Getting Started with Transparent Encryption Vormetric Training 5.2.1 Lab Exercises:


Page 1: Getting Started with Transparent Encryption Vormetric … · Getting Started with Transparent Encryption Vormetric Training 5.2.1 Lab Exercises: Vormetric Software … Encryption

Getting Started with Transparent Encryption

Vormetric Training 5.2.1

Lab Exercises:


Vormetric Software

© Vormetric Corporation Inc, 2014 Page 2

Contents

Introduction (p. 3)

Part 1 Creating users and domains (p. 5)

1.1 Add license file (p. 5)

1.2 Create super user account (p. 9)

1.3 Create the domain and add user to domain (p. 10)

Part 2 Adding and registering hosts (p. 13)

2.1 Adding hosts to the DSM (p. 13)

2.2 Installing and registering agents (p. 16)

Part 3 Creating Keys (p. 32)

3.1 Create a data encryption key (p. 32)

Part 4 Creating Policies (p. 35)

4.1 Create a basic Windows policy (p. 36)

4.2 Create a basic Linux/Unix policy (p. 52)

4.3 Create a basic data transform policy (p. 65)

Part 5 Encrypting data (p. 74)

5.1 Encrypt Windows data (p. 74)

5.2 Encrypt Linux/Unix data (p. 83)

Additional Tasks and Questions (p. 93)


Introduction

The purpose of this lab is to introduce the general steps of implementing Vormetric Transparent Encryption (TE), which is a security component of the Vormetric Data Security (VDS) platform. You will be introduced to each of the following activities:

Creating a domain

Creating users

Creating keys

Creating policies

Registering hosts

Encrypting data

Implementation details, best practices, and troubleshooting of TE implementations will be covered in future labs.

Lab Architecture

Figure 1 illustrates the overall architecture of the lab.

Figure 1 Lab Architecture

Primary DSM: Hostname = dsm-server-1.voredu.com, eth0 = 192.168.10.10

Data Server (Linux): Hostname = data-node-1.voredu.com, eth0 = 192.168.10.20

Data Server (Windows): Hostname = data-node-2.voredu.com, eth0 = 192.168.10.21

VM Image

The virtual machines you will use in this lab are

data-node-1.voredu.com

data-node-2.voredu.com


dsm-server-1.voredu.com

User ID and password list

Table 1 lists the User IDs and passwords used in the lab. You may be prompted to update the password while performing the lab tasks. You may use a new password of your choosing or use the recommended password update.

Table 1 User IDs and passwords

Server                  User ID        Default Password   Recommended Update
Web Console             admin          admin123           Admin123!
data-node-1.voredu.com  root           Admin123!
data-node-1.voredu.com  user1          Admin123!
data-node-2.voredu.com  Administrator  Admin123!


Part 1 Creating users and domains

The Vormetric Data Security (VDS) solution uses a separation-of-duties model for user administration. Users within the VDS solution can be divided into three types:

System administrators

Domain administrators

Security administrators

User administration will be covered in more detail in future lab material. For the purpose of this lab, you will create one super account user (superuser) that will be able to perform all administration tasks.

1.1 Add license file

The Data Security Manager (DSM) image is configured with networking and the security server software has been started. No other modifications have been made, so you will be working with the DSM in its default configuration.

__1. Login to host data-node-1, ID = root, Password = Admin123!

__2. Open the Firefox browser

__3. Login to the management console, ID = admin, Password = admin123

Note: This will not work until the DSM is fully booted. Check that the DSM has finished booting before attempting to log on.

https://dsm-server-1.voredu.com

Add and confirm any exceptions.


__4. Change the password; the recommended password is Admin123!

__5. Note: Passwords are case sensitive. Password complexity and history are configurable by system administrators.

__6. Install the license file


__a. Select System > License

__b. Click Upload License File

__c. Click Browse, navigate to the desktop, select the license file, and click Open

__d. Click Ok to install the license

Note: The license imported for the purpose of this lab is a temporary license and may differ in expiry date and file name. Customers receive permanent licenses based on their entitlement.


1.2 Create super user account

__1. Click Administrators

__2. Click Add

__3. Type the following information into the corresponding fields

Login = superuser

Description = Super User Account

Password = Temp123!


Confirm Password = Temp123!

User Type = All

Note: The password assigned to the account is only temporary. Upon first login the user will be prompted to change the password, and the new password cannot be the same as the previous one. If you want to use a consistent password, use a temporary password first and then change it to your preferred password after login.

__4. Click Ok to create the user

1.3 Create the domain and add user to domain

A VDS domain is a silo of security. Within a domain you can group sets of security objects that are only managed within that domain (for example: hosts, keys, policies and security administrators). For the purpose of this lab we will create a single domain, and all your security administration is done within that single domain.

__1. Click Domains

__2. Click Add


__3. Type the following information into the corresponding fields and click Apply

Domain Name = testdomain

Description = Test Domain

__4. Click Assign Admin > select the superuser account > click Ok

__5. The new super user account is now ready to be used.


__6. Click Logout


Part 2 Adding and registering hosts

The communication model of the Transparent Encryption solution is based on secure socket encryption between the Vormetric agent and the DSM. The secure communication uses key pairs generated and exchanged during registration of the agent with the DSM. The three steps to enable communication and exchange keys are:

Add a host entry in the DSM

Register the host with the DSM (this step includes the key exchange event)

Enable communication

Registration can take place either during the agent install or after the install with the registration utility. Registration and key exchange take place over port 8080. Post-registration communication with the DSM is over the following ports:

o 7024 – DSM to agent communication

o 8443 – Agent to DSM communication

o 8444 – Agent to DSM auditing communication

o 8446 – DSM to agent using EC keys

o 8447 – Agent to DSM using EC keys

o 8448 – Agent to DSM using EC keys

After completing this lab you will be able to install and register Unix and Windows hosts.

2.1 Adding hosts to the DSM

Adding hosts to the DSM configuration is a function of the security Host role.

__1. Login to the management console, ID = superuser, Password = Temp123!

https://dsm-server-1.voredu.com

__2. Change the password when prompted, Old Password = Temp123!, New Password = Admin123!

__3. Switch to the testdomain, click Domains > Switch Domains


__4. Select the testdomain > Switch to domain

Note: When you switch to a domain the domain you are managing appears in the upper right-hand corner of the browser session. Depending on your role you will get varying tabs to perform administration tasks. The superuser security administrator will have all the security administration roles and therefore all the tabs.

__5. Click Hosts

__6. Click Add

__7. Type the following information into the corresponding fields and mark appropriate check boxes

Host Name = data-node-1.voredu.com

Description = Linux Server

Registration Allowed agents = FS

License Type = Term


__8. Click Ok

__9. Click Add

__10. Type the following information into the corresponding fields and mark appropriate check boxes

Host Name = data-node-2.voredu.com

Description = Windows Server

Registration Allowed agents = FS

License Type = Term

__11. Click Ok

Note: There are now two servers that have been added to the DSM configuration. Only the File System Agent (FS Agent) component can attempt registration. The FS Agent component allows for the encryption, access control and auditing of data files on the target host. It is the core functionality of the TE solution.


__12. Log out of root

__13. Log out

2.2 Installing and registering agents

During agent installation the registration process is automatically activated. If for whatever reason the registration fails, it is not necessary to reinstall the product; registration can be attempted again via the registration utility.

2.2.1 Setup firewall rules

If using the Linux local firewall, the following firewall rules are needed to enable the Vormetric DSM to contact the agent; otherwise only agent-initiated communication can be used. First make a copy of the current firewall configuration.

__1. Login to data-node-1, ID = root, Password = Admin123!


__2. iptables-save > /etc/sysconfig/iptables.old

__3. Update the firewall rules using iptables.

iptables -I INPUT -m state --state NEW -p tcp --dport 7024 -j ACCEPT

iptables -I INPUT -m state --state NEW -p tcp --dport 8046 -j ACCEPT

iptables -I INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT

__4. Make the changes available upon reboot

iptables-save > /etc/sysconfig/iptables

2.2.2 Install VDS agent on Linux host

__1. Login to data-node-1, ID = root, Password = Admin123!

__2. Note: The FS agent must be installed as root as certain modules and services can only be created by root.

__3. Right-click on the desktop and click Open in Terminal


As an alternative you can use a shell session via a utility like PuTTY to browse the file system.

__4. Change directory to the /software directory

cd /software

__5. Make the file executable

chmod 744 vee-fs-5.2.1-31-rh6-x86_64.bin

__6. Execute the agent installer

./vee-fs-5.2.1-31-rh6-x86_64.bin

__7. Press “q” to jump straight to the bottom of the agreement

__8. Type “Y” to accept the license agreement

__9. Press Enter to continue with registration

__10. Note: At shell prompts within Vormetric utilities, the choice within the square brackets is the default choice if you press enter.


__11. Type the DSM server name, dsm-server-1.voredu.com, and press Enter

__12. Check the spelling of your entry and press Enter

__13. Press Enter to accept the hostname for this system entered in the DSM


__14. When prompted to associate the agent with the hardware, type “N” to not use this option.


__15. Type “Y” to confirm that the fingerprints match

The Linux server is now registered with the DSM. Communication will be enabled in a subsequent section.

2.2.3 Install VDS agent on Windows

__1. Login to data-node-2, ID = Administrator, Password = Admin123!

__2. Run the VDS agent installer

c:\software\vee-fs-5.2.1-40-win64.exe


__3. Click Next to continue the installation

__4. Accept the license agreement, click Next


__5. Click Next to accept the installation directory

__6. Click Install


__7. Click Finish

__8. Click Next to begin registration


__9. Click Next to register data-node-2.voredu.com


__10. Enter DSM server info, dsm-server-1.voredu.com


__11. Click Register


__12. Confirm the fingerprint for the CA (the DSM), click Yes

__13. Confirm the fingerprint for local certificate, click OK


__14. Click Finish

__15. Click Yes to reboot


2.2.4 Enable communication

As a final step you need to enable communication with the agent.

Warning: Overlooking this step is one of the most common errors made.

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Hosts

Note: The host OS Types are now known.

__5. Click each of the hosts and select Communication Enabled and click Ok

Note: Each host is now enabled for communication.


Part 3 Creating Keys

There are many keys used within the VDS solution. Keys are used to encrypt the internal data stores, communication between the DSM and the agents, and DSM configuration backups. Most keys of this type are automatically managed within the system. The keys used to encrypt your data are known as data encryption keys (DEK) and require the Key role to administer. There are a few other key types that can be administered as part of the VDS solution; however, the use of these key types is not a focus of this lab, and they are secondary use cases to the much more common use of DEKs.

TE key administration is very simple. A security administrator with the Key role generates a key with the following attributes:

Key name

Key type

Key length

The actual key value is not known by the key administrator or any other administrator of the TE solution. The key is never persisted in the clear.

After completing this section you will be able to create data encryption keys.

3.1 Create a data encryption key

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Keys

__5. Click Add


__6. Type the following information into the corresponding fields and select appropriate values

Name = testkey-AES256-2015

Description = Test AES 256 Key 2015

Algorithm = AES256

Note: It is not necessary to change any of the other fields in most cases.

__7. Click Ok


Note: The key is now ready to be used.


Part 4 Creating Policies

TE is based on controlling access to and encrypting sensitive data files. These files may be data files within the structured data store of a database, or other data files that reside in the file system or in file shares.

Guard Points are the points (directories) within the file system where you apply a TE policy. Once applied, the TE policy governs all access to files within the guard point; this includes files in any subdirectory of the guard point.

A TE Policy is a set of rules that govern every IO performed within the guard point’s directories. The IO characteristics are evaluated according to the policy’s rules, and once a matching policy rule is found the effect of the rule is performed.

Policy rules

The 5 rule attributes are:

Resource – the file system object (i.e. directory or file) being accessed

User – the user ID performing the IO

Process – the executable performing the IO

When – when the IO is taking place

Action – what type of IO is being performed (read, write, create directory)

The rule effects are:

Permit – allow the IO (exclusive to Deny)

Deny – deny the IO (exclusive to Permit)

Apply_key – encrypt or decrypt the IO

Audit – generate an audit record

Table 2 illustrates an example of a working database policy.

Table 2 Database policy

Rule  Resource  User  Process    When  Action  Effect
1                     db_engine                permit, apply_key
2                                        read   permit
3                                               deny, audit

Rules are evaluated in order, and the first rule that meets the criteria of all the attributes will have that rule’s effect applied to the IO. A blank for an attribute indicates “all”. Rule 3 is the catch-all rule because it applies to all IOs not handled by the other rules.

Only rule 1 allows the application of the encryption key (Effect = permit + apply_key) and is limited to the DB engine (Process = db_engine). Rule 2 allows reads (Action = read) but does not allow application of the key. The overall effect is that only the DB engine can perform all IOs and apply the encryption key, while all other writes are denied and reads are permitted without application of the key.


Resource Sets

The attributes of a policy rule contain sets of objects. For example, the db_engine process attribute is a set of database executables.

After completing this lab you will be able to create basic TE policies and guard points. Creating policies in more detail and best practices will be covered in more dedicated material.

4.1 Create a basic Windows policy

In this basic Windows policy you will use two IO attributes (user and process) to create simple rules. You will grant user user1 full access to the c:\vipdata directory as well as the ability to encrypt and decrypt data. User Administrator will be granted only read access and will be able neither to write to the c:\vipdata directory nor to decrypt the files within the directory.

Note: If you have any issues using your local browser you can use the browser in data-node-2.test.com.

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Policies

__5. Click Add Online Policy

Note: The top section is for the policy rules. The bottom section is for the keys to use.

__6. Add the policy details,


Name: test-windows-policy

Description: Test Windows Policy

__7. Click Add, to add a new rule

__8. Click Select next to the Effect to add effects for the rule

__9. Select Deny and Audit and click Select Effect


__10. Click Ok to create the rule

__11. Your policy now has 1 rule.


Note: The way to interpret the new rule is to consider whether each criterion of the rule is true for a given IO. If all the criteria evaluate to true then the rule’s Effect is triggered. A blank for a particular criterion means every value of that criterion type is matched. So this rule, if applied to data, would deny all access to protected data. The way to read the rule would be: for all Resources, for all Users, for all Processes, for all Actions, for all times (When), Deny access and generate an Audit event.

__12. Click Add to add an additional rule

__13. Click Select next to the User criteria

__14. Click Add to add a new User set

__15. Type the name of the new user set, user1, click Browse Users


__16. Select the following from the Host Name and Domain dropdown menus and click Ok

Hostname = data-node-2.test.com

Domain = DATA-NODE-2

__17. Provide the login credentials to browse the remote host known user lists, Login = Administrator, password = Admin123!

__18. Select user1 and click Ok


__19. Click Ok to finish the user set

__20. Select the user1 user set and click Select User Set

__21. Click Select next to the Effect to add effects for the rule


__22. Select Permit and Apply Key and click Select Effect

__23. Click Ok to create the rule


__24. Your policy now has 2 rules. Rule order is very important. The first rule to trigger an Effect stops the rule evaluation process.

__25. Select the user1 policy rule and click Up

__26. Click Add in Key Selection Rules to add a key rule


__27. Click Select next to the Key entry

__28. Select the testkey-AES256-2014 key and click Select Key

__29. Click Ok to add the key rule

__30. Click Add in the Security rules to add an additional rule


__31. Click Select next to the User criteria

__32. Click Add to add a new User set

__33. Type the name of the new user set, Administrator, click Browse Users


__34. Select the following from the Host Name and Domain dropdown menus and click Ok

Hostname = data-node-2.voredu.com

Domain = Test

__35. Select Administrator and click Ok

__36. Click Ok to finish the user set


__37. Select the Administrator user set and click Select User Set

__38. Click Select next to the Action entry

__39. Select read operations and click Select Action


__40. Click Select next to the Effect to add effects for the rule

__41. Select Permit and click Select Effect

__42. Click Ok to create the rule

__43. Select the Administrator policy rule and click Up

__44. The policy should now look like the following:

__45. Note: The effect of the policy is as follows:

Rule 1 – user1 can perform any action within the guard point and the encryption key is applied, so user1 reads and writes plaintext.

Rule 2 – Administrator has read access within the guard point, but the encryption key is not applied, so an encrypted file stays encrypted during a read (Administrator sees ciphertext). Writes by Administrator do not match this rule and fall through to rule 3, where they are denied.

Rule 3 – applies to all I/O not handled by rule 1 or rule 2 and denies it.

__46. The policy allows user1 full access to the data and uses the encryption key, testkey-AES256-2014, to encrypt and decrypt for user1. Administrator can only read the data and, without the apply_key effect, sees only ciphertext. All other access is denied.
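To make the first-match semantics concrete, here is a small Python model of the evaluation described in steps 45 and 46. It is an added example, not Vormetric code and not how the agent is implemented: user sets are reduced to plain user names (the console qualifies them with host and domain), and "read operations" is assumed to expand to the READ_OPS set in the code.

```python
"""Model of first-match policy evaluation for the test-windows-policy above.

Added illustration, not Vormetric code: rule fields mirror what the console
shows (user set, action, effects) but the evaluation logic is a simplified model.
Assumptions: user sets are plain user names; "read operations" is READ_OPS.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

READ_OPS = frozenset({"read", "read_attr"})        # assumed expansion of "read operations"
ALL_OPS = READ_OPS | frozenset({"write", "create", "remove", "rename"})


@dataclass(frozen=True)
class Rule:
    name: str
    users: Optional[FrozenSet[str]] = None      # None = any user
    actions: Optional[FrozenSet[str]] = None    # None = all_ops
    effects: FrozenSet[str] = frozenset()       # subset of {permit, deny, apply_key, audit}

    def matches(self, user: str, action: str) -> bool:
        user_ok = self.users is None or user in self.users
        action_ok = self.actions is None or action in self.actions
        return user_ok and action_ok


@dataclass(frozen=True)
class Decision:
    rule: str          # name of the rule that fired
    permitted: bool
    apply_key: bool    # True: plaintext; False on a permitted read: ciphertext
    audit: bool


def evaluate(rules: List[Rule], user: str, action: str) -> Decision:
    """Walk the security rules in order; the first match decides and evaluation stops."""
    for rule in rules:
        if rule.matches(user, action):
            return Decision(rule.name,
                            "permit" in rule.effects,
                            "apply_key" in rule.effects,
                            "audit" in rule.effects)
    # The lab policies always end with a catch-all deny, so reaching here is a misconfiguration.
    raise ValueError("no rule matched; policy lacks a catch-all rule")


def what_user_sees(rules: List[Rule], user: str, action: str) -> str:
    """Summarise the outcome as the lab describes it: denied, plaintext or ciphertext."""
    d = evaluate(rules, user, action)
    if not d.permitted:
        return "denied"
    return "plaintext" if d.apply_key else "ciphertext"


# The three rules in the order the lab leaves them after steps 25 and 43.
TEST_WINDOWS_POLICY = [
    Rule("user1", users=frozenset({"user1"}),
         effects=frozenset({"permit", "apply_key"})),
    Rule("Administrator", users=frozenset({"Administrator"}), actions=READ_OPS,
         effects=frozenset({"permit"})),
    Rule("catch-all", effects=frozenset({"deny", "audit"})),
]


if __name__ == "__main__":
    for user, action in [("user1", "write"), ("Administrator", "read"),
                         ("Administrator", "write"), ("guest", "read")]:
        print(f"{user:14} {action:6} -> {what_user_sees(TEST_WINDOWS_POLICY, user, action)}")
    # Ordering mistake: with the catch-all first, everything is denied, including user1.
    misordered = [TEST_WINDOWS_POLICY[2]] + TEST_WINDOWS_POLICY[:2]
    print("misordered user1 read ->", what_user_sees(misordered, "user1", "read"))
```

The misordered case at the end is the reason for the Up button in steps 25 and 43: a catch-all deny placed first swallows every request before the user-specific rules are reached.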

__47. Click Ok to save the policy

4.2 Create a basic Linux/Unix policy

There is no fundamental difference between Linux/Unix policies and Windows policies. The practical difference is that the super accounts will likely be different and the directory structure for guard points will be different.

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Policies

__5. Click Add Online Policy

__6. Add the policy details,

__7. Name: test-linux-policy

__8. Description: Test Linux Policy

__9. Click Add, to add a new rule

__10. Click Select next to the Effect to add effects for the rule

__11. Select Deny and Audit and click Select Effect

__12. Click Ok to create the rule

__13. Click Add to add an additional rule

__14. Click Select next to the User criteria

__15. Click Add to add a new User set

__16. Type the name of the new user set, user1-linux, click Browse Users

__17. Select the following from the Host Name and Domain dropdown menus and click Ok

Hostname = data-node-1.voredu.com

Domain = data-node-1.voredu.com

__18. Click the arrow to see the next page of users

__19. Select user1 and click Ok

__20. Click Ok to finish the user set

__21. Select the user1-linux user set and click Select User Set

__22. Click Select next to the Effect to add effects for the rule

__23. Select Permit and Apply Key and click Select Effect

__24. Click Ok to create the rule

__25. Select the user1-linux policy rule and click Up

__26. Click Add in Key Selection Rules to add a key rule

__27. Click Select next to the Key entry

__28. Select the testkey-AES256-2014 key and click Select Key

__29. Click Ok to add the key rule

__30. Click Add in the Security rules to add an additional rule

__31. Click Select next to the User criteria

__32. Click Add to add a new User set

__33. Type the name of the new user set, root, click Add

__34. Type root in the uname field and click Ok

__35. Click Ok to finish the user set

__36. Select the root user set and click Select User Set

__37. Click Select next to the Action entry

__38. Select read operations and click Select Action

__39. Click Select next to the Effect to add effects for the rule

__40. Select Permit and click Select Effect

__41. Click Ok to create the rule

__42. Select the root policy rule and click Up

__43. The policy should now look like the following:

__44. Click Ok to save the policy

4.3 Create a basic data transform policy

A data transform policy is used for one specific purpose: to encrypt data. After the data is encrypted, a "runtime" policy is applied to govern regular access to the data files. The policies created in the previous two sections are runtime policies.

A data transform policy has two rules:

Rule 1 – encrypts the data

Rule 2 – prevents any other access to the data files

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Policies

__5. Click Add Online Policy

Add the policy details,

Name: dx-AES256-2015

Description: Data Transform Policy

__6. Click Add, to add a new rule

__7. Click Select next to the Effect to add effects for the rule

__8. Select Deny and Audit and click Select Effect

__9. Click Ok to create the rule

__10. Click Add to add an additional rule

__11. Click Select next to the Action criteria

__12. Select key_op and click Select Action

__13. Note: Key operations actions are unique to data transform. The process of encrypting data for the first time or moving data from one key to another key is known as a keying operation.

__14. Click Select next to the Effect to add effects for the rule

__15. Select Permit and Apply Key and click Select Effect

__16. Click Ok to create the rule

__17. Move the key_op rule up to be the first rule

__18. Click Add in Key Selection Rules to add a key rule

__19. Click Select next to the Key entry

__20. Select clear_key key and click Select Key

__21. Click Ok to add the key rule

__22. Click Add in the Data Transformation Rules section

__23. Click Select next to the Key entry

__24. Select the key ‘testkey-AES256-2014’ and click Select Key

__25. Click Ok to create the key rule

__26. Click Ok to save the policy

__27. Your data transform policy now looks like this:

Rule 1 – allows the data transform utility to read the data files with clear_key and write them back with the testkey-AES256-2014 key. clear_key represents data that is not yet encrypted. If the data were already encrypted, you would select the current key in the Key Selection Rule and the new key you want the data encrypted with in the Data Transformation Rule.

Rule 2 – applies to all I/O not handled by rule 1 and denies it (with audit).
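The following Python model, added here and not part of the original lab or of the dataxform utility, shows what a data transform pass does to the stored bytes: each file is read with the key named in the Key Selection Rule and written back with the key named in the Data Transformation Rule. A hash-derived XOR keystream stands in for the AES-256 key so the effect is visible; the sample files and the rotation target name testkey-AES256-2016 are constructed for the example. It goes beyond the lab's first-encryption case by also running a rotation from testkey-AES256-2014 to the new key.

```python
"""Model of what a data transform pass does to the bytes inside a guard point.

Added illustration, not the dataxform utility or Vormetric's cipher: a
hash-derived keystream stands in for the AES-256 data key so that the effect of
"read with the current key, write with the new key" is visible. The file set and
the rotation target key name testkey-AES256-2016 are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict

CLEAR_KEY = "clear_key"   # TE's stand-in key meaning "the data is not encrypted"


def _keystream(key_name: str, file_id: str, length: int) -> bytes:
    """Deterministic keystream from key name and file id. NOT a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{key_name}|{file_id}|{counter}".encode()).digest()
        counter += 1
    return out[:length]


def apply_key(data: bytes, key_name: str, file_id: str) -> bytes:
    """Encrypt or decrypt (the XOR stand-in is symmetric). clear_key is the identity."""
    if key_name == CLEAR_KEY:
        return data
    ks = _keystream(key_name, file_id, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass(frozen=True)
class DataTransformPolicy:
    key_selection: str        # Key Selection Rule: key the data is currently under
    data_transformation: str  # Data Transformation Rule: key to rewrite the data with


def rekey_guard_point(files: Dict[str, bytes], policy: DataTransformPolicy) -> Dict[str, bytes]:
    """Rewrite every file in place, as `dataxform --rekey --gp <path>` does under the policy."""
    for path, stored in files.items():
        plain = apply_key(stored, policy.key_selection, path)
        files[path] = apply_key(plain, policy.data_transformation, path)
    return files


def read_with(files: Dict[str, bytes], path: str, key_name: str) -> bytes:
    """What a process sees: stored bytes decrypted with the key its rule applies.
    CLEAR_KEY models a permitted read without the apply_key effect."""
    return apply_key(files[path], key_name, path)


# Constructed sample guard point, initially plaintext.
SAMPLE = {"/vipdata/a.txt": b"customer 1 record", "/vipdata/b.txt": b"customer 2 record"}

# The lab's dx-AES256-2015 policy: clear_key -> testkey-AES256-2014.
DX_FIRST_ENCRYPT = DataTransformPolicy(CLEAR_KEY, "testkey-AES256-2014")
# Hypothetical later rotation: current key -> a new key.
DX_ROTATE = DataTransformPolicy("testkey-AES256-2014", "testkey-AES256-2016")


def run_demo() -> Dict[str, bytes]:
    """First encryption followed by a rotation; returns the stored bytes afterwards."""
    files = dict(SAMPLE)
    rekey_guard_point(files, DX_FIRST_ENCRYPT)
    rekey_guard_point(files, DX_ROTATE)
    return files


if __name__ == "__main__":
    files = dict(SAMPLE)
    rekey_guard_point(files, DX_FIRST_ENCRYPT)
    print("no apply_key       :", read_with(files, "/vipdata/a.txt", CLEAR_KEY))
    print("testkey-AES256-2014:", read_with(files, "/vipdata/a.txt", "testkey-AES256-2014"))
    rekey_guard_point(files, DX_ROTATE)
    print("after rotate, 2014 :", read_with(files, "/vipdata/a.txt", "testkey-AES256-2014"))
    print("after rotate, 2016 :", read_with(files, "/vipdata/a.txt", "testkey-AES256-2016"))
```

The rotation case is why the Key Selection Rule must name the key the data is actually under: the pass decrypts with that key before re-encrypting, so a wrong current key turns the guard point into unreadable bytes under both keys.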

Part 5 Encrypting data

There are two basic ways to encrypt data with TE:

Copy files into a guard point

Use data transform

Copying files into a guard point encrypts them only if the policy rule that the copy matches carries the apply_key effect.

In this lab you will use both the copy method and the data transform method to encrypt data. More details on data transform are covered in future lab material.

After completing this lab you will be able to encrypt data, demonstrate that the data is encrypted, and show that access is restricted by TE access control.

5.1 Encrypt Windows data

__1. Login to data-node-2.test.com, ID = Administrator Password = Admin123!

__2. Create a new directory c:\vipdata2

__3. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__4. Select the testdomain > Switch to domain

__5. Click Hosts

5.1.1 Create a guard point

__1. Click data-node-2.test.com

__2. Click Guard FS

__3. Click Guard

__4. Select the test-windows-policy

__5. Click Browse to navigate the file system on data-node-2

__6. From the Remote File Browser, select the c:\vipdata2 directory, click Ok

__7. Note: You do not have to use the remote file browser. You can type in the entries in the Path field.

__8. Click Ok to create the new guard point

__9. Click Refresh until the Status is green; this may take a few seconds.

Note: The guard point is now started and the policy rules are now in effect. The Administrator can only perform reads and user1 has full access with application of the encryption key.

__10. Try creating a new file in c:\vipdata2 using an application such as WordPad

5.1.2 Encrypt the data

__1. Logout of data-node-2 as Administrator

__2. Login to data-node-2, ID = user1 Password = Admin123! (You must be user1)

__a. Click Switch User

__b. Click Other User

__c. Type ID and Password

__3. Copy all the files from c:\vipdata to c:\vipdata2

Note: The files are now encrypted in c:\vipdata2. When user1 copies data into c:\vipdata2 the encryption key is applied, because the rule that matches user1 carries the apply_key effect.

__4. Open each of the files in c:\vipdata2

Note: The application of encryption is completely transparent for user1.

__5. Logoff

__6. Login to data-node-2, ID = Administrator, Password = Admin123!

__7. Open each of the files in c:\vipdata2

Note: Administrator behaves differently from user1. Administrator may read the data files, but because the matching rule has no apply_key effect the reads are not decrypted: Administrator sees ciphertext.

__8. Warning: You will get an access-denied message if you try to use Notepad. Notepad does not necessarily open the file through a normal file open; it may map the file into memory and work on that buffer instead. The Vormetric agent blocks this type of access because it would bypass policy enforcement. Use WordPad instead.

5.1.3 Encrypt the data using data transform

__1. Close all open applications and logoff of any session on data-node-2

__2. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1

__3. Switch to the testdomain, click Domains > Switch Domains

__4. Select the testdomain > Switch to domain

__5. Click Hosts

__6. Click data-node-2.test.com

__7. Click Guard FS

__8. Click Guard

__9. Select the dx-AES256-2015 policy

__10. Click Browse to navigate the file system on data-node-2

__11. From the Remote File Browser, select the c:\vipdata directory, click Ok

__12. Click Ok to create the new guard point

__13. Click Refresh until the Status is green; this may take a few seconds.

__14. Login to data-node-2, ID = Administrator, Password = Admin123!

__15. Note: To run the data transform utility you need administrator rights. In this lab both Administrator and user1 are members of the local Administrators group.

__16. From the Start menu, right-click Command Prompt > select Run as administrator

__17. Run the data transform utility on the c:\vipdata guard point

cd "c:\Program Files\Vormetric\DataSecurityExpert\agent\vmd\bin"

dataxform --rekey --gp c:\vipdata

__18. Press y to continue with the data transform when prompted

__19. Run cleanup when data transform is complete

dataxform --cleanup --gp c:\vipdata

__20. Press y to continue with the cleanup when prompted

__21. Note: The data files are now encrypted.

5.1.4 Establish the new guardpoint

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1.voredu.com

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Hosts

__5. Click data-node-2.test.com

__6. Click Guard FS

__7. Select the c:\vipdata guard point and click Unguard

__8. Click Refresh until the guard point is unguarded

__9. Click Guard

__10. Select the test-windows-policy

__11. Click Browse to navigate the file system on data-node-2

__12. From the Remote File Browser, select the c:\vipdata directory, click Ok

__13. Click Ok to create the new guard point

__14. Click Refresh until the Status is green; this may take a few seconds.

__15. Note: The basic benefit of the data transform method is that there is no need to create copies of the data files, which is a major advantage on large data sets.

5.2 Encrypt Linux/Unix data

__1. Login to data-node-1, ID = root Password = Admin123!

__2. Right-click on the desktop and click Open in Terminal

__3. Create a new directory /vipdata2

mkdir /vipdata2

__4. Make the directory fully accessible to any user

chmod 777 /vipdata2

__5. Note: TE access control is applied in addition to OS access control. Even if a policy grants access to a file within a guard point, the OS permissions may still deny that access.

__6. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1

__7. Select the testdomain > Switch to domain

__8. Click Hosts

5.2.1 Edit Host Settings for data-node-1

On Unix/Linux, user ID or group information in a policy rule is not effective until you configure when that information can be trusted. For example, on Linux and Unix the root account can assume any user's ID. TE can prevent this by tracking how IDs are established in the system: it can detect whether a user actually logged in to the system or assumed another user's identity (this is known as ID chaining). In this example we simply trust all accounts on the system regardless of how their identity was established.

__1. Click data-node-1

__2. Click Host Settings

__3. Add the following entry to Host Settings:

__4. |trust|*

__5. Click Ok

__6. Note: This entry lets every process establish an ID context that is acceptable for policy rule evaluation, regardless of how the identity was obtained. More use cases are covered in later material.
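The following Python model is an added illustration of why this setting matters; it is not the agent's ID-chaining implementation and the page does not describe that algorithm. The only Host Settings line taken from the lab is |trust|*; the per-binary form |trust|/path/to/binary used as a contrast is a hypothetical simplification, and the three processes are constructed.

```python
"""Model of why |trust|* matters: which process identities may match user rules.

Added illustration, not the Vormetric agent's ID-chaining logic. The only Host
Settings line taken from the lab is "|trust|*"; the per-binary form
"|trust|/path/to/binary" used for contrast is a hypothetical simplification.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Process:
    pid: int
    uid: str      # user the process currently runs as
    set_by: str   # binary that established that uid, e.g. /bin/login or /bin/su


def parse_trust(host_settings: str) -> Set[str]:
    """Collect trusted identity sources from |trust|<binary or *> lines."""
    trusted = set()
    for line in host_settings.splitlines():
        line = line.strip()
        if line.startswith("|trust|"):
            trusted.add(line[len("|trust|"):])
    return trusted


def effective_user(proc: Process, trusted: Set[str]) -> Optional[str]:
    """User name usable for user-set matching, or None if the identity is untrusted."""
    if "*" in trusted or proc.set_by in trusted:
        return proc.uid
    return None


def outcome(proc: Process, host_settings: str) -> str:
    """test-linux-policy in miniature: user1 -> permit+apply_key, root read -> permit,
    everything else -> deny. An untrusted identity matches no user set."""
    user = effective_user(proc, parse_trust(host_settings))
    if user == "user1":
        return "plaintext"
    if user == "root":
        return "ciphertext (read only)"
    return "denied"


LAB_SETTINGS = "|trust|*"                                      # what the lab configures
STRICT_SETTINGS = "|trust|/bin/login\n|trust|/usr/sbin/sshd"   # hypothetical contrast

LOGIN_USER1 = Process(101, "user1", "/bin/login")   # user1 logged in at the console
ROOT_SU_USER1 = Process(202, "user1", "/bin/su")    # root ran `su user1`
ROOT_LOGIN = Process(303, "root", "/bin/login")     # root logged in directly


if __name__ == "__main__":
    for proc in (LOGIN_USER1, ROOT_SU_USER1, ROOT_LOGIN):
        print(f"pid {proc.pid} uid={proc.uid:5} via {proc.set_by:15}"
              f" lab: {outcome(proc, LAB_SETTINGS):22} strict: {outcome(proc, STRICT_SETTINGS)}")
```

With the lab's |trust|* line, a root shell that runs `su user1` is treated exactly like a user1 login and gets plaintext, so the read-only restriction placed on root in 5.2 holds only as long as root does not switch identity. That is acceptable for a training lab; outside it, trust should be limited to the real login paths rather than the wildcard.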

5.2.2 Create a guard point

__1. Click data-node-1

__2. Click Guard FS

__3. Click Guard

__4. Select the test-linux-policy

__5. Click Browse to navigate the file system on data-node-1

__6. From the Remote File Browser, select the /vipdata2 directory, click Ok

__7. Click Ok to create the new guard point

__8. Click Refresh until the Status is green; this may take a few seconds.

__9. Note: The guard point is now started and the policy rules are in effect. root can only perform reads, and user1 has full access with application of the encryption key.

__10. Warning: On Unix/Linux, user and group criteria in policy rules cannot be evaluated unless the Host Settings have been updated as in 5.2.1.

__11. Try creating a new file in /vipdata2

touch /vipdata2/testfile

5.2.3 Encrypt the data

__1. On data-node-1, logout of the root account

__2. Login to data-node-1, ID = user1 (You must be user1)

__3. Right-click on the desktop and click Open in Terminal

__4. Copy all the files from /vipdata to /vipdata2 (or use the file manager)

cp /vipdata/* /vipdata2/

__5. Note: The files are now encrypted in /vipdata2.

__6. Open each of the files in /vipdata2

__7. Note: The application of encryption is completely transparent for user1.

__8. Logout

__9. Login to data-node-1, ID = root

__10. Open each of the files in /vipdata2

__11. Note: root behaves differently from user1. root may read the data files, but because the matching rule has no apply_key effect the reads are not decrypted: root sees ciphertext.

5.2.4 Encrypt the data using data transform

__1. Close all open applications and logout of any session on data-node-1

__2. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1

__3. Switch to the testdomain, click Domains > Switch Domains

__4. Select the testdomain > Switch to domain

__5. Click Hosts

__6. Click data-node-1

__7. Click Guard FS

__8. Click Guard

__9. Select the dx-AES256-2015 policy

__10. Click Browse to navigate the file system on data-node-1

__11. From the Remote File Browser, select the /vipdata directory, click Ok

__12. Click Ok to create the new guard point

__13. Click Refresh until the Status is green; this may take a few seconds.

__14. Login to data-node-1, ID = root, Password = Admin123!

__15. Right-click on the desktop and click Open in Terminal

__16. Note: To run the data transform utility you must be root.

__17. Run the data transform utility on the /vipdata guard point

dataxform --rekey --gp /vipdata

__18. Press y to continue with the data transform when prompted

__19. Run cleanup when data transform is complete

dataxform --cleanup --gp /vipdata

__20. Press y to continue with the cleanup when prompted

__21. Note: The data files are now encrypted.

5.2.5 Establish the new guardpoint

__1. Login to the management console, ID = superuser, Password = Admin123!

https://dsm-server-1

__2. Switch to the testdomain, click Domains > Switch Domains

__3. Select the testdomain > Switch to domain

__4. Click Hosts

__5. Click data-node-1

__6. Click Guard FS

__7. Select the /vipdata guard point and click Unguard > Click OK

__8. Click Refresh until the guard point is unguarded

__9. Click Guard

__10. Select the test-linux-policy

__11. Click Browse to navigate the file system on data-node-1

__12. From the Remote File Browser, select the /vipdata directory, click Ok

__13. Click Ok to create the new guard point

__14. Click Refresh until the Status is green; this may take a few seconds.

__15. Note: The basic benefit of the data transform method is that there is no need to create copies of the data files, which is a major advantage on large data sets.

__16. Test file access as user1 and root and note the difference in application and user data availability.
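As an added check for step 16 (not a Vormetric tool), the following Python script reads every file in a guard point as the current user and reports whether the read was denied, returned readable text, or returned ciphertext-looking bytes. The printable-ratio heuristic, the temporary sample directory and its two files are constructed for the example; on data-node-1 you would run it against /vipdata2 once as user1 and once as root. A read the agent denies is assumed to surface as EACCES, which Python raises as PermissionError.

```python
"""Check, from the host, that a guard point behaves as the policy says.

Added illustration, not a Vormetric tool. It classifies what a read returns:
denied (assumed to surface as EACCES / PermissionError), plaintext, or
ciphertext-looking bytes. The printable-ratio heuristic and the sample files
created by make_sample_dir() are constructed for the example.
"""
import hashlib
import math
import os
import tempfile
from typing import Dict

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext, typically 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """'plaintext' if almost every byte is printable text, otherwise 'ciphertext'."""
    if not data:
        return "empty"
    printable = sum(1 for b in data if b in PRINTABLE) / len(data)
    return "plaintext" if printable > 0.9 else "ciphertext"


def check_guard_point(path: str) -> Dict[str, str]:
    """Read every regular file under path as the current user and report what came back."""
    results = {}
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file():
            continue
        try:
            with open(entry.path, "rb") as fh:
                data = fh.read(4096)   # the first block is enough to classify
        except PermissionError:
            results[entry.name] = "denied"
            continue
        results[entry.name] = classify(data)
    return results


def make_sample_dir() -> str:
    """Constructed stand-in for /vipdata2: one clear file, one that looks encrypted."""
    d = tempfile.mkdtemp(prefix="vipdata-demo-")
    with open(os.path.join(d, "clear.txt"), "wb") as fh:
        fh.write(b"customer record, plainly readable\n" * 8)
    # sha256 output chained 8 times: 256 pseudo-random bytes, not a real cipher.
    blob, chunk = b"", b"seed"
    for _ in range(8):
        chunk = hashlib.sha256(chunk).digest()
        blob += chunk
    with open(os.path.join(d, "secret.dat"), "wb") as fh:
        fh.write(blob)
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, verdict in check_guard_point(target).items():
        print(f"{name:12} {verdict}")
```

Run it as `python3 check_guard.py /vipdata2`: as user1 every file that user1 wrote should classify as plaintext, as root the same files should classify as ciphertext, and any account that matches only the catch-all rule should see denied. Reading only the first 4096 bytes keeps the check cheap on large files while still giving the heuristic enough bytes.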

Additional Tasks and Questions

The following additional tasks are self-directed and are designed to exercise the lab objectives.

Tasks:

1) Work with users and groups

- Create a new user and group on data-node-1

- Edit the test-linux-policy to grant access to just the user's group

- Edit the test-windows-policy to add a rule allowing full access to the domain group 'Guests'

2) Work with keys

- Create a new key

- Create a new data transform policy for the new key

- Create a directory of your choice, place some data in the directory, and use your new transform policy to encrypt the data

- Create a data transform policy to decrypt the data

- Use the policy to decrypt the guard point

3) Work with encryption

- Create a directory /vipdata3 on data-node-1

- Decrypt the data by copying it out of /vipdata or /vipdata2, whichever is still encrypted.

Questions:

4) What kind of keys can a security administrator with the Key role create?

5) What would happen to the agent and guard points if you changed the hostname of the data server?

6) What would happen if you changed the IP address of the data server?

7) What is the purpose of agent registration?

8) Is it possible to use domain users and groups in a policy?
