Guarding a Device with CipherTrust Manager

After you register a client with a CipherTrust Manager, you can create as many standard GuardPoints on the client as you need. These GuardPoints can protect an entire device or individual directories.

In order to guard a device or directory, you need to use the CipherTrust Manager Console to:

1. Access the CipherTrust Manager domain in which the client is registered.

2. Identify or create an encryption key that CTE will use to encrypt the data on the device or directory.

3. Identify or create a policy for the device or directory that specifies the access controls and the encryption keys to use for the device or directory.

4. Assign a GuardPoint to the device or directory.

The following example creates a simple policy and uses it to guard a directory on a registered client. For all of the following procedures, you must be logged into the CipherTrust Manager Console as a CipherTrust Manager Administrator, and you must be in the domain with which the client is registered.

For details about any of these procedures or the options for domains, encryption keys, policies, and GuardPoints, see the CipherTrust Manager documentation.

Access the CipherTrust Manager Domain

1. In a web browser, navigate to the URL of the CipherTrust Manager Console you want to use and log in with CipherTrust Manager Administrator credentials.

2. If the client you want to protect is registered to the default domain (root), proceed to Create an Encryption Key. If you need to change to a different domain, do the following:

   1. In the top menu bar, click the user name root/admin on the right-hand side.

   2. Select Switch Domains, then select the domain in which the client is registered.

   3. The logged in user now shows the new domain name/user name.

      

Create an Encryption Key

1. From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.

   Tip

   To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.

2. Above the Key table, click Create a New Key.

3. In the Key Name field, add a name for the key. This name must be unique. For example, Simple-Key.

4. In the Key Usage section, make sure Encrypt and Decrypt are selected.

5. Click Create. CipherTrust Manager displays the properties for the new key.

6. In the general options area, enable the Exportable option.

   You can also enable the Deletable option in this section if you want a CipherTrust Manager Administrator to be able to delete the key.

   

7. In the Key Access section, do the following:

   1. In the Search Groups box, type "cte".

      If no groups are displayed, make sure the Added Only option is disabled.

   2. Click the All check box for both the CTE Admins and CTE Clients groups.

      

   3. When you are done, click Update.

8. Click the CTE tab and set the following properties:

   • CTE Versioned: Specify whether the key is versioned. By default, the key is set as versioned.

     For a standard policy, you should clear this check box. If you do not, the key will not appear in the keys list when you add the key rule to the standard policy.

   • Persistent on Client: Specify whether the key is stored in persistent memory on the client.

     When the check box is selected, the key is downloaded and stored (in an encrypted form) in persistent memory on the client.

     When the check box is left clear, the key is downloaded to non-persistent memory on the client. Every time the key is needed, the client retrieves it from the CipherTrust Manager. This is the default setting.

   • Encryption Mode: Encryption mode of the key. The options are:

     • CBC

     • CBC-CS1

     • XTS

     Encryption using the XTS and CBC-CS1 keys is known as enhanced encryption.

   When you are done, click Update.

Create a Standard Policy

1. In the Applications page of the CipherTrust Manager Console, select the Transparent Encryption application.

2. In the sidebar on the Clients page, click Policies.

3. Click Create Policy. CipherTrust Manager displays the Create Policy Wizard.

4. On the General Info page, set the following options:

   Field	Description
   Name	A unique name for the policy. Make sure you use a name that is descriptive and easy to remember so that you can find it quickly when you want to associate it with a GuardPoint. This example uses "Simple-Policy".
   Policy Type	The type of policy you want to create. In this example, we will create a Standard policy.
   Description	A user-defined description to help you identify the policy later. For example: Standard policy for new GuardPoints.
   Learn Mode	Learn Mode provides a temporary method for disabling the blocking behavior of CTE/CTE-LDT policies. While useful for quality assurance, troubleshooting, and mitigating deployment risk, Learn Mode is not intended to be enabled permanently for a policy in production. This prevents the policy Deny rules from functioning as designed in the policy rule set. Ensure that the policy is properly configured for use in Learn Mode. Any Security Rule that contains a Deny effect must have Apply Key applied as well. This is to prevent data from being written in mixed states, resulting in the loss of access or data corruption. Apply Key will have no effect when combined with a Deny rule unless the policy is in Learn Mode.
   Data Transformation	If you select Standard as the policy type, also select the the Data Transformation option to tell CTE that you want to change the current encryption key used on the data in the GuardPoint, or that you want to encrypt clear-text data for the first time. This option is only displayed for Standard policies.

   When you are done, click Next.

5. On the Security Rules page, define the security rules that you want to use.

   CipherTrust Manager automatically adds a default security access rule with an action of key_op and the effects Permit and Apply Key. This rule permits key operations on all resources, without denying user or application access to resources. This allows it to perform a rekey operation whenever the encryption key rotates to a new version.

   To add additional security rules, click Create Security Rule and enter the requested information. For details about adding security rules, see the CipherTrust Manager documentation.

   When you are done, click Next.

6. On the Create Key Rule page, click Create Key Rule and enter the following information:

   Field	Description
   Resource Set	If you want to select a resource set for this key rule, click Select and either choose an existing resource set or create a new one. Resource sets let you specify which directories or files will either be encrypted with the key or will be excluded from encryption with this key.
   Current Key Name	Click Select to choose an existing key or create a new one. If the data has not yet been encrypted, select clear_key. Otherwise select the name of the non-versioned key that is currently being used to encrypt the data. In this example, select clear_key.
   Transformation Key Name	Click Select to choose an existing versioned key or to create a new one. CTE uses the versioned key specified in this field to encrypt the data in the GuardPoint. If the data is currently encrypted, CTE decrypts it using the key specified in the Current Key Name field and re-encrypts it using the key specified in this field.

   When you are done, click Next.

7. On the Data Transformation page, click Create Data Transformation Rule and enter the following information:

   Field	Description
   Resource Set	If you want to select a resource set for this key rule, click Select and either choose an existing resource set or create a new one. Resource sets let you specify which directories or files will either be encrypted with the key or will be excluded from encryption with this key.
   Transformation Key Name	Click Select to choose an existing key or to create a new one. CTE uses the key specified in this field to encrypt the data in the GuardPoint. If the data is currently encrypted, CTE decrypts it using the key specified in the Current Key Name field and re-encrypts it using the key specified in this field. For this example, select the key Simple-Key you created in Create an Encryption Key.

   When you are done, click Next.

8. Click Next.

9. On the confirmation page, review the information for the policy and click Save.

   

Create a GuardPoint

1. Stop all applications that are accessing the device you want to protect. In this example, we are going to protect the following directories with the same policy and encryption key.

   • /dir/hr/files

   • /dir/accounting/files

   • /dir/shared/hr

   • /dir/shared/accounting

   Tip

   If you want to encrypt data without taking the device offline, you must use CipherTrust Transparent Encryption - Live Data Transformation.

2. In the Applications page of the CipherTrust Manager Console, select the CTE application.

3. In the Clients table, click on the name of the client you want to protect.

4. Above the GuardPoints table, click Create GuardPoint.

5. In the Create GuardPoint page:

   1. In the Policy field, select the policy you created earlier.

   2. In the Type field, select the type of device. You can guard a directory or a raw/block device. For this example, select Auto Directory.

   3. In the Path field, enter the directories you want to protect with this policy or click Browse to select them from a explorer window.

      If you want to enter multiple paths, put each path on its own line. For example:

      

   4. Click Create.

   5. If you want to use the same policy and GuardPoint type on another path, click Yes when prompted. Otherwise, click No. For this example, click No.

   The CTE clients pull the GuardPoint configuration information from the CipherTrust Manager.

6. Type the following to transform the data:

   dataxform --rekey --print_stat --preserve_modified_time --gp <pathToGP>
   

   When the data transformation has finished, applications can resume accessing the now-protected data. (See the CTE Data Transformation Guide for more information.)