 system West Coast Datacenter
  Token : 12345
  Profile name : My-Profile
  Host Group : (none)
  Host description : RHEL7 system West Coast Datacenter
  Are the above values correct? (Y/N) [Y]: Y
- At the hardware association prompt, select whether you want to enable the hardware association feature to prevent cloning. The default is Y (enabled):
  It is possible to associate this installation with the hardware of this machine. If selected, the agent will not contact the key manager or use any cryptographic keys if any of this machine's hardware is changed. This can be rectified by running this registration program again.
  Do you want to enable this functionality? (Y/N) [Y]: Y
- Type Y to support Filesystem encryption and to choose other features. Type N if you only want to support Ransomware Protection. If you type N, then LDT and COS are not supported.
  Do you want this host to have Filesystem encryption support enabled on the server? (Y/N) [Y]:
- At the LDT prompt, specify that you want this client to use CTE-LDT by typing Y and pressing Enter:
  Do you want this host to have LDT support enabled on the server? (Y/N) [N]: Y
- If you are planning to create GuardPoints on NFS shares, enter the name of the LDT Communication Group that this node will join. Every client that will access the same GuardPoint must join the same group.
  Enter the LDT Communication Group name: LCG1
  Warning
  The registration token, profile name, client group name and LDT Communication Group name are case-sensitive. If any of these are entered incorrectly, the client registration will not succeed. If the registration fails, run the registration program again and verify the case of every entry.
- At the Cloud Object Storage (COS) prompt, specify whether you want this client to use CTE COS.
  Do you want to configure this host for Cloud Object Storage? (Y/N) [N]:
- Specify if you want to enable Ransomware Protection.
  Do you want this host to have Ransomware Protection support enabled on the server? (Y/N) [N]:
- CTE finishes the installation and registration process.
  Generating key pair for the kernel component...done.
  Extracting SECFS key
  Generating EC certificate signing request for the vmd...done.
  Signing certificate...done.
  Enrolling agent with service on 10.3.200.141...done.
  Successfully registered the CipherTrust Transparent Encryption CTE Agent with the CipherTrust Manager on 10.3.200.141.
  Installation success.
- In CipherTrust Manager, change the client password using the manual password creation method. This password allows users to access encrypted data if the client is ever disconnected from the CipherTrust Manager. For details on changing the password, see the CipherTrust Manager documentation.
CipherTrust Manager Configuration
Perform the following steps on CipherTrust Manager to create the LDT policy and then the GuardPoints on each client. The policy and its policy elements must exist before a GuardPoint can reference them.
- Make the clients part of an LDT Communication Group. All clients that access the same GuardPoint must be in the same LDT Communication Group (the group name entered at registration, LCG1 in this example).
- In the CTE navigation pane, click Policies -> Policy Elements and create a resource set for the share, and a user set for the users who are allowed to see plaintext (cte-linux-userset in this example).
- Click Policies and create an LDT policy:
  - Create a Security Rule with the user set. Select the following for the security rule:
    - User Set: cte-linux-userset
    - Action: all-ops
    - Effect: permit, applykey
  - Create a Key Rule with the following:
    - Current Key: clear_key
    - Transformation Key: create a new CBC_CS1 key and select it as the Transformation Key
  The clear_key current key tells the agent that the existing files are plaintext; LDT transforms them in place to the CBC_CS1 transformation key while they remain accessible.
- Create a client group: log on to CipherTrust Manager, click Products > Transparent Encryption > Client Groups and click Create Client Group.
- Enter the following information:
  - Name for the client group
  - Cluster Type: Non Cluster
  - Client profile: DefaultClientProfile or an alternative profile
- Click Next and select the clients that you want to include in the client group.
- Click Next and select Inherit Client Group Settings.
- Click OK. The client group is created.
- On each CTE client, check that the agent is configured properly and verify the LDT Communication Group information:
  voradmin ldt group comm_info
- In the client group that you created, click Create GuardPoint. In the Add GuardPoint window:
  a. Select the LDT policy created above, which grants access to the designated user set and encrypts with its CBC_CS1 key.
  b. Select the client(s).
  c. Enter the path of the GuardPoint. On Linux this is the local mount path of the NFS share, or one of its sub-folders, and it must be identical on every client; for this example:
     /root/test_nfs/
  d. Click Create and then Next. The GuardPoint displays in the client group.
- Click Membership to see the individual clients of the client group.
- Click GuardPoints and then click any client name to see the status of its GuardPoints.
The GuardPoint is now created on CipherTrust Manager and is applied to every client in the group.
Key Rotation
Adding a new key version on CipherTrust Manager triggers a key rotation (rekey) of the guarded path(s) on the agents. The rotation generates a new version of the key with the same key name and attributes but new key material; LDT then re-encrypts the data under the new version while it remains accessible.
To add a new key version:
- Open the CipherTrust Manager Key Manager application.
- In the left pane, click Keys.
- Select the transformation key used by the LDT policy.
- Click Add a new key version. The key version is rotated.
- On the CTE agent, track the rekey progress with:
  voradmin ldt attr get <GP path>
Access and Verification
- On the CTE client, confirm that the new policy and GuardPoint have been applied:
  secfsd -status guard
  The new GuardPoint should be listed as Active.
- Read any file within the GuardPoint as a user other than root, or directly on the NAS server, where no CTE agent runs. Observe that the content is ciphertext:
  cat <fileName>
- Access the NFS share on the CTE client as the root user. Verify that you can read and write the file.
- Check the LDT rekey status:
  voradmin ldt attr get <GP path>
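The following script is added here as an example; it is not part of the Thales documentation or of the CTE product. It turns the "observe that it is encrypted" step above into a repeatable check: given the same file read through the GuardPoint on a CTE client and copied raw from the NAS server (with scp, or from a shell on the NAS, where no CTE agent runs), it confirms that the GuardPoint view is plaintext and the at-rest copy is not. The printable-byte threshold, the minimum file size and the sample plaintext and ciphertext-like bytes used to exercise it are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Thales code: confirm that files inside the GuardPoint are
# ciphertext at rest on the NAS while still being plaintext through the
# GuardPoint. $1 is the file as read through the GuardPoint on a CTE client,
# $2 the same file copied raw from the NAS server, outside any CTE agent.
export LC_ALL=C   # classify bytes, not multibyte characters

# Percentage of the bytes in file $1 that are printable ASCII, TAB, LF or CR.
printable_percent() {
  total=$(wc -c < "$1")
  [ "$total" -gt 0 ] || { echo 0; return 0; }
  printable=$(tr -d -c '[:print:]\t\n\r' < "$1" | wc -c)
  echo $(( printable * 100 / total ))
}

# Text is almost entirely printable. AES output in CBC-CS1 mode is
# indistinguishable from random bytes, and only 98 of the 256 byte values
# (about 38%) are in the printable set, so 70% separates the two cleanly once a
# file has a few hundred bytes. Threshold and minimum size are this example's
# choices, not product parameters.
THRESHOLD=70
MIN_BYTES=64
looks_like_ciphertext() { [ "$(printable_percent "$1")" -lt "$THRESHOLD" ]; }

# Succeed only when the GuardPoint view is plaintext and the raw copy is not.
verify_at_rest() {  # $1 GuardPoint view  $2 raw copy from the NAS
  gp_view="$1"; raw_view="$2"; rc=0
  for f in "$gp_view" "$raw_view"; do
    [ "$(wc -c < "$f")" -ge "$MIN_BYTES" ] ||
      echo "warn: $f has fewer than $MIN_BYTES bytes; the heuristic is unreliable on tiny files"
  done
  if looks_like_ciphertext "$gp_view"; then
    echo "FAIL: GuardPoint view $gp_view is not plaintext (GuardPoint not active, or read by a user outside the policy's user set?)"; rc=1
  else
    echo "ok:   GuardPoint view is plaintext ($(printable_percent "$gp_view")% printable)"
  fi
  if looks_like_ciphertext "$raw_view"; then
    echo "ok:   raw copy is ciphertext ($(printable_percent "$raw_view")% printable)"
  else
    echo "FAIL: raw copy $raw_view is still plaintext (transformation not finished, or file outside the GuardPoint?)"; rc=1
  fi
  return $rc
}

# Usage: sh at_rest_check.sh --verify /root/test_nfs/sample.txt /tmp/sample.txt.raw
if [ "${1:-}" = "--verify" ] && [ $# -eq 3 ]; then verify_at_rest "$2" "$3"; fi
```

A raw copy that is still plaintext is not necessarily an error: until `voradmin ldt attr get <GP path>` reports the initial transformation or rekey as complete, files that LDT has not yet reached are stored unchanged, so run the check again once the status shows completion.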