
Vormetric Data Security Platform

VDS Quick-start Guide


Release 5
Version 5.2.1

50-1000000-01

MAY 28, 2014


Vormetric Data Security


VDS Quick-start Guide
Release 5, Version 5.2.1
May 28, 2014, Document Draft Version 0.4
50-1000010-01
Produced in the United States of America
Copyright (C) 2009 - 2014 Vormetric, Inc. All rights reserved.
NOTICES, LICENSES, AND USE RESTRICTIONS
Vormetric is a registered trademark of Vormetric, Inc. in the United States (U.S.) and certain other countries.
Microsoft, Windows, Windows XP, Windows NT, SQL Server and the Windows logo are trademarks of Microsoft
Corporation in the U.S., other countries, or both.
UNIX is a registered trademark of The Open Group in the U.S. and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks (including Java, JavaServer Pages, Javadoc, JavaMail, and JavaBeans) are logos and
trademarks or registered trademarks of Oracle, Inc., in the U.S. and other countries, and are used under license.
Oracle, Oracle ASM, Solaris, SPARC, Oracle Enterprise Linux and Java are registered trademarks of Oracle Corporation
and/or its affiliates.
IBM, IBM logo, ibm.com, AIX, DB2, PowerPC, DB2 Universal Database and Informix are trademarks of International
Business Machines Corporation in the U.S., other countries, or both.
Intel, Intel logo, Intel Xeon, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the U.S. and other countries.
HP-UX is a registered trademark of Hewlett-Packard Company in the U.S., other countries, or both.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe
Systems Incorporated in the U.S., other countries, or both.
X Window System is a trademark of the Massachusetts Institute of Technology.
Red Hat and Red Hat Enterprise Linux, are trademarks of Red Hat, Inc., registered in the United States and other
countries.
SUSE and SLES are registered trademarks of Novell, Inc. All other products described in this document are trademarks
of their respective holders.
The Software and documentation contains confidential and proprietary information that is the property of Vormetric,
Inc. The Software and documentation are furnished under Vormetric's Standard Master License Software Agreement
(Agreement) and may be used only in accordance with the terms of the Agreement. No part of the Software and
documentation may be reproduced, transmitted, translated, or reverse engineered, in any form or by any means,
electronic, mechanical, manual, optical, or otherwise.
Licensee shall comply with all applicable laws and regulations (including local laws of the country where the Software is
being used) pertaining to the Software including, without limitation, restrictions on use of products containing
encryption, import or export laws and regulations, and domestic and international laws and regulations pertaining to
privacy and the protection of financial, medical, or personally identifiable information. Without limiting the generality
of the foregoing, Licensee shall not export or re-export the Software, or allow access to the Software to any third party
including, without limitation, any customer of Licensee, in violation of U.S. laws and regulations, including, without
limitation, the Export Administration Act of 1979, as amended, and successor legislation, and the Export
Administration Regulations issued by the Department of Commerce.
Any provision of any Software to the U.S. Government is with "Restricted Rights" as follows: Use, duplication, or
disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical
Data and Computer Software clause at DFARS 252.277.7013, and in subparagraphs (a) through (d) of the Commercial
Computer-Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR Supplement, when
applicable. The Software is a "commercial item" as that term is defined at 48 CFR 2.101, consisting of "commercial
computer software" and "commercial computer software documentation", as such terms are used in 48 CFR 12.212
and is provided to the U.S. Government and all of its agencies only as a commercial end item. Consistent with 48 CFR
12.212 and DFARS 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the Software with only
those rights set forth herein. Any provision of Software to the U.S. Government is with Limited Rights. Vormetric is
Vormetric, Inc. at 2545 N 1st St., San Jose, CA, 95131-1003, (408) 433-6000.
VORMETRIC, INC., PROVIDES THIS SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND ANY WARRANTIES
ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL
HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN
CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO
BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY
FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE
CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER
HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A
RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT
BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD
PARTY SHALL BE BINDING ON VORMETRIC.
Protected by U.S. patents:
6,678,828
6,931,530
7,143,288
7,283,538
7,334,124
Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that
the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2
database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database
directly.

Contents

1 VDS Platform Overview . . . 1
Product Overview . . . 1
What the VDS Platform does . . . 1
What the VDS Platform is . . . 1
VDS Installation and Configuration Road Map . . . 2
Prerequisites . . . 2
VDS Installation, Configuration and Operations Roadmap . . . 3
Management Console Overview . . . 3
Access the Management Console . . . 4
Install licenses . . . 5
Allocate licenses and hours to a domain . . . 5
Set system log preferences . . . 6

2 VDS Administrators and Domains . . . 7
VDS Administrator and Domain Overview . . . 7
VDS administrators . . . 8
To create VDS Platform administrators . . . 11
Create a VDS administrator . . . 11
Create a VDS Domain . . . 13
How to create a domain . . . 13

3 Host Protection . . . 15
Protected Host Overview . . . 15
Add the protected host names to the DSM database . . . 15
Switch to the domain where you want to create the access policy . . . 16
Adding host names to DSM database . . . 17
Install the Agent on the Host . . . 19

4 VDS Policies . . . 21
Policy Overview . . . 21
Policy creation . . . 23
Creating encryption keys . . . 23
Encryption key management . . . 24
Creating the Basic Encryption Policy . . . 26
Create policy . . . 27
Add an encryption key to the policy . . . 29
Creating the initial operational policy . . . 31
Name Policy . . . 31
Create Rule 1 . . . 33
Create Rule 2 for the initial operational policy . . . 36
Add an encryption key to the policy . . . 38
Creating GuardPoints: Applying policies to directories . . . 39
Apply a policy to folders . . . 39

5 Data Encryption and Protection . . . 43
Data Protection Overview . . . 43
Steps for protecting data . . . 43
Determine encryption method . . . 44
Restore encryption method . . . 44
Copy encryption method . . . 45
dataxform encryption method . . . 46
How to decide what method to use . . . 46
Using the Copy or Restore encryption method on file systems . . . 46
Prerequisites . . . 47
Apply the Initial Operational Policy to folders . . . 47
Using the Copy or Restore encryption method on block devices . . . 48
Prerequisites . . . 48
Other information for block devices . . . 48
Apply Initial Operational Policy to block device . . . 49
Using dataxform to encrypt your data . . . 52
dataxform encryption method prerequisites . . . 52
Create dataxform policy . . . 53
Apply the dataxform policy to the GuardPoints . . . 56
Execute dataxform to start data encryption in the GuardPoint . . . 59
Remove the dataxform policy and apply Initial Operational Policy . . . 60
Viewing the audit logs . . . 62
View and Analyze Audit Logs . . . 62
Search audit records by keyword . . . 64
Tune the Policies . . . 64
Policy tuning process . . . 64
Creating the policy . . . 65
Create Rule 1 . . . 66
Add Rule 2 . . . 70
Add Rule 3 . . . 71
Add Rule 4 . . . 72
Add an encryption key to the policy . . . 73

6 DSM Backup and Restore . . . 75
DSM Backup and Restore Overview . . . 75
Create a Backup Encryption Wrapper Key . . . 76
To create the wrapper key . . . 76
Backup the DSM . . . 79
To backup the DSM . . . 79
Restore the DSM from a Backup Image . . . 79
To restore the DSM from a backup configuration . . . 80
Automatic Backups . . . 80
Setting Automatic DSM Backups . . . 81

A Clustering the DSM for High Availability . . . 83
HA Overview . . . 83
Configuring a DSM for Failover . . . 83
Configure the DSM to resolve hostnames . . . 84
Add Failover DSM to Primary DSM cluster . . . 84
Convert Failover DSM . . . 85
Configure Replication from Primary DSM . . . 86


PREFACE

This guide describes:
- How to set up and configure the Vormetric Data Security Platform (VDS Installation and
Configuration Road Map on page 4).
- The essential features, concepts and high-level architecture of the VDS Platform.
- Instructions for how to protect your data on a cloud or on-site host machine (Data Encryption
and Protection on page 28).
- How to set up automatic DSM backup (DSM Backup and Restore on page 52).
- How to set up an HA cluster for DSM (Clustering the DSM for High Availability on page 60).

This book is intended to teach you how to quickly use the Vormetric Data Security Platform
(VDS Platform) to secure sensitive data. More detailed information is available in the Vormetric
Data Security User Guide.

SCOPE
This document describes the basic steps to get your VDS Platform up and running.

INTENDED AUDIENCE
The VDS Quick-start Guide is intended for security teams who are setting up the VDS Platform
for the first time.

Assumptions
This document assumes that you have the following:
- Vormetric Data Security Manager (DSM)
- Linux, UNIX or Windows hosts on which you wish to install the Vormetric Transparent Encryption
Agent to protect your data
- VDS documentation (see Related documents on page vi)
This documentation assumes knowledge of network configuration.


RELATED DOCUMENTS
Vormetric Data Security Platform User Guide
Vormetric Data Security Manager Installation Guide
Vormetric Transparent Encryption Agent Installation and Configuration Guide
Vormetric Data Security Release Notes

TYPOGRAPHICAL CONVENTIONS
This section lists the common typographical conventions for Vormetric technical publications.

Typographical Conventions

Convention | Usage | Example
bold, Times New Roman font | GUI labels and options | Click the System tab and select General Preferences.
bold, fixed width (Courier New) | commands, arguments, switches, options, variables, elements, properties, objects, parameters, events | session set appname=
regular fixed width (Courier New) | Command and code examples; XML examples | Example: session start iptarget=192.168.253.102
italic regular font | GUI dialog box titles | The General Preferences window opens.
italic regular font | Non-literal symbols | myport, Failover.Port
italic regular font | File names, paths, and directories | /usr/bin/
italic regular font | URLs and names of protocols | http://server.domain.com:90/
italic regular font | Text to be replaced | <hostname>
italic regular font | Emphasis | Do not resize the page.
italic regular font | New terminology | CDF (Carousel Definition Format)
quotes | File extensions | .js, .ext
quotes | Attribute values | true false, 0
quotes | Terms used in special senses | 1+1 hot standby failover

SERVICE UPDATES AND SUPPORT INFORMATION


Vormetric's Master Software License and Hardware Purchase Agreement (MSLA) defines
software updates and upgrades, support and services, and governs the terms under which they
are provided. Any statements made in this guide or collateral documents that conflict with the
definitions or terms in Vormetric's MSLA, shall be superseded by the definitions and terms of
the MSLA. Any references made to upgrades in this guide or collateral documentation can
apply either to a software update or upgrade.

SALES AND SUPPORT

For support and troubleshooting issues:
help.vormetric.com
Email questions to support@vormetric.com or call 877-267-3247

For Vormetric Sales:
http://enterprise-encryption.vormetric.com/contact-sales.html
(888) 267-3732
sales@vormetric.com

VDS PLATFORM OVERVIEW


This chapter describes the features, components and high-level architecture of the Vormetric
Data Security Platform (VDS Platform). It also describes how to log on to the VDS Management
Console. This chapter consists of the following sections:
- Product Overview on page 1
- VDS Installation and Configuration Road Map on page 2
- Management Console Overview on page 3

PRODUCT OVERVIEW


What the VDS Platform does


The VDS Platform combines encryption, context-aware access control, and fine-grained audit
trails to create a data protection and encryption solution which is transparent to end users and
applications. With no changes to the existing infrastructure, the VDS Platform supports
separation of duties between data owners, server administrators and security administrators.
The VDS Platform protects data at rest. It can protect data residing on locally attached storage
(DAS), network-attached storage (NAS) or storage area networks (SAN). This storage can be a
mapped drive or mounted disk, or be reached through UNC paths.
The VDS Platform supports FIPS 140-2.

What the VDS Platform is


VDS consists of a Data Security Manager (DSM) and one or more Vormetric Transparent
Encryption (VTE) agents residing on your protected hosts. Protected hosts contain your
sensitive data, or, if connected to a NAS or SAN, have access to your sensitive data. Protected
hosts can be on-site, in the cloud, or a hybrid of both.
The DSM is the central component of VDS, storing and managing data encryption keys, data
access policies, administrative domains, and administrator profiles. The DSM can be either a
security-hardened hardware appliance or a virtual appliance. The agents communicate with the
DSM and implement the security policies on their protected host systems.

The architecture of VDS is shown below.

Figure 1: Vormetric Data Security Architecture

The circled Vs represent the Vormetric Transparent Encryption agents on protected hosts; VM
denotes virtual machines. Communication between agents and the DSM is encrypted and secure. The
VDS Administrators establish access and encryption policies through the Management Console,
a browser-based interface to the DSM.
The VDS Platform achieves security with complete transparency to end users and no sacrifice of
application performance. It requires no changes to your existing infrastructure and supports
separation of duties between data owners, system administrators and security administrators.

VDS INSTALLATION AND CONFIGURATION ROAD MAP

Use the following road map to install and configure your VDS system.

Prerequisites:
You have received from Vormetric:
- DSM device(s)
- Agent licenses. A default number of licenses is installed on the DSM devices. If you run out or
the licenses expire, contact Vormetric Customer Support to get more.
- VDS documentation (DSM Installation Guide, VDS User Guide, this VDS Quick-start Guide and
the Windows, UNIX and Linux Release Notes).
You have installed:
- UNIX, Linux, or Windows hosts on which you would like to protect data. These hosts conform to
the support matrices in the VDS UNIX, Linux or Windows Release Notes, and they have network
connectivity to the DSM.

VDS Installation, Configuration and Operations Roadmap


To set up the VDS Platform to protect your hosts, the following steps are required:
1 Install and configure your DSM. See the DSM Installation Guide.
2 Configure log preferences (see Management Console Overview on page 3).
3 Create VDS administrators and domains in the DSM. See VDS Administrators and Domains on
page 5.
4 Add your protected host names or IP addresses to the DSM database. See Add the protected
host names to the DSM database on page 11.
5 Install VTE agents on your protected hosts and register them to the DSM. See the Vormetric
Transparent Encryption Agent Installation and Configuration Guide. If you have obtained your
host from a third party, they will install the VTE agents and provide you with the host names.
6 If you are setting up a high availability configuration, add additional DSMs as necessary. See
Clustering the DSM for High Availability on page 60.
7 Back up your DSM (DSM Backup and Restore on page 52).
8 Optional: Set up your DSM for HA (Clustering the DSM for High Availability on page 60).
9 Set up GuardPoints (VDS protected directories) on your protected hosts and encrypt your
data. See VDS Policies on page 15 and Data Encryption and Protection on page 28.

MANAGEMENT CONSOLE OVERVIEW

The VDS Management Console is the primary interface to the security features of the VDS
Platform. VDS administrators perform almost all security work through the Management
Console. You can access the Management Console as soon as the DSM has been installed and
configured (see the Data Security Manager Installation Guide). In this section you will do the
following:


Access the Management Console


Logging into the Management Console is the most common operation you will perform as a
VDS Platform administrator. Here's how to do it:
1 Open a browser and enter the DSM URL over HTTPS. (This is either the DSM hostname, if
configured in DNS, or its IP address.) Example URL: https://dsm.vormetric.com
The Login window displays.

2 Enter the default login and password. The default login is admin. The default password is
admin123.
Note: You will be asked to change the default password upon first log in. Remember this new
password or you will not be able to log in again!
The Dashboard window displays.


Install licenses
Upload a license file
1 Get the license file from Vormetric.
2 Log on to the Management Console on the primary server as an administrator of type System
Administrator or All.
3 Select System > License in the menu bar. The License window opens.
4 Click Upload License File. The Upload License File window opens.
Note: If you are in a domain, the Upload License File button is disabled. Click Domain > Exit
Domain.
5 In the License File box, enter the full path of the license file or click Browse to locate and select
the license file.
6 Click Ok.

Allocate licenses and hours to a domain


Use these procedures to control how many licenses (Term) or license hours (Hourly) can be
used in a domain, under the License tab in the Edit Domain window.
1 Click Domains > Manage Domains. The Domains window lists all the domains available to the
current administrator.
2 Click the domain link in the Name column. The Edit Domain window opens to the General tab.
3 Click the License tab. The fields under the License tab operate as follows:
- Leave a field blank: agents can be registered in the domain according to the number of
licenses available on the system.
- Enter a zero: no agents can be registered in this domain.
- Enter a number in an Agent (Term) or Agent (Perpetual) field: the domain is restricted to that
number of hosts registered with that type of license.
- Enter a date in the Expiration Date (Term) field: new hosts cannot register after the expiration
date. Active hosts continue to function until they are unregistered or rebooted.
- Enter a number in the Core Hours (Hourly) field: the domain is restricted to that number of
core CPU hours with that agent. Active hosts continue to function until they are unregistered or
rebooted.
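The License-tab rules above hinge on a distinction that is easy to get wrong when they are checked in code: a blank field defers to the system-wide license pool, while an explicit zero blocks all registration in the domain. The following model of the registration decision is an added example written for this guide, not Vormetric code and not the DSM's actual implementation; the DomainLicense and DomainUsage structures, the field names, the license-type strings and the system-wide pool count are all assumptions made for the illustration.

```python
# Added example (not Vormetric code): a model of the domain License-tab
# registration rules. Structures, field names and license-type strings are
# assumptions made for this illustration, not the DSM's real data model.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DomainLicense:
    """License-tab settings for one domain. None models a field left blank."""
    term_limit: Optional[int] = None         # Agent (Term) field
    perpetual_limit: Optional[int] = None    # Agent (Perpetual) field
    term_expiration: Optional[str] = None    # Expiration Date (Term), "YYYY-MM-DD"
    core_hours_limit: Optional[int] = None   # Core Hours (Hourly) field


@dataclass
class DomainUsage:
    """Current consumption inside the domain (constructed sample state)."""
    term_hosts: int = 0
    perpetual_hosts: int = 0
    core_hours_used: int = 0


def can_register(lic: DomainLicense, usage: DomainUsage, license_type: str,
                 today: str, system_licenses_available: int) -> bool:
    """Return True if a new host with the given license type may register.

    Rules modelled from the License-tab description:
      blank field     -> fall back to the licenses available on the system
      explicit zero   -> nothing may register in this domain
      number N > 0    -> at most N hosts (or core hours) of that type
      expiration date -> no new Term registrations after that date
    """
    if license_type == "term":
        limit, used = lic.term_limit, usage.term_hosts
        if (lic.term_expiration is not None
                and date.fromisoformat(today) > date.fromisoformat(lic.term_expiration)):
            return False
    elif license_type == "perpetual":
        limit, used = lic.perpetual_limit, usage.perpetual_hosts
    elif license_type == "hourly":
        # Assumption: registration is allowed while core hours remain in the cap.
        limit, used = lic.core_hours_limit, usage.core_hours_used
    else:
        raise ValueError(f"unknown license type: {license_type}")

    # 'is None', never 'not limit': a blank field and an explicit 0 mean
    # opposite things, and a truthiness check would silently treat a zero
    # cap as "defer to the system pool", re-enabling registration.
    if limit is None:
        return system_licenses_available > 0
    return used < limit


def demo() -> dict:
    """Constructed scenarios covering each rule; returns the decisions."""
    capped = DomainLicense(term_limit=2, perpetual_limit=0,
                           term_expiration="2014-12-31")
    blank = DomainLicense()
    one_term_host = DomainUsage(term_hosts=1)
    return {
        "term_under_cap": can_register(capped, one_term_host, "term", "2014-06-01", 10),
        "term_at_cap": can_register(capped, DomainUsage(term_hosts=2), "term", "2014-06-01", 10),
        "term_after_expiry": can_register(capped, one_term_host, "term", "2015-01-01", 10),
        "perpetual_zero_cap": can_register(capped, one_term_host, "perpetual", "2014-06-01", 10),
        "blank_with_pool": can_register(blank, one_term_host, "perpetual", "2014-06-01", 10),
        "blank_pool_exhausted": can_register(blank, one_term_host, "perpetual", "2014-06-01", 0),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'may register' if allowed else 'blocked'}")
```

Note that the expiration and hour-cap rules only gate new registrations: as the text states, hosts that are already active keep running until they are unregistered or rebooted, so reaching a cap is not by itself a way to revoke access from a running agent.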


Set system log preferences


1 Click System > Log Preferences > FS Agent Log. The File System Log Preferences window opens.
2 If not already done, make the following log preference changes:

Change Policy Evaluation/Level to INFO, and check the Policy Evaluation/Log to File/Level
checkbox.
Click Apply and Ok. This is a more useful log preference setting.


VDS ADMINISTRATORS AND DOMAINS


Once your DSM is installed and configured, you must 1) create VDS administrator accounts for
the administrators who will be responsible for data security, and 2) create VDS domains
containing the hosts that VDS administrators will protect. Once hosts are added to the
domains, VDS administrators can create encryption keys and policies, assign them to sensitive
data, and perform other data security operations through the Management Console.
This chapter describes Vormetric Data Security (VDS) administrators and domains--what they
are and how to create them. It contains the following sections:
VDS Administrator and Domain Overview on page 7
To create VDS Platform administrators on page 11
Create a VDS Domain on page 13

VDS ADMINISTRATOR AND DOMAIN OVERVIEW

VDS Platform administrators (or simply VDS administrators) manage the VDS infrastructure and perform
various security operations to protect sensitive data on hosts. Vormetric recommends not assigning this role
to system administrators of protected hosts. System administrators generally have access to all the
data on all the machines that they administer. To enforce separation of duties, a VDS administrator
should have no access to data or user accounts on any protected host. The VDS
administrator's sole responsibility is to provide data access to those who need it and block data
access to those who don't need it--including system administrators.
The VDS Platform allows you to group one or more protected hosts and their associated encryption
keys and policies in a container called a VDS domain. VDS domains allow horizontal separation
of the DSM, where different business units, application teams or geographical locations can share a
DSM without having access to each other's security configuration. The domain is a logical
entity that separates administrators and the data they access from other administrators.
Administrative tasks are performed in each domain based upon each administrator's assigned
type. The benefits of administrative domains are:
- Segregation of data for increased security
- Separation of responsibilities
- No one administrator has complete control over Vormetric Data Security and the data it
protects

Figure 2: Vormetric Data Security Domains

VDS administrators
VDS administrators protect data by establishing data access policies, encrypting data, and
auditing data access attempts. VDS administrators are assigned to domains, which are groups
of one or more VDS-protected hosts sharing the same administrators and data security policies.
After initial DSM configuration, you can log in with the default VDS System Administrator account,
admin. It is highly recommended that you use this account to log in to the DSM web console and
create other administrator accounts. After this operation, you should no longer use the admin account;
use the newly created accounts for any further configuration.
Five types of administrators are provided, each of which is allowed to perform specific administrative
tasks. The administrator types are:

Role: System Administrator
Permissions:
  Add and delete all administrators
  Reset passwords for all administrators
  Add and delete all domains
  Assign one Domain Administrator to each domain
  Configure HA
  Configure syslog server for system-level messages
  Upgrade DSM software
  Backup and restore DSM database
  Install license file
  Import 3.x configuration
  Configure preferences
  View logs

Role: Domain Administrator
Permissions:
  Add and remove administrators (Domain, Security, All) to and from domains
  Configure Security Administrator roles (Audit, Key, Policy, Host, Challenge & Response)
  Configure syslog server for application-level messages
  View preferences
  View logs

Role: Security Administrator
Permissions:
  Configure signature sets
  Configure keys and key groups
  Configure online and offline policies
  Configure hosts and host groups
  Assign host passwords (manually or generated)
  Apply GuardPoints
  Share a host with another domain
  Export the DSM public key
  Import symmetric keys
  View preferences
  View logs

Role: Domain and Security Administrator
Permissions:
  Domain Administrator and Security Administrator combined. Administrators of this type
  are deleted from the DSM database upon switching from relaxed to strict domain mode.

Role: All
Permissions:
  System, Domain, and Security Administrators combined. Administrators of type All are
  deleted from the DSM database upon switching from relaxed to strict domain mode.

By default, an administrator is assigned one administrative type and is allowed to perform the
tasks for that one administrative type only. This approach requires at least three administrators,
each assigned to a different type. Administrator type assignment can also be configured so that
one administrator can perform the tasks of all three administrative types--System, Domain, and
Security Administrator. This approach provides less control because one administrator can
administer the entire DSM. Also, a single administrator can be configured to perform the tasks
of a Domain Administrator and Security Administrator combined. The Domain and Security
Administrator can perform every task that is allowed a user from inside a domain. For example,
the Domain and Security Administrator can add users to the domains of which it is a member,
but it cannot create new users.
System Administrator type
The System Administrator type operates outside of domains. It creates domains and assigns
administrators of type Domain Administrator to the domains. Administrators of types Domain
Administrator and Security Administrator operate within those domains. Administrators of type
All can operate both inside and outside of domains. When an administrator of type All enters a
domain, the administrator can perform Domain Administrator and Security Administrator
tasks. When an administrator of type All exits the domain, the administrator can perform
System Administrator tasks.
The default DSM administrator, admin, has a System Administrator type. In this type, the
admin administrator creates additional administrators and domains, and then it assigns one
administrator of type Domain Administrator to each domain.
Domain Administrator type
The Domain Administrator adds additional Domain Administrators to each domain. One
Domain Administrator can be a member of multiple domains. If a Domain Administrator is a
member of multiple domains, it can easily switch between the domains. The Domain
Administrator also adds Security Administrators to a domain and assigns them roles (for
example, Audit, Key, Policy, Host, and/or Challenge & Response) that are applied only within
that domain.
The System Administrator creates domains but does not operate within them; however, all
tasks performed by the Domain Administrator and Security Administrator occur within
domains. The Domain Administrator and Security Administrator must always know what
domain they are in before performing any task. If you log in as a Domain Administrator or a
Security Administrator, and you notice that the administrator, host, or log data is wrong, you
are most likely in the wrong domain.

Security Administrator type


One Security Administrator can be assigned to multiple domains; however, the Security
Administrator has only the roles that were assigned when it was made a member of that
domain. That is, the same administrator can have different roles in different domains.
Roles are assigned by Domain Administrators when they assign a Security Administrator to a
domain. The roles are briefly described below. For detailed information see the
VDS Users Guide.
Audit. Allows the Security Administrator to view log data.
Key. Allows the Security Administrator to create, edit, and delete local key-pairs, public keys
only, and key groups. Can also view log data.
Policy. Allows the Security Administrator to create, edit, and delete policies. (A policy is a set of
rules that specify who can access which files with what executable during what times. Policies
are described in more detail later.) Can also view log data.
Host. Allows the Security Administrator to configure, modify, and delete hosts and host groups.
Can also view log data. The Challenge & Response role is automatically selected when the Host
role is selected.
Challenge & Response. Allows a VDS Security Administrator to generate a temporary password
to give to a system user to decrypt encryption keys cached on the host when there is no connection
to the DSM.

TO CREATE VDS PLATFORM ADMINISTRATORS

.....................................................................
This section describes how to create VDS administrators. A default VDS Administrator called
admin is already created. Additional administrators are required to perform duties that admin
cannot.

Create a VDS administrator


1 Log in to the Management Console as the DSM System Administrator admin.
2 Click Administrators.

The Administrators window opens listing all the administrators for this DSM.

admin is created by default and cannot be deleted.


3 Click Add. The Add Administrator window appears.

4 Enter your information into the corresponding text fields. Example:

Login:             <Choose a name, for example, alladmin>
Description:       Admin of type All
Password:          Temp123!
Confirm Password:  Temp123!
User Type:         All

Note: The first time you log in to the Management Console on a newly created VDS
Administrator account, you will be prompted to change its password. You will not be allowed to
use the same password that you enter here. If you have a specific password you want to use, do
not enter it here as you will have to change it at first login.
5 Click Ok. A new Vormetric Administrator is created.

CREATE A VDS DOMAIN

.....................................................................
A VDS domain is a group of one or more VDS-protected hosts under the control of an assigned
VDS administrator. Before a protected host can be administered, it must be placed in a domain.

How to create a domain


1 If you are already logged into the Management Console, log out and log in again as the DSM
System Administrator admin. Otherwise, just log in as admin.

2 On the menu bar click Domains > Manage Domains to bring up the Manage Domains window.

3 Click Add to bring up the Add Domain window.

4 Under the General tab, fill in a Domain Name. For example, Marketing_Domain. The next two
fields are optional. Description identifies the domain. Help Desk Information is the phone
number to call to get the response string for challenge-response authentication. If you leave this
box empty, the default message is Please contact a Security Server administrator for a
response.
5 Click Ok to create the new domain.
6 Click the Assign Admin tab to assign a VDS administrator. You can assign an administrator
anytime after the domain is created. Note that you will not be able to switch to, or access, the
domain until you assign an administrator.
7 After the domain is created and has an administrator, you can add hosts to it. See Add the
protected host names to the DSM database on page 11 and Install the Agent on the Host on
page 14.

HOST PROTECTION

.....................................................................
A host is a machine that stores your sensitive data. A protected host contains a VTE agent that
downloads the data protection policies and encryption keys from the DSM. The agent enforces
those policies and encrypts data as specified.
This chapter describes how to create protected hosts. It consists of the following sections:
Protected Host Overview on page 15
Add the protected host names to the DSM database on page 15
Install the Agent on the Host on page 19

PROTECTED HOST OVERVIEW

.....................................................................
Before you can create protected hosts, you must have a working DSM and your hosts must have
network connectivity to the DSM. The steps for creating protected hosts are:
Add the protected host names to the DSM database (Add the protected host names to the DSM
database on page 15).
Install the VTE Agent on the host and register it with the DSM. See the Vormetric Transparent
Encryption Agent Installation and Configuration Guide.
Add encryption and access policies to specific directories on the host (VDS Policies on page 15).

ADD THE PROTECTED HOST NAMES TO THE DSM DATABASE

.....................................................................
Your host names must be added to the DSM database before the VTE agent can be installed and
data protected on them. This section describes how to do this. To add a host to the DSM
database, you will need the host's name, fully qualified domain name (FQDN--54 characters
max) or IP address.

Switch to the domain where you want to create the access policy
1 Log on to the Management Console as a Security Administrator with Key and Policy roles or as an
administrator of type All.
2 Switch to the domain containing the host you wish to protect. Click Domains > Switch Domains

The Switch Domains window opens.

3 Select the domain that will contain the protected host and click Switch to domain. The domain
in which you are working is displayed in the upper right corner of the Management Console. A
domain was created in Create a VDS Domain on page 13.

Adding host names to DSM database


1 Select Hosts > Hosts in the menu bar. An empty Hosts window opens.

2 Click Add. The Add Host window opens.

3 Enter the following information:


Host Name: Enter the IP address, host name or FQDN. Host names cannot contain an
underscore.
Password Creation Method: Select a password creation method. This is the password that a host user can use to unlock a
GuardPoint when the connection to the DSM is broken. For example, if a host user cannot
access a GuardPoint because the connection to the DSM is down, the user can execute a VDS
password command on the host. The command will provide the phone number of the Security
Administrator, who will provide the user with a password to access the GuardPoint. If the
method selected is Manual, then this password is static. If the method selected is Generate,
then the user will be given a challenge string to provide to the Security Administrator, who will
use the string to generate a dynamic password. Select Generate.
Description: Optional. Enter text to identify the host or its function. Limited to 256 characters.
Registration Allowed Agents: Select the agents that will run on the host system. Depending on
your license, your choices are FS (file system), Key (for Oracle database or Microsoft SQL TDE)
and DB2 (backup). You must select the agents here before you can register that agent with the
DSM.
License Type: Choose the type of license that will run on this host. Options are Perpetual,
Term, and Hourly, depending on the system license.
4 Click Ok. You are returned to the Hosts window.
5 Click the hostname link that you just added to the DSM database. This brings up the General tab
of the Edit Host window. Make sure the Communication Enabled checkbox is checked for all
agent types registered.

6 Your host is added to the DSM database.


7 Repeat for all your protected hosts.

INSTALL THE AGENT ON THE HOST

.....................................................................
Once your hostnames are added to the DSM database, you can install the VTE agent on the
host and register it with the DSM. See the Agent Installation and Configuration Guide. After
installing and registering your VTE agent on your host, you can create policies to protect its
data. See VDS Policies on page 15.
The Hosts window with protected hosts is shown below.

VDS POLICIES

.....................................................................
This chapter describes data security policies and how to create them. You will create a policy
that will be used in subsequent chapters. This chapter contains the following sections:
Policy Overview on page 21
Creating encryption keys on page 23
Creating the Basic Encryption Policy on page 26
Creating the initial operational policy on page 31
Creating GuardPoints: Applying policies to directories on page 39

POLICY OVERVIEW

.....................................................................
The VDS Security Administrator creates policies to protect data. Policies employ two
mechanisms to do this:
Data encryption. Policies can specify that data written to a particular directory (called a
GuardPoint) is encrypted. That data can only be decrypted by specified users. Anyone else who
tries to access it will only get useless encrypted data.
Access control. Policies can specify which users can access which files and directories in a
GuardPoint. Policies can furthermore specify which executables and actions can be used and at
what times.
Thus, policies govern access to, and encryption of, the files in Vormetric-protected directories
called GuardPoints. Furthermore, policies can enable auditing such that each time a user
accesses a GuardPoint, a log message is created with all the details.

A VDS policy itself consists of a set of rules that control how GuardPoint data can be accessed
by users and processes. Each rule consists of five criteria and an effect:

Criteria   Description
Resource   Specifies which files and/or directories in a GuardPoint are to be protected.
           Example: /secure_dir/financials. Default is All.
User       Specifies which user(s) or groups can access protected data. Default is All.
Process    Specifies which executables can access protected data. Default is All.
When       Specifies the time range when protected data can be accessed. Default is All.
Action     Specifies the allowed action(s) on the protected data. Example: read, write, remove,
           rename, make directory. Default is All.

Every time a user or application attempts to access a GuardPoint file, the access attempt passes
through each rule of the policy until it finds a rule where all the criteria are met. When a rule
matches, the Effect associated with that rule is enforced. Effect can have the following values:
Permit or Deny - Specifies whether access to protected data is permitted or denied.

Apply Key - Specifies that data going in or coming out of a GuardPoint be encrypted.
Audit - Specifies that data access attempts be recorded and logged.
A criterion field that is left blank specifies a value of All. Thus, if User is blank, the rule applies to
all users; if When is blank, the rule applies to all times; if Process is blank, the rule applies to all
executables, and so on. Effect can never be blank. It must have at least a Permit (allow access)
or Deny (deny access).
Rules are evaluated much like firewall rules; they are evaluated in order, from first to last, and
evaluation stops when a match is made on a given rule. Therefore, it is important to carefully
order a policy's rules to achieve the desired result.
Note: We recommend creating policies that follow the model of PERMIT ALL EXCEPT, as it is
generally easy to create and understand, and accommodates most circumstances.

Policy creation
The rest of this chapter describes how to create policies. Two specific policies are
described: the Basic Encryption Policy and the Initial Operational Policy.
The Basic Encryption Policy simply encrypts data written to a GuardPoint, and decrypts it when
it is accessed from the GuardPoint directory by an authorized user (a user with directory-read
permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable
data. This is described in Creating the Basic Encryption Policy on page 26.
The initial operational policy is designed to encrypt the data and also control user access. The
initial operational policy audits all GuardPoint activity and provides a detailed log of access and
usage. By studying the audit log, the Security Administrator can tune the policies to limit which
users have access to the decrypted data, as well as what executables and actions they can use.
See Creating the initial operational policy on page 31.
Before either of these policies is created, you must create encryption keys. See Creating
encryption keys on page 23.

CREATING ENCRYPTION KEYS

.....................................................................
Encryption keys encrypt and decrypt data. Once encryption is applied, you must keep track of
the encryption keys that you are using. Encrypted data is unusable without the proper keys.
A key's attributes and the policies you apply to a host determine if a constant connection is
required between the DSM and the File System Agent. Hosts with their keys Stored on DSM Server
require a constant connection to the DSM. As long as the DSM and host are connected, the
policies stay in effect. When the network connection is interrupted, users cannot access
encrypted data. Users can resume access after the network connection is re-established.
Hosts with keys Cached on Host are a different matter. The policies stay in effect as long as the
DSM and host are connected. When the network connection is interrupted, data access is
interrupted; however, users can still access encrypted data by requesting a temporary password
from a Security Administrator.
See the VDS Users Guide for more details.

Encryption key management


Establishing encryption key strategy
You can create a single data encryption key for each GuardPoint, for each server, for all the
servers in your company, or anything in between. Additionally, there can be one key for each of
the major environments, for example, your production and non-production environments.
You want to choose an approach that strikes a balance between maximizing security and
minimizing the administrative overhead of periodic key rotations. Basically, more keys can
provide more security at the cost of more complexity and overhead.
Encryption Key Naming convention
Define a naming convention for creating data encryption keys. This allows administrators to
know where the key will be applied to encrypt/decrypt data. The following is an example of a
simple self-documenting key naming convention:
[BU]_[Environment]_KEY_[Strength]_[date]_[n]
Where:
BU is the name of the business unit.
Environment indicates the environment for this key. For example: production or non-production.
Key is a literal labeling this file as a key file.
Strength is the algorithm used to create the key and the key length.
date indicates the date (year and month) this key was created.
n indicates this is the nth copy of the key.
Below is an example of a key name using this convention:
SALES_PROD_KEY_AES256_2014-04_2
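As an added example (not part of this guide), the following Python parser and validator for the naming convention above also picks the newest key for each business unit and environment from a list of key names; the allowed environment and strength vocabularies, and the rule that components contain no underscore, are assumptions, since the guide only names production/non-production and AES256.

```python
"""Parser and validator for the self-documenting key naming convention
[BU]_[Environment]_KEY_[Strength]_[date]_[n]. Added example, not Vormetric code."""
import re
from dataclasses import dataclass

# Assumed vocabularies: the guide only names production/non-production and AES256.
ENVIRONMENTS = {"PROD", "NONPROD"}
STRENGTHS = {"AES128", "AES256"}
NAME_LIMIT = 64  # Name field limit given under "Creating a data encryption key"

# Components may not contain "_" because it is the field separator (assumption).
KEY_NAME_RE = re.compile(
    r"^(?P<bu>[A-Z0-9]+)_(?P<env>[A-Z0-9]+)_KEY_(?P<strength>[A-Z]+[0-9]+)"
    r"_(?P<year>\d{4})-(?P<month>\d{2})_(?P<n>\d+)$"
)


@dataclass(frozen=True)
class KeyName:
    bu: str
    environment: str
    strength: str
    year: int
    month: int
    copy: int          # the "n" field: nth copy of the key


def parse_key_name(name):
    """Split a key name into its fields, raising ValueError on the first failed check."""
    if len(name) > NAME_LIMIT:
        raise ValueError(f"key name longer than {NAME_LIMIT} characters")
    m = KEY_NAME_RE.match(name)
    if m is None:
        raise ValueError("name does not follow [BU]_[Environment]_KEY_[Strength]_[date]_[n]")
    if m["env"] not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {m['env']!r}")
    if m["strength"] not in STRENGTHS:
        raise ValueError(f"unknown strength {m['strength']!r}")
    month = int(m["month"])
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month {m['month']!r}")
    return KeyName(m["bu"], m["env"], m["strength"], int(m["year"]), month, int(m["n"]))


def is_valid_key_name(name):
    try:
        parse_key_name(name)
        return True
    except ValueError:
        return False


def current_keys(names):
    """Newest key (by creation year-month, then copy number) for each BU/environment pair."""
    current = {}
    for name in names:
        k = parse_key_name(name)
        slot = (k.bu, k.environment)
        order = (k.year, k.month, k.copy)
        if slot not in current or order > current[slot][0]:
            current[slot] = (order, name)
    return {slot: name for slot, (_, name) in current.items()}
```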

Creating a data encryption key


1 Go to Keys > Agent Keys > Keys in the Management Console to bring up the Agent Keys window.

2 Click Add to bring up the Add Agent Key window.

3 Enter a key name, description and security algorithm.


Name: Name of key. 64 character limit.
Description: Optional key description. 265 character limit.
Template: A key template with a set of pre-defined attributes. To create a Microsoft SQL Server
TDE agent asymmetric key, choose Default_SQL_Asymmetric_Key_Template and do not change
any of the custom attribute values.
Algorithm: Algorithm used to create the key.
Key Type: Location for the encryption key. Stored on Server keys are downloaded to
non-persistent memory on the host. Each time the key is needed, the host retrieves the key from
the DSM. Cached on Host downloads and stores (in an encrypted form) the key in persistent
memory on the host. The cached keys are used when there is no network connection between
the host and DSM. All hosts using the same encryption key can access encrypted data on other
hosts that use the same key. The Unique to Host checkbox is displayed when Cached on Host is
selected.
Unique to Host: When enabled with Cached on Host, makes the encryption key unique. The
key is downloaded to the host, encrypted using the host password, and stored. These keys are
used for locally attached devices, as files encrypted by them can only be read by one machine.
Do not enable this checkbox for cloned systems, RAID configurations, clustered environments,
or any environment that utilizes host mirroring. Requires that Key Creation Method is set to
Generate.
Key Creation Method: Select to generate a key using a random seed (Generate) or by Manual
Input.
Expiry Date: Date the key expires.
Key Refreshing Period (minutes): Used only with the Oracle Database TDE and Microsoft SQL
Server TDE Key Agent. Minutes you want the key in the local key cache before it is refreshed.
Example:
Name:         SALES_PROD_KEY_AES256_2014-04_2
Description:  Key for Sales Dept.
Algorithm:    AES256

All other values are the default.


4 Click OK. Your new key is created and displayed in the Agent Keys window.

5 Create as many keys as desired.

CREATING THE BASIC ENCRYPTION POLICY

.....................................................................
The Basic Encryption Policy encrypts data written to a GuardPoint and decrypts it when it is
accessed from the GuardPoint directory by an authorized user (a user with directory-read
permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable
data.
The Basic Encryption Policy consists of a single rule:
Rule 1 specifies that data written to a GuardPoint is encrypted, and that any user with access to
the GuardPoint directory can access the decrypted data.

The rest of this section describes how to create the Basic Encryption Policy.

Create policy
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the Basic Encryption Policy. See Creating encryption keys on
page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
there are two policies.

4 Click Add Online Policy to create a new policy. The Add Online Policy window opens. Enter a
name and optional description for your policy. In our example we use the name basic-encryption-policy.

5 Click Add in the Security Rules panel. The Add Security Rule window opens.

6 Click Effect. The Select Effect window opens. Select Permit (permit user access) and Apply Key
(encrypt data written into the GuardPoint).

7 Click Select Effect. The Edit Security Rule window opens with Effect defined. Click Ok. The Edit
Online Policy window opens with Rule 1 added.

Add an encryption key to the policy


Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.

1 Click Add in the Key Selection Rules panel.

2 The Add Key Rule window opens.

3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
The Resource field is optional. It opens the Resource Set List window from which you can select or
create the resource set whose members are to be encrypted. See the VDS Users Guide for details.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.

5 Click Ok. The basic-encryption-policy is created. When you apply this policy to a
directory, that directory becomes a GuardPoint, and any data written to that directory is
encrypted. The policy encrypts data copied in and decrypts data accessed from the GuardPoint.

CREATING THE INITIAL OPERATIONAL POLICY

.....................................................................
An initial operational policy is often the first data security policy applied to a GuardPoint. The
initial operational policy described here:
Encrypts all data written into the GuardPoint.
Decrypts the GuardPoint data for any user who attempts access.
Audits and creates log messages for every GuardPoint access.
Reduces log message noise so you can analyze the messages that are important to you for
tuning this policy.
In a common VDS deployment you apply the initial operational policy to a GuardPoint, write
your sensitive information into the GuardPoint directory so that it is encrypted, and direct data
users to this new directory. Over time you analyze the audit messages to assess who accesses
protected data and how. You then tune the initial operational policy to limit access and
decryption to only those who need it, using only appropriate executables, exercising only the
appropriate actions (read, write, modify and so on) and at the appropriate times.
The initial operational policy described here consists of two rules:
Rule 1 specifies that all users can read the attributes and properties of any file and directory in
a GuardPoint. The purpose of this rule is to reduce excessive log messages so you can analyze
log files without excess noise.
Rule 2 specifies that files written in the GuardPoint are encrypted, that all users have unlimited
access to the decrypted files, and that every operation is audited.
The rest of this section describes how to create the initial operational policy.

Name Policy
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the initial operational policy. See Creating encryption keys on
page 23.

3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
there are two policies.

4 Click Add Online Policy. The Add Online Policy window opens.

5 Enter a name and optional description for your policy. In our example we use the name basic-access-policy. Select Learn Mode.
Learn Mode permits a policy to be tested without actually denying access to resources. In Learn
Mode, all actions that would have been denied are instead permitted. These actions are logged
to assist in tuning and troubleshooting policies. The Learn Mode is highly recommended for
policies that restrict by application (process), as many applications use multiple binaries that
may not be known to the creator of the policy at time of creation. See the Vormetric Data
Security Platform Users Guide for details.

Enabling Learn Mode will disable the policy, but track each attempt that matches any
security rule in the policy. A deny statement in Effect must include apply_key when Learn Mode
is enabled. This option generates a warning each time an access attempt is made that matches
any security rule in the policy. This warning is sent as a log message and can be viewed in the
Management Console (if it is configured to accept Warnings).
6 Click Add in the Security Rules panel.

Create Rule 1
The purpose of this rule is to reduce excessive log messages so you can analyze log files without
excess noise.
1 Select Action in the Add Security Rule window.

2 The Select Action window opens. Select f_rd_att, f_rd_sec, d_rd_att and d_rd_sec.

The selected attributes have the following meanings:


d_rd_att - Can read the attributes of a directory (example: ls -la).
d_rd_sec - Can view the security properties of a Windows folder, such as on the Security tab of
the Properties window.
f_rd_att - Can read the attributes of a file (example: ls -l).
f_rd_sec - Can view the security properties of a Windows file, such as on the Security tab of the
Properties window.
See the VDS Users Guide for a full description of the Actions.

3 Click Select Action. The Add Security Rule window opens with Action defined.

4 Click Effect. The Select Effect window opens.

5 Select Permit (permit GuardPoint access) and then Select Effect. The Edit Security Rule window
opens with Effect defined. Click Ok. The Edit Online Policy window opens with Rule 1 added.

Create Rule 2 for the initial operational policy


This rule specifies that files written in the GuardPoint are encrypted, that all users have
unlimited access to the decrypted files, and that every operation is audited.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select Action. The Select Action window opens.
3 Select all_ops. all_ops allows any operation to be performed in the GuardPoint. Click Select
Action. The Add Security Rule window opens with Action defined.

4 Click Effect. The Select Effect window opens.

5 Select Deny (deny access to GuardPoint), Apply Key (see below) and Audit (create a log entry for
access attempts). Then click Select Effect. The Add Security Rule window opens with Effect
defined.

Apply Key - Applies an encryption key to data in a GuardPoint. Data copied into the GuardPoint
is encrypted with the key specified in the Key Selection Rules tab. Data accessed from the
GuardPoint is decrypted using the same key.
6 Click Ok. The Edit Online Policy window opens with Rule 2 added.

Add an encryption key to the policy


Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.
1 Click Add in the Key Selection Rules panel.

2 The Add Key Rule window opens.

3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.

5 Click Ok. basic-access-policy encrypts data copied in and decrypts data accessed from the
GuardPoint.
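The two rules of basic-access-policy, the Learn Mode behaviour described at the start of this section, and the "Code (1U,2P,3M)" rule trace explained later under Viewing the audit logs can be modelled in a few lines. The following Python is an added example written for this guide's readers; it is not Vormetric code and does not reproduce the agent's real evaluation engine. The action and effect names (f_rd_att, f_rd_sec, d_rd_att, d_rd_sec, all_ops, Apply Key, Audit) are the page's; the class layout, the wording of the log messages, the letter A for an action mismatch, and the implicit deny when no rule matches are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One security rule: its criteria plus the Effect chosen in the Select Effect window."""
    actions: FrozenSet[str]                      # action names from the page; "all_ops" matches any action
    users: Optional[FrozenSet[str]] = None       # None = no User restriction
    processes: Optional[FrozenSet[str]] = None   # None = no Process restriction
    effect: str = "permit"                       # "permit" or "deny"
    apply_key: bool = False
    audit: bool = False


@dataclass
class Policy:
    name: str
    rules: List[Rule]            # evaluated in order; the first full match wins
    learn_mode: bool = False


@dataclass
class Decision:
    effect: str                  # "PERMIT" or "DENIED"
    apply_key: bool
    code: str                    # rule trace in the "1U,2P,3M" style of the audit-record table
    log: List[str] = field(default_factory=list)


def validate(policy: Policy) -> List[str]:
    """The page's rule: with Learn Mode enabled, every Deny must include Apply Key."""
    problems = []
    if policy.learn_mode:
        for i, rule in enumerate(policy.rules, start=1):
            if rule.effect == "deny" and not rule.apply_key:
                problems.append(f"rule {i}: deny without apply_key while Learn Mode is enabled")
    return problems


def _match(rule: Rule, user: str, process: str, action: str) -> str:
    """'U' and 'P' follow the page's code table; 'A' (action mismatch) is this example's addition."""
    if rule.users is not None and user not in rule.users:
        return "U"
    if rule.processes is not None and process not in rule.processes:
        return "P"
    if "all_ops" not in rule.actions and action not in rule.actions:
        return "A"
    return "M"


def evaluate(policy: Policy, user: str, process: str, action: str, resource: str) -> Decision:
    """Walk the rules in order; the first rule whose criteria all match decides the effect."""
    trace = []
    for i, rule in enumerate(policy.rules, start=1):
        outcome = _match(rule, user, process, action)
        trace.append(f"{i}{outcome}")
        if outcome != "M":
            continue
        code = ",".join(trace)
        effect = "PERMIT" if rule.effect == "permit" else "DENIED"
        where = (f"Policy[{policy.name}] User[{user}] Process[{process}] "
                 f"Action[{action}] Res[{resource}]")
        log = []
        if effect == "DENIED" and policy.learn_mode:
            # Learn Mode: the deny is reported, not enforced, so the policy can be tuned safely
            log.append(f"[LEARN_MODE] {where} Effect[DENIED Code ({code})] (permitted by Learn Mode)")
            effect = "PERMIT"
        if rule.audit:
            log.append(f"[AUDIT] {where} Effect[{effect} Code ({code})]")
        return Decision(effect, rule.apply_key, code, log)
    # No rule matched: treated as an implicit deny here (an assumption of this example).
    return Decision("DENIED", False, ",".join(trace), [])


# basic-access-policy as built in this section, with Learn Mode selected
BASIC_ACCESS_POLICY = Policy(
    name="basic-access-policy",
    learn_mode=True,
    rules=[
        # Rule 1: attribute and security-property reads are permitted quietly (less log noise)
        Rule(actions=frozenset({"f_rd_att", "f_rd_sec", "d_rd_att", "d_rd_sec"}), effect="permit"),
        # Rule 2: all_ops with Deny + Apply Key + Audit; Learn Mode turns the deny into a logged permit
        Rule(actions=frozenset({"all_ops"}), effect="deny", apply_key=True, audit=True),
    ],
)

if __name__ == "__main__":
    for args in [("demo-user3", "/bin/ls", "f_rd_att"), ("demo-user3", "/bin/cat", "read_file")]:
        d = evaluate(BASIC_ACCESS_POLICY, *args, "/vipdata/helloworld.txt")
        print(args, d.effect, d.apply_key, d.code, *d.log, sep="\n  ")
```

Running the module shows why the initial policy is safe to roll out: an attribute read matches Rule 1 and is permitted silently, while a file read falls through to Rule 2, is decrypted (apply_key), and is permitted only because Learn Mode is on, leaving a LEARN_MODE message that tells you which user, process and action the final policy will need a rule for. Turning Learn Mode off on the same rules makes the same request DENIED, which is what the tuning step in Tune the Policies works towards.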

CREATING GUARDPOINTS: APPLYING POLICIES TO DIRECTORIES

.....................................................................
When a policy is applied to a directory, that directory is called a GuardPoint. This section
describes how to create GuardPoints.

Apply a policy to folders


1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Click Hosts > Hosts in the Management Console. The Hosts window opens.

3 Click on the protected host name in blue where you will create the GuardPoints. The Edit Host
screen opens.

4 Click the Guard FS (File System) tab. The host's GuardPoints, if any, are displayed. Click Guard to
create a new GuardPoint.

5 The Guard File System panel opens.

For Policy, choose the policy name you want to apply to the directory. For example, basic-encryption-policy or basic-access-policy.
For Type, use Directory (Auto Guard) for directories.
For Path, enter the GuardPoint directory. For example, /vipdata for Linux and UNIX hosts or
c:\Users\Marketing1\vipdata for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.

6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens with the new
GuardPoint.

Repeat this process for each folder you wish to protect.

A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
turns green. This may take up to 30 seconds. The policy is now activated and the GuardPoint is
protected.

DATA ENCRYPTION AND PROTECTION

.....................................................................

By now, you have set up your DSM, created VDS administrators, installed agents on your
protected hosts, and created an initial operational policy. This chapter describes how to encrypt
your sensitive data and tune your data protection policy to prevent unwanted access. This
chapter contains these sections:
Data Protection Overview on page 43
Determine encryption method on page 44
Using the Copy or Restore encryption method on file systems on page 46
Using the Copy or Restore encryption method on block devices on page 48
Using dataxform to encrypt your data on page 52
Viewing the audit logs on page 62
Tune the Policies on page 64

DATA PROTECTION OVERVIEW

.....................................................................

Steps for protecting data


The basic steps for protecting your data are:
1 Determine the optimal data encryption method for your environment: Copy, Restore or dataxform.
2 Verify that your data is backed up.
3 Stop all services and access to the directories or block devices that will be encrypted.
4 Create a GuardPoint with the initial operational policy on the protected directories or block devices. For
the dataxform encryption method, create a dataxform policy. For the Copy or Restore method,
use the initial operational policy described in Creating the initial operational policy on page 31.
5 For the dataxform method, run dataxform on each GuardPoint. For the Copy and Restore methods,
copy files into the GuardPoint.
6 After verifying that encryption was successful, start services and restore access to the data now
encrypted.

7 Test and monitor access to the encrypted data.


8 Tune the policies to increase and refine security.

DETERMINE ENCRYPTION METHOD

.....................................................................
VDS provides three encryption methods: the Copy, Restore, and dataxform methods. The
optimal method depends on three things: 1) whether you are encrypting data on a block
device or a directory; 2) the amount of disk space you have; 3) the speed of your backup devices.
Note: Whichever method you select, it is essential that you have a good backup of the data
before you encrypt it.

Restore encryption method


In this method, your sensitive data is backed up on some device, for example, a tape drive or
disk drive. To encrypt the data, you will:
1 Block access to all directories and block devices that are to be encrypted.
2 Create a GuardPoint on these directories and block devices.
3 Restore the data from the backup device into the GuardPoint. As data is written into the
GuardPoint, it is encrypted.
An example is shown below.

In this example, users access a number of databases on the protected host. To protect
\database-3, first block user access to it, create a GuardPoint on \database-3 and then
restore the backup data from the backup media into \database-3. This method requires no
extra disk space, and the speed of encryption depends on the speed of the restore. Slower
backup media, like tape drives, will result in a slower encryption speed.

Copy encryption method


In this method, you copy sensitive data into a GuardPoint with an encryption policy. This
method is generally faster than the Restore encryption method. If the data you copy to the
GuardPoint is on the same drive and volume as the GuardPoint, this method is comparable in
speed to dataxform, approximately 2-4 gigabytes per minute. If the data to be encrypted is
accessed from a slow disk or a different volume, the encryption will be slightly slower.
Here's an example of how the Copy encryption method works:
1 Block all access to the directory containing the sensitive source data. Rename that directory
(example: from \mssql\data\3 to \mssql\data\3-OLD).
2 Create a new directory for your sensitive data with the original directory path. Block access to it.
3 Create a GuardPoint on that directory.
4 Copy the sensitive data into the GuardPoint. Data in the GuardPoint is encrypted.
5 Open access to the new directory.
An example is shown in the graphic below.

In this example, users access a number of SQL databases on the protected host. To protect
\mssql\data\3 you block access to the directory, rename it to \mssql\data\3-OLD, create
a new \mssql\data\3 directory, block access to it, create a GuardPoint on it, copy the data in
\mssql\data\3-OLD to \mssql\data\3, and open access to \mssql\data\3. This method
requires additional disk space at least as large as \mssql\data\3. The speed of the encryption
depends on the speed of the copy.
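The Copy method is an ordinary file copy whose completeness should be proven before the -OLD directory is deleted and access is reopened. The following Python is an added example, not Vormetric code: it performs the rename, recreate, copy and reopen steps of the procedure above on a local directory tree and verifies the copy by comparing SHA-256 manifests of both trees. Blocking access is approximated with owner-only permissions, creating the GuardPoint (a Management Console step) is not modelled, and the data3 sample tree is constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict


def manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 of content, for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            out[os.path.relpath(full, root)] = digest.hexdigest()
    return out


def copy_method(data_dir: str) -> Dict[str, object]:
    """Run the Copy method on data_dir and return the verification result."""
    old_dir = data_dir + "-OLD"
    # Step 1: block access to the source and rename it (e.g. \mssql\data\3 -> \mssql\data\3-OLD)
    os.chmod(data_dir, 0o700)
    os.rename(data_dir, old_dir)
    # Step 2: recreate the original path, still blocked (owner-only) until verification passes
    os.mkdir(data_dir)
    os.chmod(data_dir, 0o700)
    # Step 3 (creating the GuardPoint) is done in the Management Console, not here.
    # Step 4: copy the data in; on a real GuardPoint it is encrypted as it is written
    before = manifest(old_dir)
    shutil.copytree(old_dir, data_dir, dirs_exist_ok=True)
    after = manifest(data_dir)
    # Verification: every source file must exist in the copy with an identical digest
    missing = sorted(p for p in before if p not in after)
    mismatched = sorted(p for p in before if p in after and before[p] != after[p])
    ok = not missing and not mismatched
    if ok:
        # Step 5: open access again (here: a typical owner+group mode); -OLD is kept for now
        os.chmod(data_dir, 0o750)
    return {"ok": ok, "files": len(before), "missing": missing, "mismatched": mismatched}


def demo() -> Dict[str, object]:
    """Build a small constructed data set in a temp dir and run the Copy method on it."""
    root = tempfile.mkdtemp(prefix="vds-copy-")
    data_dir = os.path.join(root, "data3")
    os.makedirs(os.path.join(data_dir, "sub"))
    sample = [("db.mdf", b"A" * 4096), ("db.ldf", b"B" * 1024), ("sub/notes.txt", b"constructed sample")]
    for rel, content in sample:
        with open(os.path.join(data_dir, rel), "wb") as fh:
            fh.write(content)
    result = copy_method(data_dir)
    result["old_dir_kept"] = os.path.isdir(data_dir + "-OLD")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The manifest of the -OLD tree is taken before the copy and the manifest of the new tree after it, so a file that was skipped, truncated or changed mid-copy shows up as missing or mismatched and access stays blocked. Delete the -OLD directory only after this check passes and the applications have been tested; until then the procedure needs disk space for both copies, which is the cost the text above notes for the Copy method.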

dataxform encryption method


In this method, you encrypt data in place using the dataxform tool. In general, this method is
quite fast. You can use the following utility to estimate the time for encryption:
dataxform --deep_scan --print_stat --gp <path>

Note: Completing this process can take considerable time, and if you have less than 10GB of
data, it may be better to simply encrypt with dataxform rather than estimate the time.
Here's an overview of the dataxform method:
1 Block all access to the directory containing the sensitive data.
2 Create a dataxform policy for the GuardPoint on this directory.
3 Run dataxform on the directory. After completion, the data in the GuardPoint is encrypted.
4 Remove the dataxform policy on the GuardPoint and replace it with an operational policy.
5 Open access to the directory.

How to decide what method to use


Some general rules:
1 If the data you are encrypting is in a block device, you have to use the Copy or Restore
encryption method.
2 Run dataxform --deep_scan --print_stat --gp <path> to estimate how long it will take
dataxform to encrypt the data. The dataxform method is generally the fastest method.
3 If the data can be copied into an encrypting GuardPoint on the same disk and same volume, the
Copy method will be as fast as the dataxform method.
4 If the data can be copied into an encrypting GuardPoint on the same disk but a different volume,
or on a SAN or NAS, the Copy method can be used, but will be slightly slower. The Copy method also
requires disk space that is twice the size of the data you are encrypting.
5 If the data you are encrypting comes from a backup device that is not a disk, for example, a tape
drive, you can use the Restore method. However, if your tapes are slow, this method can take a
long time.

USING THE COPY OR RESTORE ENCRYPTION METHOD ON FILE SYSTEMS

.....................................................................
The process for using the Copy or Restore encryption method on file systems is as follows:

Create an operational encryption policy.
Apply the policy to an empty folder on the protected host. The folder is then called a GuardPoint
and will contain your protected data.
Copy the files to be encrypted into the GuardPoint.
Test, monitor and tune the policy.

Note: If you apply an encryption GuardPoint to a folder that already contains files, those files remain
unencrypted. However, if you try to access those files through the GuardPoint, they will be treated as
encrypted. The only way to access those files in an unencrypted state is to disable or remove the GuardPoint.

Prerequisites
1 Verify that there is a good backup of the data to be encrypted. This step is vital.
2 Stop ALL access and services to the data to be encrypted. Make sure no processes, services or
users are currently accessing the data.
3 Make sure you have enough empty storage space to copy the data.

Apply the Initial Operational Policy to folders


1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Apply the Initial Operational Policy to the GuardPoint directories. See Creating GuardPoints:
Applying policies to directories on page 39.
3 Copy or restore the files into the newly created GuardPoints. Each file is encrypted.
4 Start all services and restore access to the data that is now fully encrypted. The initial
operational policy allows all users to decrypt the data.
5 Start application testing and inform application teams that systems are ready for use.
Theoretically, everything should work exactly as before; however, monitor the situation with your
users.
6 Monitor and analyze systems. Monitor DSM logs for messages. Check for LEARN_MODE or
ALARM messages in the DSM log files.
7 Tune policies as required. (See Viewing the audit logs on page 62.)

USING THE COPY OR RESTORE ENCRYPTION METHOD ON BLOCK DEVICES

.....................................................................
The process for using the Copy or Restore encryption method on block devices and raw disks is
much the same as with file systems. The basic procedure is as follows:
Create an encryption policy.
Apply the initial operational policy to a block device on the protected host.
Copy the files to be encrypted into the GuardPoint.
Test, monitor and tune the policy.

Note: If you apply an encryption GuardPoint to a folder that already contains files, those files remain
unencrypted. However, if you try to access those files through the GuardPoint, they will be treated as
encrypted. The only way to access those files in an unencrypted state is to disable or remove the GuardPoint.
For detailed information see the VDS Users Guide.

Prerequisites
1 Verify that there is a good backup of the data.
2 The block device must be new or clean as all existing data will be unusable.
3 Stop ALL services and access to the block device to be encrypted.

Other information for block devices


The Oracle DBA defines a disk group with secvm disks/devices. secvm communicates with the
Security Server and updates the disk group information. Oracle ASM provides the mapping of
secvm devices to physical disks/devices.
All databases (table spaces) in a disk group must be encrypted. Do not mix encrypted and
non-encrypted databases in a single disk group. Non-encrypted databases must be kept in separate disk
groups that are not protected by a File System Agent.
You can configure the same GuardPoints in both the Edit Host window and the Edit Host Group
window, and different policies can be applied to those GuardPoints. This can result in a
configuration conflict. Anticipate whether or not you are going to add the host to a host group. If
you intend to configure the host in a host group, do not configure GuardPoints in the Edit Host
window. Configure the GuardPoints in the Edit Host Group window. Otherwise, you can specify
two different configurations: one for the host and one for the host group. The configuration that
is already applied has precedence. The new GuardPoint is applied but not enabled. It is
recommended that if you configure a host as a member of a host group, you do not configure
GuardPoints to the individual host. It defeats the purpose of a host group when you add
GuardPoints to an individual host. If you want to apply GuardPoints globally to a set of hosts,
configure the GuardPoints in a host group.
Partitions are identified by their device name. Device names for partitions vary between
platforms.

Apply Initial Operational Policy to block device


1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Afterward, switch to the domain containing the host you
wish to protect. See Switch to the domain where you want to create the access policy on page
17 for details.
2 Click Hosts > Hosts in the Management Console. The Hosts window opens.

3 Click on the protected host name (block device) in blue where you will create the GuardPoints.
The Edit Host screen opens.

4 Click the Guard FS tab. The host's GuardPoints, if any, are displayed. Click Guard.

5 The Guard File System panel opens.

For Policy, choose the name of the initial operational policy you created in Creating the Initial
Operational Policy (IOP) on page 17. In our example, the name of the initial operational policy
is basic-access-policy.
For Type, choose the device type that fits the OS and storage system. For Windows choose Raw
or Block Device (Auto Guard). For Linux/UNIX choose Raw or Block Device (Auto Guard) or
Raw or Block Device (Manual Guard). (Select Raw or Block Device (Manual Guard) for raw
devices that are to be manually guarded and unguarded in order to fail over to a different node
in a cluster. See the VDS Users Guide for more information.)
For Path, enter the GuardPoint device. For example, /dev/sda1.
You can also browse; the browser shows block devices. Click the plus symbol (+) next to a folder to
display the next level of the partition hierarchy. Click the minus symbol (-) to collapse the
hierarchy. Click a partition name.
Inactive partitions are displayed. Open partitions are not displayed, nor are currently guarded
partitions.
Note that third-party applications can open raw devices in obscure ways, causing the Remote
File Browser to ignore, and not display, supposedly inactive devices. For example, inactive raw
devices in the Oracle dbca disk discovery path are not displayed in the Remote File Browser,
even when the devices are not assigned to a disk group. If /dev/sd* is configured in the dbca
disk discovery path, and dbca is running, inactive /dev/sd* devices are not displayed in the
browser. This is because the devices are kept open by the oracle process. To get around the
problem in this example, close dbca and open the browser again. The devices are then free,
displayed in the browser, and available for selection.
6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens.

A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
turns green. This may take up to 30 seconds. The policy is then activated and the GuardPoint is
protected.
7 Repeat this process for each block device you wish to protect.
8 Make sure that the applications and services access the newly created Vormetric device.
Vormetric encrypted raw or block devices are accessed using the directory:
/dev/secvm/dev/xxxxx where xxxxx is the original device name.
9 Copy or restore the data into the newly created devices. Use the appropriate method to copy or
restore the data into the encrypted device.
10 Start all services and restore access to the data that is now fully encrypted. The initial
operational policy allows all users to decrypt the data.
11 Start application testing and inform application teams that systems are ready for use.
Theoretically, everything should work exactly as before; however, monitor the situation with your
users.
12 Test and monitor systems. Monitor DSM Logs for messages. Check for LEARN_MODE or ALARM
messages in the DSM log files.
13 Tune policies as required. (See Viewing the audit logs on page 62.)

USING DATAXFORM TO ENCRYPT YOUR DATA

.....................................................................
dataxform is used to encrypt files in place. It does not work on block devices. The process for
using dataxform is as follows:
Create a dataxform policy.
Create GuardPoints by applying the dataxform policy to folders containing the files to be
encrypted.
Run dataxform --rekey to encrypt the data in the folder.
After the dataxform --rekey step completes successfully, run dataxform --cleanup to clean up the
dataxform process.
Remove the dataxform policy and apply the initial operational policy.
Test, monitor and tune the initial operational policy.

Note: The dataxform instructions here only touch on its full usage. For detailed information
see the VDS Users Guide.

dataxform encryption method prerequisites


1 Verify that there is a good backup of the data to be encrypted. This step is vital.
2 Stop ALL services and access to the data to be encrypted. Make sure no processes, services or
users are currently accessing the data.

Create dataxform policy


The dataxform policy is required when you run the dataxform executable on a GuardPoint
folder. After dataxform encrypts the files, you remove the dataxform policy and add an
operational policy to the GuardPoint. You will use the operational policy described in Creating
the Initial Operational Policy (IOP) on page 17.
1 Log on to the Management Console as a Security Administrator with Key and Policy roles or as an
administrator of type All. Switch to the domain containing the host you wish to protect. See
Switch to the domain where you want to create the access policy on page 17 for details and
screenshots.
2 Click Policies > Manage Policies to bring up the Policies window. The Policies window lists
policies available to this domain.
3 Click Add Online Policy. The Add Online Policy window opens. Enter a name and optional
description for your policy. In this example we use dataxform1.

4 Click Add in the Security Rules panel. The Add Security Rule window opens.
5 Select Action. The Select Action window opens.
6 Select key_op and click Select Action. The Add Security Rule window returns with key_op in
the Action field.
7 Select Effect to bring up the Select Effect window.

8 Select Permit and Apply Key, then click Select Effect. The Add Security Rule window opens.

9 Click Ok. The Add Online Policy window opens with the Security Rule added. Also, the Key
Selections Rules panel and the Data Transformation Rules Panel are displayed.

10 Click Add in the Key Selection Rules panel. The Add Key Rule window opens.

11 Click Key. The Select Symmetric Key window opens. Select clear_key and click Select Key.

12 The Add Key Rule window opens with clear_key selected. Click Ok. The Add Online Policy window
opens with the Key Selection Rule added.
13 Click Add in the Data Transformation Rules panel. The Add Key Rule window opens.
14 Click Key. The Select Symmetric Key window opens. Select the key you created in Create a data
encryption key on page 18, and click Select Key.
15 The Add Key Rule window opens with the Key name entered. Click Ok.

16 The Add Online Policy window opens with the Data Transformation Rule added.

17 Click Ok. The dataxform policy is added to the Policies window.

Apply the dataxform policy to the GuardPoints


Once the dataxform policy is created, it needs to be applied to all the directories containing
data to be encrypted. When a policy is applied to a directory, the directory is called a
GuardPoint.
In the instructions below, you will apply the dataxform1 policy to a directory on one of your
protected hosts. We will use an example directory called /vipdata2 to demonstrate the
procedure.

1 Click Hosts > Hosts in the Management Console. The Hosts window opens.

2 Click on the protected host name in blue that contains the directory with the files to encrypt.
The Edit Host screen opens.

3 Click the Guard FS tab. The host's GuardPoints, if any, are displayed. Click Guard.

4 The Guard File System panel opens. For Policy, choose dataxform1. For Type, select Directory
(Auto Guard). For Path, enter the directory with the files to be encrypted. In this example we use
/vipdata for Linux/UNIX hosts or c:\vipdata for Windows hosts.

Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.

5 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens. A red status indicator
means that the policy hasn't taken effect. Click Refresh until the Status turns green. This may
take up to 30 seconds. The policy is now activated and the GuardPoint is ready to run the
dataxform executable.

Execute dataxform to start data encryption in the GuardPoint


1 Encrypt the data. For each GuardPoint run:
dataxform --rekey --print_stat --gp <directory>

Note the dataxform command line messages as it encrypts files. Specifically note messages
that list files or folders that are skipped and the reasons why. If a dataxform fails during
transformation, you can usually rerun it and it will resume transformation beginning with the
next file. The only risk is that the file that was in progress during the transformation may have
been corrupted (meaning not completely transformed at the point of failure). The dataxform
log file will contain this information and should be used to identify failed transformations. This
is covered in the VDS Users Guide.

2 If the encryption is successful, run dataxform --cleanup. If it was not successful, do not run this
step.
dataxform --cleanup --gp <directory>

Remove the dataxform policy and apply Initial Operational Policy


After running dataxform --rekey, the data in the desired folder is encrypted; however, all
access is blocked by the dataxform policy. To open access to the files, remove the dataxform
GuardPoint and apply the initial operational policy GuardPoint you created in Creating the
Initial Operational Policy (IOP) on page 17 to the folder.
1 In the Management Console Click Hosts > Host Name > Guard FS.
2 Select dataxform1 and click Unguard.

3 Now click Guard to apply operational GuardPoints for each folder that was recently encrypted.
4 The Guard File System panel opens.

For Policy, choose the initial operational policy name you created in Creating the Initial
Operational Policy (IOP) on page 17. In our example, the name of the initial operational policy
is basic-access-policy.
For Type, use Directory (Auto Guard).
For Path, enter the GuardPoint folder. For example, /vipdata for Linux/UNIX hosts or c:\vipdata
for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.

5 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens.

A red status indicator means that the policy hasn't taken effect (it may take a few seconds).
Click Refresh until the Status turns green. This may take up to 30 seconds. The policy is now
activated and the GuardPoint is protected.
6 Start all services and restore access to the data that is now fully encrypted. The initial
operational policy allows all users to decrypt the data.

7 Start application testing and inform application teams that systems are ready for use.
Theoretically, everything should work exactly as before; however, monitor the situation with your
users.
8 Test and monitor systems. Monitor DSM Logs for messages. Check for LEARN_MODE or ALARM
messages in the DSM log files.
9 Tune policies as required.

VIEWING THE AUDIT LOGS

.....................................................................
Once the audit keyword is added to the rules of a policy, VDS audits data access in the
GuardPoint. This section shows how to read the audit records.
Note: To generate the log messages in this section, we have created a different environment.
We have created a policy that allows a user called demo-user3 to access a GuardPoint file,
/vipdata2/helloworld.txt, with the more command, but blocks access
with the cat command.

View and Analyze Audit Logs


1 Here we log in to the protected host as demo-user3 with an SSH terminal and execute the
following commands:
[demo-user3@ip-10-0-5-86 ~]$ more /vipdata2/helloworld.txt
This is a demo. Hello beautiful world!
[demo-user3@ip-10-0-5-86 ~]$ cat !$
cat /vipdata2/helloworld.txt
cat: /vipdata2/helloworld.txt: Permission denied
[demo-user3@ip-10-0-5-86 ~]$

2 We then click Log > Logs in the Management Console.

The Logs page opens.


3 Examine the audit records. Audit records contain the following fields:
ID: Audit record number.
Time: When the audit record was generated.
Severity: The severity level of the audit record.
Source: Where the audit was generated.
Message: The body of the audit record.

Example audit message:

CGP2604E: [SecFS, 0] PID[2945] [ALARM] Policy[basic-access-policy] User[demo-user3,uid=503,gid=503\demo-user3\] Process[/bin/cat] Action[read_attr] Res[/vipdata2/helloworld.txt] Effect[DENIED Code (1U,2P,3M)]

Audit Fragment: Meaning
CGP2604E: Internal message number.
SecFS: The Vormetric module responsible for policy enforcement. SecFS is the secure file system agent.
ALARM: Type of message.
Policy[basic-access-policy]: The policy being enforced on the GuardPoint.
demo-user3,uid=503,gid=503\demo-user3\: The user/group that attempted access.
Process[/bin/cat]: The process executed in the GuardPoint.
Action[read_file]: The I/O action type.
Res[/vipdata2/hello.txt]: File being accessed.
Key[AES256-Demo1] (example): The key used to decrypt the file.
Effect[DENIED: The outcome of the IO action.
Code (1U,2P,3M)]: The policy rule that governed the action. Code (1U,2P,3M) means
that rule 1 was not met because it was the wrong User, rule 2 was not met because it was
the wrong Process, and rule 3 was Met.

Search audit records by keyword


Audit records can be filtered by keyword. In the Search panel of the Logs window, add the
search word WARNING to the Message Contains: field and click Go.

TUNE THE POLICIES

.....................................................................
At this point, your data is encrypted, but the current operational policy allows full access to
decrypted data by any user on the host. Securing the data is a matter of monitoring the DSM
logs to see who needs access to the data and what type of access they need, and then tuning the
policies to allow the appropriate level of access.

Policy tuning process


Analyze your log files and compile the following:
1 A list of users who require access to the decrypted GuardPoint data.
2 A list of users who require access to the encrypted data for system administrative purposes.
3 A list of processes that groups of users require.
4 A list of file and directory actions (examples: read, write, rename, file appending, and so on) that
groups of users require.
5 File and directory resources that groups of users may require.

6 Time periods when users can access the data.


In general the first four items will be mostly used to define your policies.
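The audit message format shown above and the lists the tuning process asks for, as an added example that is not part of the guide or the product: a Python parser for the bracketed audit fields and the rule codes, which then compiles per-user process and action lists from constructed sample records. The second sample record, its CGP0000I message number and the AUDIT message type are constructed placeholders; only the U, P and M code letters are documented on this page.

```python
import re
from collections import defaultdict

# Bracketed fields of the message body: Policy[...] User[...] Process[...] ...
FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")
# Leading part: message number, module, PID and message type
HEAD_RE = re.compile(
    r"^(?P<msgid>\w+):\s*\[(?P<module>[^,\]]+),\s*\d+\]\s*"
    r"PID\[(?P<pid>\d+)\]\s*\[(?P<mtype>[A-Z_]+)\]"
)
# Effect[DENIED Code (1U,2P,3M)] -> outcome plus the per-rule codes
EFFECT_RE = re.compile(r"^(?P<outcome>\w+)(?:\s+Code\s*\((?P<codes>[^)]*)\))?")

# Rule code letters documented in the guide; anything else is reported as unknown.
CODE_MEANING = {"U": "wrong User", "P": "wrong Process", "M": "Met"}

# Constructed sample records in the format shown above (second one is a placeholder).
SAMPLE_LOG = [
    "CGP2604E: [SecFS, 0] PID[2945] [ALARM] Policy[basic-access-policy] "
    "User[demo-user3,uid=503,gid=503\\demo-user3\\] Process[/bin/cat] "
    "Action[read_attr] Res[/vipdata2/helloworld.txt] Effect[DENIED Code (1U,2P,3M)]",
    "CGP0000I: [SecFS, 0] PID[2940] [AUDIT] Policy[basic-access-policy] "
    "User[demo-user3,uid=503,gid=503\\demo-user3\\] Process[/bin/more] "
    "Action[read_file] Res[/vipdata2/helloworld.txt] Key[AES256-Demo1] Effect[PERMIT Code (1M)]",
]


def parse_user(field):
    """'demo-user3,uid=503,gid=503\\demo-user3\\' -> uname, uid, gid and group names."""
    parts = field.split(",")
    info = {"uname": parts[0], "uid": None, "gid": None, "gnames": []}
    for tok in parts[1:]:
        if tok.startswith("uid="):
            info["uid"] = int(tok[4:])
        elif tok.startswith("gid="):
            gid, *names = tok[4:].split("\\")   # gid followed by \group\ names
            info["gid"] = int(gid)
            info["gnames"] = [n for n in names if n]
    return info


def parse_codes(codes):
    """'1U,2P,3M' -> [(1, 'U', 'wrong User'), (2, 'P', 'wrong Process'), (3, 'M', 'Met')]."""
    out = []
    for c in codes.split(","):
        c = c.strip()
        if c:
            out.append((int(c[:-1]), c[-1], CODE_MEANING.get(c[-1], "unknown")))
    return out


def parse_audit_record(line):
    """Split one audit message into its fragments; returns None for non-audit lines."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rec = head.groupdict()
    fields = dict(FIELD_RE.findall(line[head.end():]))
    rec["policy"] = fields.get("Policy")
    rec["user"] = parse_user(fields.get("User", ""))
    rec["process"] = fields.get("Process")
    rec["action"] = fields.get("Action")
    rec["resource"] = fields.get("Res")
    rec["key"] = fields.get("Key")          # only present when a key was applied
    eff = EFFECT_RE.match(fields.get("Effect", ""))
    rec["effect"] = eff.group("outcome") if eff else None
    rec["codes"] = parse_codes(eff.group("codes") or "") if eff else []
    return rec


def compile_access_needs(lines):
    """Per user: processes and actions that were permitted, and (process, action) pairs denied."""
    needs = defaultdict(lambda: {"processes": set(), "actions": set(), "denied": set()})
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        entry = needs[rec["user"]["uname"]]
        if rec["effect"] == "DENIED":
            entry["denied"].add((rec["process"], rec["action"]))
        else:
            entry["processes"].add(rec["process"])
            entry["actions"].add(rec["action"])
    return needs
```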
Example: There are seven users named User-1 through User-7 working on a database. User-1 is
the system administrator who needs read/write permissions in order to do backup and restore
operations. User-1 should not have decryption privileges. User-2 and User-3 work on the
database and require the ability to perform all operations on the data. Users-4 through 7
require the ability to view the data but not modify or add to it.
The policy for this situation requires four rules:
Rule 1: User-1 can perform read and write operations on any files or directories in the
GuardPoint, but cannot access the data in a decrypted state.
Rule 2: User-2 and User-3 can perform all operations on any files or directories in the
GuardPoint. All data is decrypted.
Rule 3: Users-4 through 7 can only read decrypted data, but cannot perform any write
operations.
Rule 4: All other users are denied access.
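The four-rule policy above, modelled as an added example that is not the product's own evaluator: rules are tried top to bottom, the first rule whose User Set and Action both match decides, and the decision carries a code in the style of the audit records (U for wrong User, M for Met, as documented above; the letter A for a wrong Action is an assumption). The first-match order and the User Set membership by uname are assumptions of this model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One security rule: who (User Set), what (Action) and the Effect."""
    user_set: str                        # name of the User Set, or "any"
    users: Optional[FrozenSet[str]]      # member unames; None matches every user
    actions: Optional[FrozenSet[str]]    # allowed actions; None matches every action
    permit: bool                         # Permit (True) or Deny (False) GuardPoint access
    audit: bool = True                   # Audit: write an audit record for the access
    apply_key: bool = False              # Apply Key: decrypt the data for this access


@dataclass(frozen=True)
class Decision:
    effect: str          # "PERMIT" or "DENIED"
    audit: bool
    apply_key: bool
    code: str            # e.g. "(1U,2U,3M)": one entry per rule that was evaluated

    @property
    def data_seen_as(self) -> Optional[str]:
        """What a permitted reader gets back: plaintext only when Apply Key was set."""
        if self.effect != "PERMIT":
            return None
        return "plaintext" if self.apply_key else "ciphertext"


# The example policy from the text (assumed first-match evaluation, top to bottom).
BASIC_ACCESS_POLICY: List[Rule] = [
    Rule("SysAdmins", frozenset({"User-1"}), frozenset({"read", "write"}),
         permit=True, audit=True, apply_key=False),            # Rule 1: backups, no decryption
    Rule("FullOps", frozenset({"User-2", "User-3"}), frozenset({"all_ops"}),
         permit=True, audit=True, apply_key=True),             # Rule 2: everything, decrypted
    Rule("ReadOnly", frozenset({"User-4", "User-5", "User-6", "User-7"}), frozenset({"read"}),
         permit=True, audit=True, apply_key=True),             # Rule 3: read decrypted only
    Rule("any", None, None, permit=False, audit=True, apply_key=False),  # Rule 4: deny the rest
]


def rule_matches_action(rule: Rule, action: str) -> bool:
    """all_ops covers every action; otherwise the action must be listed."""
    return rule.actions is None or "all_ops" in rule.actions or action in rule.actions


def evaluate(policy: List[Rule], uname: str, action: str) -> Decision:
    """Walk the rules in order; the first rule whose user and action both match decides."""
    codes = []
    for number, rule in enumerate(policy, start=1):
        if rule.users is not None and uname not in rule.users:
            codes.append(f"{number}U")         # U: wrong User (documented letter)
            continue
        if not rule_matches_action(rule, action):
            codes.append(f"{number}A")         # A: wrong Action (assumed letter)
            continue
        codes.append(f"{number}M")             # M: rule Met
        return Decision("PERMIT" if rule.permit else "DENIED",
                        rule.audit, rule.apply_key, "(" + ",".join(codes) + ")")
    # No rule matched: a policy without a catch-all deny rule is treated as denied here.
    return Decision("DENIED", True, False, "(" + ",".join(codes) + ")")
```

Note that User-1 is permitted to read and write but, with no Apply Key on Rule 1, only ever sees ciphertext, which is exactly what a backup operator needs.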

Creating the policy


1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the new policy or use an existing key. See Creating encryption
keys on page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. Then click Add
Online Policy. The Add Online Policy window opens.
4 Enter a name and optional description for your policy. In our example we use the same name,
basic-access-policy.


5 Click Add in the Security Rules panel.

6 The Add Security Rule window opens.

Create Rule 1
The purpose of this rule is to allow User-1 to perform read and write operations on any files or
directories in the GuardPoint, but not access the data in a decrypted state.
1 Select User in the Add Security Rule window. The Select User Set window opens.


2 Click Add. The Add User Set window opens. A User Set is a group of users with similar access
permissions. This group of users will have system administration access permissions. Add the
name SysAdmins to this User Set.

3 Click Add. The Add User window opens. Enter User-1.

uname is the login name.


uid (UNIX only) is the user identification number.
gid (UNIX only) is the user group number. Enter only the primary group ID number of the user.
gnames are a comma-separated list of group names.
osDomain (Windows only) is the network domain of the user. Multiple domain names,
separated by commas, may be entered. Enter the string localhost to configure a generic
domain.


4 Click Ok. The Add User Set window for SysAdmins opens with User-1 added.

5 Click Ok. The Select User Set window opens with SysAdmins added.
6 Select SysAdmins and click Select User Set. The Add Security Rule window opens with the User
field set to SysAdmins.

7 Select Action. The Select Action window opens.


8 Select read and write, then click Select Action. The Add Security Rule window opens with the
Action field set to read, write.


9 Click Effect. The Select Effect window opens. Select Permit (permit GuardPoint access) and
Audit (audit accesses), then click Select Effect. The Add Security Rule window opens with the
Effect set to Permit, Audit.
10 Click Ok. The Add Security Rule window opens with Effect defined.
11 Click Ok. The Edit Online Policy window opens with Rule 1 added.


Add Rule 2
In this rule User-2 and User-3 can perform all operations on any files or directories in the
GuardPoint, and all data is decrypted.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select User in the Add Security Rule panel. The Select User Set window opens.
3 Click Add. The Add User Set window opens. This group of users will have full operation access
permissions. Add the name FullOps to this User Set.
4 Click Add. The Add User window opens.
5 Enter User-2 and click Ok. The Add User Set window opens.
6 Click Add again. The Add User window opens. Enter User-3 and click Ok. The Add User Set
window opens with User-2 and User-3 added to the User Set.
7 Click Ok. The Select User Set window opens with FullOps added.
8 Select FullOps and click Select User Set. The Add Security Rule window opens with the User field
set to FullOps.
9 Select Action. The Select Action window opens.
10 Select all_ops, then click Select Action. The Add Security Rule window opens with the Action
field set to all_ops.
11 Click Effect. The Select Effect window opens.
12 Select Permit (permit GuardPoint access), Audit (audit accesses) and Apply Key (apply key to
decrypt data). Then click Select Effect. The Add Security Rule opens with the Effect set to
Permit, Apply Key, and Audit.


13 Click Ok. The Add Online Policy window opens with Rule 2 added.

Add Rule 3
Rule 3 specifies that Users-4 through 7 can only read decrypted data, but cannot perform any
write operations.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select User in the Add Security Rule panel. The Select User Set window opens.
3 Click Add. The Add User Set window opens. This group of users will have read-only access
permissions to GuardPoint data. Add the name ReadOnly to this User Set.
4 Click Add. The Add User window opens.
5 Enter User-4 and click Ok. The Add User Set window opens.
6 Click Add again. The Add User window opens. Enter User-5 and click Ok. The Add User Set
window opens with User-4 and User-5 added to the User Set.
7 Repeat this process for User-6 and User-7.
8 Click Ok. The Select User Set window opens with ReadOnly added.
9 Select ReadOnly and click Select User Set. The Add Security Rule window opens with the User
field set to ReadOnly.
10 Select Action. The Select Action window opens.

11 Select read, then click Select Action. The Add Security Rule window opens with the Action field
set to read.
12 Click Effect. The Select Effect window opens.
13 Select Permit (permit GuardPoint access), Audit (audit accesses) and Apply Key (apply key to
decrypt data). Then click Select Effect. The Add Security Rule opens with the Effect set to
Permit, Apply Key, and Audit.
14 Click Ok. The Add Online Policy window opens with Rule 3 added.

Add Rule 4
Rule 4 specifies that all other users are denied access.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Click Effect. The Select Effect window opens.
3 Select Deny (deny GuardPoint access) and Audit (audit accesses). Then click Select Effect. The
Add Security Rule opens with the Effect set to Deny and Audit.


4 Click Ok. The Add Online Policy window opens with Rule 4 added.

Add an encryption key to the policy


Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.
1 Click Add in the Key Selection Rules panel of the Add Online Policy window.

2 The Add Key Rule window opens.


3 Select Key. The Select Symmetric Key window opens. Select the key you created earlier and click
Select Key. The Add Key Rule window returns.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.

5 Click Ok. basic-access-policy is added to the Policies window and is ready to be applied to a
GuardPoint.

DSM BACKUP AND RESTORE


This chapter describes how to back up and restore the DSM databases. This backup can be used
to restore the hosts, encryption keys, and policies of a DSM for software crash recovery or
system changes. This chapter consists of the following sections:
DSM Backup and Restore Overview on page 75
Create a Backup Encryption Wrapper Key on page 76
Backup the DSM on page 79
Restore the DSM from a Backup Image on page 79
Automatic Backups on page 80
This chapter describes the basic elements of DSM backup and restore. For detailed information,
see the Vormetric Data Security Platform User Guide.

DSM BACKUP AND RESTORE OVERVIEW

.....................................................................
Vormetric System Administrators can create DSM backups using the Management Console.
Included in a backup are:
Embedded databases
Agent/server certificates
Encryption keys and key groups
Hosts and host groups
Domains
High Availability configuration
Administrators
Policies
Log settings
System-level configuration is not backed up. A system-level configuration includes features like
network and timezone settings. You will have to reconfigure these yourself.


Each backup is encrypted with a wrapping key. You can't take a backup before you create the
backup wrapping key. Also, you will need the wrapping key to restore the backup onto another
server.

CREATE A BACKUP ENCRYPTION WRAPPER KEY

.....................................................................
DSM backup files are encrypted with a wrapper key to keep them secure. This wrapper key
must be created or imported from a previous create operation before running a backup or
restore. This key is required to restore DSM backups during a recovery or restore operation.
Wrapper keys are broken up into key shares, which are pieces of a wrapper key. Key shares are
divided amongst two or more custodians such that each custodian must contribute their key
share in order to assemble a complete wrapper key. This is also referred to as split key
knowledge or M of N configuration.
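The M of N split described above, as an added illustration that is not Vormetric's code and does not describe its share format: Shamir secret sharing over a prime field, with the Minimum Custodians Needed and Total Number of Custodians values as parameters. It shows that any M shares reassemble the wrapper key while fewer than M yield nothing usable. The wrapper key bytes and the share string layout are constructed assumptions.

```python
import secrets
from typing import List, Tuple

# A prime larger than any wrapper key we split; a 256-bit key fits comfortably.
FIELD_PRIME = 2**521 - 1

Share = Tuple[int, int]   # (custodian index x, share value y)

# Constructed stand-in for a real wrapper key (32 bytes).
DEMO_WRAPPER_KEY = bytes(range(32))


def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x, modulo FIELD_PRIME."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % FIELD_PRIME
    return y


def split_wrapper_key(key: bytes, minimum_custodians: int, total_custodians: int) -> List[Share]:
    """Split key into total_custodians shares; any minimum_custodians of them rebuild it."""
    if not 2 <= minimum_custodians <= total_custodians:
        raise ValueError("need 2 <= Minimum Custodians Needed <= Total Number of Custodians")
    secret = int.from_bytes(key, "big")
    if secret >= FIELD_PRIME:
        raise ValueError("wrapper key too large for the field")
    # The constant term is the secret; the remaining minimum_custodians-1 coefficients are
    # random, so fewer than minimum_custodians points leave the constant term undetermined.
    coeffs = [secret] + [secrets.randbelow(FIELD_PRIME) for _ in range(minimum_custodians - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, total_custodians + 1)]


def reconstruct_wrapper_key(shares: List[Share], key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from the supplied custodian shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate custodian share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % FIELD_PRIME
                den = den * (xi - xj) % FIELD_PRIME
        secret = (secret + yi * num * pow(den, -1, FIELD_PRIME)) % FIELD_PRIME
    try:
        return secret.to_bytes(key_len, "big")
    except OverflowError:
        # Too few (or wrong) shares interpolate to a random field element, not a key.
        raise ValueError("shares do not reassemble a wrapper key") from None


def shares_recover_key(shares: List[Share], key: bytes) -> bool:
    """True only when these shares reassemble exactly the original wrapper key."""
    try:
        return reconstruct_wrapper_key(shares, len(key)) == key
    except ValueError:
        return False


def encode_share(share: Share) -> str:
    """Render a share as a copyable string, as a custodian would store it (layout assumed)."""
    x, y = share
    return f"{x}:{y:0132x}"


def decode_share(text: str) -> Share:
    x, y = text.split(":")
    return int(x), int(y, 16)
```

With a 2-of-3 split, the loss of any one custodian's share is survivable; with fewer than the minimum, the interpolation returns an unrelated field element, which is why the page insists that every custodian store their share securely.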

To create the wrapper key


1 Log on to the Management Console as an administrator of type System Administrator or All.
2 Select System > Wrapper Keys from the menu bar. The Wrapper Keys window opens.


3 From the Operation pull-down select Create, and on the next page, click on Apply to create the
wrapper key. You should see a confirmation message that reads The operation is successful.

4 Select System > Backup and Restore from the menu bar. A green confirmation message appears.
This means that you can proceed.

5 Return to the System > Wrapper Keys menu option and select Export from the Operation pull-down to export key shares.

6 Set a number for both the Minimum Custodians Needed and the Total Number of Custodians
(there should be at least two custodians). This setting will encrypt the backup files and split its
wrapper key value among multiple custodians.


7 Select the checkbox next to the administrators (custodians) who will control the backup key.
Administrators of type System Administrator and All are listed. Any of these administrators, with
the exception of admin, can be selected as a custodian. The selected administrators will be given
a share of the password. The password is displayed in their Dashboard window the next time
they log into the Management Console.
8 Click the Apply button in the bottom right-hand corner.
9 Ask each selected administrator to log in to the Management Console and view the Dashboard
page. Each will see a unique backup encryption key displayed on the dashboard beneath the
fingerprint for the CA.

The backup key share displayed in the Dashboard window is a toggle. Click the string Backup
Key Share to display the backup key share value. Click the backup key share value to display the
string Backup Key Share.
10 Ask each administrator to securely store a copy of this key share. They will need to provide this
during their role in a DSM restore operation.


BACKUP THE DSM

.....................................................................
A backup is a snapshot of a DSM configuration at one point in time. When restored, the DSM
Management Console will contain and display the same information captured at the time the
backup was originally made.

To back up the DSM


1 Log on to the Management Console as an administrator of type System Administrator or All.
2 Select the System > Backup and Restore menu option. The Backup and Restore window opens to
the Encryption Key tab.
3 Click the Backup tab and then select the OK button. The File Download window is displayed.

4 Click Save. Save the file to a secure location that you are sure would still be accessible if the
server fails. By default, the file name will be in the Backup_yyyy_mm_dd_hhmm.tar format.
5 Save the backup to a secure location. Access to the backup should be limited to only a few
employees and be audited.

RESTORE THE DSM FROM A BACKUP IMAGE

.....................................................................
Important:
Following a restore operation, the DSM configuration in the Management Console is replaced by
the configuration stored in the backup copy.
Any new encryption keys, policies, hosts or guard points added since backup will be overwritten
and lost.


Unless this is a disaster recovery scenario where all appliances were lost, always back up the
current configuration before running a restore operation.

To restore the DSM from a backup configuration


1 Locate the backup that is to be restored.
2 Log on to the Management Console as an administrator of type System Administrator or All.
NOTE: If you already have the proper Wrapper Key imported, skip to Step 9.
3 Import wrapper keys. Select System > Wrapper Keys from the menu bar.
4 Select Import from the Operation pull-down.
5 Click the Add button.
6 Paste a Key Share value from a previously stored custodian into the Key Share text field and click
Ok.
7 Repeat steps 5 and 6 for each administrator who was selected as a key custodian. At least as
many key shares must be imported as the Minimum Number of Custodians value specified
when the wrapper key was exported.
8 Click Apply to finish importing the wrapper key.
9 Restore the Backup File. Select System > Backup and Restore from the menu bar.
10 Select the Restore tab.
11 Click the Choose File button.
12 Locate and select the backup file to restore.
13 If this is a disaster recovery, enable the Include User(s) checkbox.
14 Click the Ok button. The restore file will be uploaded and the DSM will disconnect the
Management Console.
15 Log back into the Management Console as an administrator of type Security or All. Verify that
the configuration is restored correctly.

AUTOMATIC BACKUPS

.....................................................................
Set up the Automatic Backup feature to protect the configuration settings as well as the
encryption keys and policies. To do this, you will need access to a File Server (a Unix or
Windows host) that is network accessible by the DSM to store the backup files.


Setting Automatic DSM Backups


Automatic DSM database backup is configured in the Automatic Backup window. An outline of
the process is shown below, but use the detailed instructions in the VDS Users Guide.
1 To open the Automatic Backup window, select System > Backup and Restore > Automatic
Backup in the Management Console.

Configured Automatic Backup window for UNIX

Configured Automatic Backup window for Windows


2 Fill in the settings for Automatic Backup Schedule and the External File Server where the
backup files will be stored.
3 Click on the Backup Now button.

4 After a successful backup, look in the specified Target Directory on the Target Host to see the
backup files. Example:
backup_config_primary_v4.4.1.0_20120308_2347.data
backup_config_primary_v4.4.1.0_20120308_2347.txt

CLUSTERING THE DSM FOR HIGH AVAILABILITY


This chapter describes the steps required to create a High Availability (HA) Cluster between two
or more DSMs. It assumes that there is already a primary server in operation and a failover
server needs to be brought into the cluster (see the Vormetric Data Security Manager
Installation Guide). This chapter consists of the following sections:
HA Overview on page 83.
Configuring a DSM for Failover on page 83.

HA OVERVIEW

.....................................................................
Clusters are a staple of any HA environment. DSM appliances are configured as primary
appliances by default. This is not an issue in a standalone environment. However, in a clustered
DSM environment, there can be only one primary DSM at a time. Additional DSMs added to
that environment have to be configured as failover appliances and receive their configuration
from the primary. To make changes to the configuration, a Vormetric System Administrator
connects to the primary server and edits the configuration. The changes then get replicated to
the failover servers.
Replication occurs from the primary to the failover server(s) only. It consists of the latest
configuration database running on the primary server. The configuration database contains all
the policies, host configurations, and keys that are used in the VDS Management Console. Log
files are not a part of the information replicated.
To configure HA, you must be a VDS administrator of type System Administrator or All.

CONFIGURING A DSM FOR FAILOVER

.....................................................................
An HA Cluster consists of at least two DSM appliances. The first appliance added to the cluster
is the primary. After installing another DSM (see the DSM Installation Guide), ensure that there
is network connectivity between the existing primary and the failover appliance before
configuration.


Configuring a DSM for failover consists of the following processes:


Configure the DSM to resolve hostnames on page 84.
Add Failover DSM to Primary DSM cluster on page 84.
Convert Failover DSM on page 85.
Configure Replication from Primary DSM on page 86.
The same steps can be followed to add more Failover DSMs to the HA Cluster.

Configure the DSM to resolve hostnames


The DSM can be configured to resolve hostnames using either local DNS or the server's own
hosts file. The process of adding a DNS server to the configuration is described in the DSM
Installation Guide.
Note: Perform the following step only if you need to resolve the DSM host names without a
DNS server.
To add a host name to the DSM, you do not edit the hosts file directly; instead log onto the
DSM as cliadmin (see DSM Installation Guide) and for each DSM use the CLI to add the host
names.
Using the CLI, switch to the network context and add the host name and ip-address of each
DSM host to be used in the cluster. Repeat this for each DSM:
#network
#host add <hostname> xxx.xxx.xxx.xxx

Add Failover DSM to Primary DSM cluster


1 Log into the Management Console as an administrator of type System Administrator or All


2 Select High Availability from the menu bar.

3 Click the Add button.

4 Enter the Server Name for the new failover DSM and click Ok.
The failover server is shown below the primary and the Role column entry will read Failover.
The Registered and Configured checkboxes will be unchecked.

Convert Failover DSM


1 Use an ssh utility to connect to the IP address of the failover DSM. See the DSM Installation
Guide for details.
2 Enter the following commands:
# ha                  (navigate to the High Availability submenu)
# convert2failover    (converts the DSM to a failover DSM)
You will see the following:
Warning: We will now convert this server to a failover server.
Please make sure the primary server is running and has this server on
its failover server list.
This will take several minutes.
Continue? (yes|no) [no]:

Type yes and press Enter.


3 Answer the following prompts:
Primary Security Server system administrator name: <Sysadmin or All Admin user>
Primary Security Server system administrator password:
This computer may have multiple IP addresses. All the agents will have
to connect to Security Server using same IP.
Enter the host name of this computer. This will be used by Agents to
talk to this Security Server.
This Security Server host name[<failover_name>]:
Please enter the following information for key and certificate
generation.
What is the name of your organizational unit? []:
What is the name of your organization? []:
What is the name of your City or Locality? []:
What is the name of your State or Province? []:
What is your two-letter country code? [US]:

Warning: This will overwrite all keystores on this failover server!

Primary_Server=<primary_name>
CAs_Fingerprint=<finger_print>
Ensure the fingerprint listed above matches the one on the primary
Security Server web console dashboard.

SUCCESS: convert server to failover server. The server is started. Please verify the fingerprint
4 Compare the CA Fingerprint value you see on the screen with the value displayed in the
Dashboard window of the primary server. They should match.

Configure Replication from Primary DSM


1 Log into the Management Console as an administrator of type System Administrator or All.
2 Select High Availability from the menu bar.
The failover DSMs will now have the Registered checkbox enabled, indicating that the
failover and primary DSM servers have mutually authenticated.
3 Click on the radio button in the Selected column for the failover server.
4 Click on the Config Replication button.


It will take several minutes to completely replicate the primary DSM configuration to the new
failover. Once replication completes, the checkbox should have an entry indicating successful
replication of the configuration (see below).

5 Repeat for each DSM to be added to the HA cluster.
