OpenInsight Data Encryption at Rest (RTIDER)

Transcription

OpenInsight Data Encryption at Rest (RTIDER)
OpenInsight Data Encryption at Rest
(RTIDER)
Version 1.1
A Division of Revelation Technologies, Inc.
COPYRIGHT NOTICE
© 1996-2014
Revelation Technologies, Inc. All rights reserved.
No part of this publication may be reproduced by any means, be it transmitted, transcribed, photocopied, stored in a
retrieval system, or translated into any language in any form, without the written permission of Revelation
Technologies, Inc.
SOFTWARE COPYRIGHT NOTICE
Your license agreement with Revelation Technologies, Inc. authorizes the conditions under which copies of the
software can be made and the restrictions imposed on the computer system(s) on which they may be used. Any
unauthorized duplication or use of any software product produced by Revelation Technologies, Inc., in whole or in
part, in any manner, in print or an electronic storage-and-retrieval system, is strictly forbidden.
TRADEMARK NOTICE
OpenInsight is a registered trademark of Revelation Technologies, Inc.
Windows 2000®, Windows XP Professional®, Windows Vista Business®, Windows 7®, Windows 8®, Windows
Server 2003®, Windows Server 2008®, Windows Server 2012® and above are registered trademarks of Microsoft,
Inc.
Part No. 314-983
Printed in the United States of America.
2
Table of Contents
SECTION I: INTRODUCTION TO RTIDER ....................................................................................... 4 DIFFERENT TYPES OF ENCRYPTED VOLUMES - SITE-SPECIFIC AND PASS .................................................................... 4 SECTION II: CONFIGURATION OF RTIDER SYSTEM .................................................................. 5 RTIDERSERVER INSTALL, SETUP, AND CONFIGURATION ........................................................................................... 5 RTIDERCLIENT INSTALL, SETUP, AND CONFIGURATION .......................................................................................... 13 SECTION III: CONFIGURE ENCRYPTION SERVER .................................................................... 17 SECTION IV: CREATING VOLUMES ............................................................................................... 28 CREATING A RTIDER VOLUME ................................................................................................................................ 28 CREATING A PASS VOLUME ..................................................................................................................................... 31 SECTION IV: CREATING ENCRYPTED TABLES .......................................................................... 35 CREATING A NEW ENCRYPTED TABLE ....................................................................................................................... 36 COPYING AN EXISTING TABLE TO AN ENCRYPTED VOLUME ...................................................................................... 54 CHANGING ENCRYPTION SETTINGS AFTER CREATION ............................................................................................... 65 SECTION V: MOVING DATA BETWEEN NORMAL AND ENCRYPTED VOLUMES ON A
SINGLE SYSTEM ................................................................................................................................... 71 SECTION VI: MOVING DATA BETWEEN RTIDER SYSTEMS ................................................... 72 3
Section I: Introduction to RTIDER
OpenInsight version 9.3 and above incorporates a new encryption service that system administrators can deploy to
encrypt (on a field by field level) data in OpenInsight. The data will be “encrypted at rest” using industry standard
encryption routines. Clients and the encryption service use the Windows Communication Foundation (WCF) to
communicate, thus allowing the data to be encrypted in transit. Through the use of an Encryption Server (normally,
but not necessarily, the same machine as the Universal Driver server), each OpenInsight workstation seamlessly and
securely encrypts data for storage when written into an encrypted volume.
The metadata and actual table contents are stored on the encryption server use AES encryption algorithm with a key
size of 256 and 2 key iterations. For more information on this type of encryption see:
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Different types of encrypted volumes - site-specific and
PASS
There are two different types of encrypted volumes. A normal RTIDER volume uses encryption keys that are
maintained by the Encryption Server; all workstations accessing this Encryption Server can (with proper
permissions) access the data, but the tables contained in these volumes cannot be used by any other system running
its own Encryption Server. Alternatively, a volume can be defined as an RTIDER PASS (Password Authenticated
Single Session) volume; to access tables in a PASS volume, the user must enter the required passphrases during
table attachment. The PASS volume can be moved among different Encryption Server systems, and is thus suitable
for transporting data either temporarily (for example, when copying tables between fixed systems) or permanently
(for example, putting such tables on a pen drive).
4
Section II: Configuration of RTIDER system
Prior to installing the Encryption Server, system administrators may choose to create a new privileged user on the
Windows PC that will act as the server. This user MUST have permissions to access the registry on the server. If a
new user is not created, an existing user with the proper permissions (NOT the default system user normally
assigned to services) may be used instead.
RTIDERServer install, setup, and configuration
To install the Encryption Server software, system administrators must run the Encryption Server Setup routine.
They will be prompted to enter the address and port number assigned to the Encryption Server, so that this
information can be updated for the subsequent Encryption Client installations. After installation, the system
administrator must change the "Login User" for the Encryption Server service before starting the Encryption Server
software, and must in addition make sure that the specified port number is accessible from all the desired clients.
Administrators will also need to run the "one time configuration" for the Encryption Server, to specify which
Windows groups will be allowed to perform various encryption roles.
5
1. The RTIDERServer setup executable can be found in the DERServer folder under your OpenInsight
directory. Right click on the executable and Run as administrator. 6
7
2. The default location is C:\Revsoft\RTIDERServer. 8
3. If the Service Details are incorrect you will not be able to continue. 9
4. The default TCP port for the Encryption Server is 8188. 10
11
5. Make sure that the RTIDERService is started prior to using the Encryption Server. 12
RTIDERClient install, setup, and configuration
1.
The Encryption Client software is automatically installed during the client setup process (performed by
running the clientsetup.exe contained in the OpenInsight folder).
13
2.
14
Specify the location you want to store the client install files.
3.
Click No to install the .NET 4.0 framework which is required for the Encryption Service.
15
16
Section III: Configure Encryption Server
1.
To configure the Encryption Server open the Database Manager from Application Tools.
17
2.
18
From the Database Manager select Utilitiies, OpenInsight Tables, Data Encryption At Rest, Configure
Server.
19
20
3.
If the Encryption Server has already been configured you will receive the following message. Do NOT
change your Passphrase or Encryption Seed.
4.
Secure your Server Passphrase and Encryption Seed in a secure location. You will need these in the event
of disaster recovery to regain access to your encrypted data.
5.
One or more Windows Groups are assigned to one or more Encryption Server Roles provided with the
Encryption Server.
Members of the groups that are in the Role Manager role are the people who can assign groups to the other
roles.
21
6.
22
The Security Groups can be selected from a popop.
7.
Members of the groups in the Server Manager roles can change the encryption settings on the server.
23
8.
24
Members of the groups that are in the Table Manager role can define or change the encryption settings on
tables.
9.
Members of the groups that are in the Assign Impersonators role can programmatically set which group
they wish to impersonate. This is used when multiple different permissions are required, but all users log
into Windows as the same user (e.g. the O4W user).
25
10. Members of the groups that are in the Data Access roles are allowed to access the encryption system. Any
users who are not members of these groups will not be able to connect to the encryption server.
26
27
Section IV: Creating Volumes
Creating a RTIDER volume
Before encrypted tables can be created, an encrypted volume must first be defined. For a normal RTIDER volume,
the normal CREATE_VOLUME procedure is used, with additional encryption parameters passed in as part of the
"control_location" parameter:
Create_Volume( volume_name , filing_system, location, control_location, status)
The volume_name is the name of the new volume to create; the filing_system must be "RTP57E" for an encrypted
volume; the location is the physical Windows directory for this volume; and the control_location contains the
encryption details, @VM delimited:
server_address : @VM : server_port : @VM : show_protected
Where server_address is the IP address of the Encryption Server, server_port is the port number that the Encryption
Server service is "listening" on, and show_protected is a flag (0 or 1) to indicate whether encrypted fields should be
blanked out (0) or displayed in their encrypted format (1) by users who do not have permissions to decrypt those
fields.
1.
28
To Create a Volume open the Database Manager from Application Tools.
2.
Enter your Volume Name and Location and click the Save button. If Show encrypted is selected then users
with no permissions will see the encrypted value. If Hide encrypted is selected then users with no
permissions will see a blank value for all encrypted data.
29
3.
30
You can add or remove one or more MFS’ to an entire volume instead of individual tables.
Creating a PASS volume
To create a PASS volume, you must use the CREATE_VOLUME_PASS procedure:
Create_Volume_Pass( volume_name, location, control_location, passphrase, initVector, status)
Where volume_name, location, and control_location are defined as above, and passphrase and initVector are the
unique pieces that will be used to encrypt the information in this volume. The passphrase and the initVector are
both user-defined strings or words; they should be unique to each PASS volume, but may be anything that is both
memorable and easy to keep secret.
Note that, since PASS volumes require the passphrase and initVector to be specified each time they are initially
accessed, you should NOT add tables in the PASS volume(s) to your database definition. Instead, you must always
run ATTACH_TABLE_PASS to attach, on a per-session basis, the tables in the PASS volume:
Attach_Table_PASS( volume_pointer_name, tablelist, database, passphrase, initVector, status)
1.
To Create a PASS Volume open the Database Manager from Application Tools.
31
2.
32
Enter your Volume Name and Location. Select PASS and enter the PASS Volume Passphrase and
Encryption Seed. Click the Save button.
1.
To Attach a PASS Volume open the Database Manager from Application Tools.
2.
Select the PASS Volume location and enter the PASS Volume Passphrase and Encryption Seed.
33
34
Section IV: Creating encrypted tables
Tables in the encrypted volume can be created using the CREATE_TABLE procedure, which has now been
extended to include an additional parameter:
Create_Table(locationlist, tablename, dictflag, databaseID, tableattributeslist, protectflag, unused, unused,
encryptInfo)
The encryptInfo parameter defines which fields in the table should be encrypted, which groups should be able to
access the data in the table, and how keys should be processed. This parameter is @FM delimited as follows:
1. list_of_fields
2. list_of_groups
3. error flag
4. key part flag
Field 1 (list_of_fields) contains a list of which fields should be encrypted; this list is comma-delimited, and may
contain 0 (to indicate the key field), 0*<keypart> (for example, 0*1) (to indicate part of the key field), or -1 (to
indicate all fields, including the key field). An example of the list_of_fields may be "0,1,3,4", or "-1".
Field 2 (list_of_groups) defines which Windows groups should have access to each of the encrypted fields; this list
is in the format <fieldnumber>:<groupname>{;<groupname>;<groupname>}{,<fieldnumber>...}. For each field
that may be encrypted (as defined in the list_of_fields), you may specify one or more Windows groups that can
access that fields' information. As above, the field number may contain 0 (for the key field), 0*<keypart> (for a key
part), or -1 (for all fields, including the key field); the group names can also be "*" to indicate "all valid Windows
users in this domain." An example of the list_of_groups may be "0:inventory;acctg,1:*,3:acctg,4:inventory" or "1:*".
If a user attempts to update a record for which he/she does not have full permissions, the Encryption Server can
either "merge" the original record's fields with the updated data, or generate an error. If field 3 (error flag) is set to
1, then an error is returned; if set to 0, then the modified data is merged with the protected fields.
If a key contains multiple parts (separated by the key delimiter "*"), it can be encrypted as a single piece of
information, or each key part can be encrypted separately. If field 4 (key part flag) is set to 1, then each key part is
encrypted separately; if set to 0, the entire key is treated as a single string, and the key delimiters are ignored during
the encryption process).
Please note that it is specifically allowed to create a table with no encryption information in an encrypted volume simply pass in an empty string ("") for the encryptInfo parameter. If instead you wish to create an encrypted table
with the default settings, pass in a parameter with 4 fields, each of which are the empty string ("").
35
Creating a new encrypted table
1.
36
You can create a new encrypted table from Database Manager, Utilities, OpenInsight Tables, Data
Encryption at Rest, Create Table.
2.
You can also create an encrypted table from Database Manager. Choose File, New Table.
37
3.
38
Click the Browse button and select Defined Locations.
4.
Select the location of your Encrypted Volume. Encrypted volumes are denoted with a Filing System of
RTP57E.
39
5.
40
Add your data dictionary columns.
6.
Tables created in encrypted volumes will be prompted with the following form to set the encryption
settings for this table.
41
7.
42
You can set the encryption level at none, all fields or specific fields. For users with no permissions you can
choose to not allow record updates or allow record updates leaving the encrypted field unchanged. Record
keys can be encrypted as a single string or individually by key parts.
8.
Field level encryption can be set by checking the appropriate dictionary name. Access groups are set to
default settings of the Encryption Server.
43
9.
44
Specific Access Groups can be selected on a field level by double clicking on Access Groups.
10. Select the appropriate Access Groups for this field from the popup provided.
45
46
11. The Encryption Attributes can be altered on a table as long as no data has been added to that table. Field
Level encryption settings can only be altered on empty tables. From the Table Builder menu choose File,
Encryption Attributes.
47
12. If a table contains data the only encryption parameter that can be modified is Update rows with restricted
access.
48
13. In this example we will add data rows to our newly created table from Database Manager.
49
14. Right click on the table and choose Table Browser.
50
15. From Table Browser add several data rows and Save.
51
16. The data location of this encrypted table can be seen in line 6 of the SYSTABLES*CONTACTS record.
52
17. If we open this file in Notepad you can see that the fields we selected are encrypted.
53
Copying an existing table to an encrypted volume
1.
54
You can copy an existing table to an encrypted volume by selecting Copy Table wizard from the Database
Manager, Utilities, OpenInsight Tables, Data Encryption at Rest, Copy Table Wizard.
2.
You can also copy an existing table to an encrypted volume from Database Manager. Choose File,
Encrypted Copy Table Wizard.
55
3.
56
Select the table that you want to copy to an encrypted volume.
4.
Tables that contain indexes cannot be copied to an encrypted volume. The indexes must be removed prior
to copying the table.
57
58
5.
Once the indexes have been removed you can select your source table to copy.
6.
Select the location an encrypted volume that you want to copy your table into.
59
60
7.
Choose the application for the copied table.
8.
By default the copied table name is the same as your source table name. You can change the table name.
9.
Choose your level of encryption for this table.
10. Select the columns which will be encrypted.
61
11. You have the option to delete the source unencrypted table (not recommended) upon completion of the
Wizard.
62
12. Upon completion of the Wizard, the table has been copied to the encrypted volume and removed from the
unencrypted volume.
63
13. Table Browser will display the copied data rows.
64
Changing encryption settings after creation
1.
It is possible to change the encryption settings after the table has been created; this is especially useful if
you wish to use the Table Builder to create the proper dictionary definitions before deciding which fields
should be encrypted. However, you MUST change the encryption settings BEFORE any data has been
stored in the table.
65
66
2.
In this example we are changing the Access Groups for the FAX field.
67
3.
68
Users who are not members of this group cannot see the FAX data.
4.
Here we are setting the Access Group back to the original setting.
69
5.
70
Members of this Access Group can now view the FAX field.
Section V: Moving data between normal and encrypted
volumes on a single system
To encrypt existing tables, or remove encryption from an already-encrypted table, you can use the COPY_TABLE
procedure, which now supports an additional parameter:
Copy_Table(tablename, location, database, newtablename, lockflag, deleteflag, overwriteflag, existflag, status,
removerelationalindexing, encryptInfo)
The encryptInfo parameter contains the same information as specified above in CREATE_TABLE. It is only
required when copying to an encrypted (RTP57E) volume. When copying from an encrypted volume to a normal
volume, or between normal (RTP57) volumes, the encryptInfo parameter can be omitted.
71
Section VI: Moving data between RTIDER systems
Data stored in normal RTIDER volumes can only be read by the Encryption Server on which it was created. To
move data to another RTIDER system, you must create a PASS volume, and then use COPY_TABLE to duplicate
the data in the PASS volume. Once completed, the entire contents of the physical Windows folder where the PASS
volume was defined can be moved to the target RTIDER system, attached (using ATTACH_TABLE_PASS), and
then COPY_TABLE can again be called to move the transported data onto the new RTIDER system.
If you do not wish to transport an entire table's contents, but still wish to protect one or more rows via encryption
during transport, the steps to follow are almost the same - create a PASS volume, create an encrypted table in the
PASS volume, use COPY_ROW to copy data from the source table to this "transport" table, move the Windows
folder to the target system, attach the PASS volume with ATTACH_TABLE_PASS, and then COPY_ROW the data
to the target table.
72
Revelation Software, Inc
99 Kinderkamack Road Ste 109
Westwood, NJ 07675
U.S.A
Toll Free: 800-262-4747
Phone: 201-594-1422
Fax: 201-722-9815
www.revelation.com
Revelation Software Ltd.
Boundary House
Boston Road
London, W7 2QE
U.K.
Phone: +44 0 208 912 1000
Fax: +44 0 208 912 1001
info@revsoft.co.uk
BrightIdeas New Zealand
44 Cockle Bay Rd, Howick
Auckland, 2014
New Zealand
Phone: +64 9 534 9134
info@revelation.asia
Revelation Software is a division of Revelation Technologies, Inc.
Part No. 314-983
73