Integration with CipherTrust Manager
Perform the following steps to integrate ProtectApp LUKS with the CipherTrust Manager:
Configuring ks_config and ks_user_config Files
Note
It is expected that before using ProtectApp LUKS all appropriate configuration is done on /etc/ks_config and /etc/ks_user_config files.
The basic configuration parameters in /etc/ks_config file that are required to be changed are:
NAE_IP: refers to the IP address of the CipherTrust Manager
NAE_Port: refers to the port of the CipherTrust Manager. The default value is 9000.
Protocol: refers to the protocol used for communication between the client and server. The protocol can be tcp or ssl.
CA_File: refers to the CA certificate that was used to sign the server certificate presented by the NAE Server to the client. (for ssl only)
Cert_File: stores the path and filename of the client certificate. This is only used when your SSL configuration requires clients to provide a client certificate to authenticate to the CipherTrust Manager appliances. (for ssl only)
Key_File: refers to the private key associated with the client certificate specified in the Cert_File parameter. (for ssl only)
Log_Level: refers to the level of logging performed by the client. Values are not case-sensitive. The default value is WARN and can be set to DEBUG for troubleshooting.
Log_File: refers to the file name and full path to the log file. The user must have write permissions on this path and file.
You can further configure the ProtectApp LUKS Provider to meet the requirements of your environment. Refer to Configuring the Properties File for more details.
Create a user and a key on the CipherTrust Manager. For details on creating a user and key, refer to the following links:
The basic configuration parameters in /etc/ks_user_config file that are required to be changed are:
key_name: refers to the key present on CipherTrust Manager to be used for ProtectApp LUKS Operations.
user_name: refers to the username associated with the user account to log into the CipherTrust Manager.
key_version: refers to the version of the key present on CipherTrust Manager to be used.
enable: refers to the mode of LUKS.
If the value of the parameter is 'yes', ProtectApp LUKS is enabled
If the value of the parameter is 'no', Native LUKS is enabled.
You need to edit the /etc/ks_user_config file based on the authentication type:
User Based Authentication: Username and Password will be used for authentication with CipherTrust Manager. Refer to Configuring User based Authentication.
Passwordless Certificate Based Authentication: The Client Certificate will be used for authentication with CipherTrust Manager. Refer to Configuring Passwordless Certificate based Authentication.
ProtectApp LUKS is now ready to be used by executing the standard ProtectApp LUKS commands.
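Because ks_config and ks_user_config are read at boot, a mistake in them is discovered at the worst possible time. The following POSIX shell script is an added example (not part of the ProtectApp LUKS product or its documentation) that checks the parameters listed above before the files are relied on; it assumes one KEY=VALUE per line, and the Log_Level values beyond WARN and DEBUG are an assumption.

```shell
#!/bin/sh
# Added example, not part of ProtectApp LUKS: sanity-check the two configuration
# files before they are needed at boot. Assumes one KEY=VALUE per line (an
# assumption about the file format; adjust get_param if yours differs).

# get_param FILE KEY: print the last value set for KEY, empty if absent.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_ks_config FILE: print one finding per line; return the number of findings.
check_ks_config() {
    f=$1; n=0
    [ -n "$(get_param "$f" NAE_IP)" ] || { echo "NAE_IP is not set"; n=$((n+1)); }
    case $(get_param "$f" NAE_Port) in
        ''|*[!0-9]*) echo "NAE_Port must be numeric (default is 9000)"; n=$((n+1)) ;;
    esac
    case $(get_param "$f" Protocol) in
        ssl)  # TLS to the NAE server: the CA that signed its certificate is mandatory
            [ -n "$(get_param "$f" CA_File)" ] || { echo "Protocol=ssl but CA_File is not set"; n=$((n+1)); }
            c=$(get_param "$f" Cert_File); k=$(get_param "$f" Key_File)
            if [ -n "$c$k" ] && { [ -z "$c" ] || [ -z "$k" ]; }; then
                echo "Cert_File and Key_File must be set together"; n=$((n+1))
            fi ;;
        tcp)  echo "Protocol=tcp: traffic to the CipherTrust Manager is not encrypted"; n=$((n+1)) ;;
        *)    echo "Protocol must be tcp or ssl"; n=$((n+1)) ;;
    esac
    case $(get_param "$f" Log_Level | tr '[:lower:]' '[:upper:]') in
        ''|DEBUG|INFO|WARN|ERROR|NONE) ;;  # empty means the default WARN; value set is assumed
        *) echo "Log_Level is not a recognised level"; n=$((n+1)) ;;
    esac
    logf=$(get_param "$f" Log_File)
    [ -z "$logf" ] || [ -w "$(dirname "$logf")" ] || { echo "Log_File directory is not writable"; n=$((n+1)); }
    return $n
}

# check_ks_user_config FILE: same contract for /etc/ks_user_config.
check_ks_user_config() {
    f=$1; n=0
    for key in key_name user_name key_version; do
        [ -n "$(get_param "$f" $key)" ] || { echo "$key is not set"; n=$((n+1)); }
    done
    case $(get_param "$f" enable) in
        yes|no) ;;  # yes = ProtectApp LUKS, no = native LUKS
        *) echo "enable must be yes or no"; n=$((n+1)) ;;
    esac
    return $n
}
```

Run it as `check_ks_config /etc/ks_config && check_ks_user_config /etc/ks_user_config` after editing the files; a non-zero exit lists what to fix.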
Note
If ProtectApp LUKS is already installed on the system, the new installation keeps a backup of the old ProtectApp LUKS files as <filename>_bak. However, when the backup is created for the first time, it is created as <filename>_orig.
The ks_config and ks_user_config files are accessed at boot time. These files must not be renamed.
Configuring ProtectApp LUKS Partition
ProtectApp LUKS partition can be configured for the following:
Note
The CipherTrust Manager supports both modes of authentication. However, only one authentication mode can be used at a time.
Configuring ProtectApp LUKS Partition for User Based Authentication
To initialize the volume, execute the following command. It prompts for a passphrase entry only for user based authentication and sets an initial key from CipherTrust Manager.
Note
From ProtectApp LUKS 8.5.0 onwards, LUKS2 is the default type used for disk encryption. However, the legacy LUKS1 type can still be used with the cryptsetup command by passing the option --type luks1.
cryptsetup -y -v luksFormat /dev/
For legacy LUKS1, run the following command:
cryptsetup -y -v luksFormat /dev/<disk_name> --type luks1
The above commands return the following output:
Sample Output:
WARNING! ======== This will overwrite data on /dev/<disk_name> irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Configuring ProtectApp LUKS Partition for Passwordless Certificate Based Authentication
To initialize the volume, execute the following command.
cryptsetup -q -v luksFormat /dev/<disk_name>
For legacy LUKS1, run the following command:
cryptsetup -q -v luksFormat /dev/<disk_name> --type luks1
The above commands return the following output:
Sample Output:
WARNING! ======== This will overwrite data on /dev/<disk_name> irrevocably.
Are you sure? (Type uppercase yes): YES
Command successful.
Note
The -q option is used to suppress the above warning and confirmation message.
To specify the cipher explicitly, use the option --cipher. The default cipher is aes-xts-plain64.
Example:
cryptsetup -q -v luksFormat /dev/sdb --cipher aes-cbc-essiv:sha256
and
cryptsetup -v luksOpen /dev/sdb backup2 --cipher aes-cbc-essiv:sha256
Refer to the Sample for Boot Time Configuration.
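After luksFormat, it is worth confirming that the volume really came out as LUKS2 with the intended cipher before data is written to it. The following POSIX shell functions are an added example (not part of the product); check_luks_volume, check_luks_dump_text and parse_luks_dump are hypothetical names, and the parser relies on the header lines printed by cryptsetup luksDump for LUKS2 (Version, and cipher under Data segments) and LUKS1 (Cipher name, Cipher mode).

```shell
#!/bin/sh
# Added example, not part of ProtectApp LUKS: confirm a freshly formatted volume
# is LUKS2 with the intended cipher. parse_luks_dump reads `cryptsetup luksDump`
# text on stdin and prints "VERSION CIPHER"; the LUKS2 cipher is taken from the
# data segment, the LUKS1 cipher from the Cipher name / Cipher mode header lines.
parse_luks_dump() {
    awk '
        /^Version:/              { v = $2 }
        /^[[:space:]]+cipher:/   { if (c == "") c = $2 }   # LUKS2 data segment
        /^Cipher name:/          { cn = $3 }               # LUKS1 header
        /^Cipher mode:/          { cm = $3 }
        END {
            if (c == "" && cn != "") c = cn "-" cm
            print v, c
        }'
}

# check_luks_dump_text EXPECTED_CIPHER: read dump text from stdin; return 0 only
# for a LUKS2 header whose data segment uses EXPECTED_CIPHER (testable offline).
check_luks_dump_text() {
    set -- "$1" $(parse_luks_dump)
    [ "$2" = 2 ] || { echo "expected LUKS2, found version ${2:-?}"; return 1; }
    [ "$3" = "$1" ] || { echo "expected cipher $1, found ${3:-?}"; return 1; }
    echo "LUKS2 volume, cipher $3"
}

# check_luks_volume DEV EXPECTED_CIPHER: run the same check against a real device.
check_luks_volume() {
    cryptsetup luksDump "$1" | check_luks_dump_text "$2"
}
```

For example, `check_luks_volume /dev/sdb aes-xts-plain64` fails on a volume that was formatted with --type luks1 or with a different --cipher.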