Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

id202684107

...

id202684119
Section
background-color$lightGrayColor
id202684106

Topics Discussed

Table of Contents
maxLevel3
minLevel3

...

id202684109

This article explains how to encrypt data using the in-place data transformation, which is also known as dataxform.

At a high level, you will:

  • Shut down the database software
  • Place a transformation policy in the directory
  • Implement encryption
  • Remove the transformation policy
  • Add the operational policy
  • Restart the database software
Note

During this process, the database software will shut down, which means access to the files in the database will be prevented.

Note

Armor recommends that you use the Copy Method for encryption because this method:

  • Reduces the amount of time spent setting the customized Dataxform policy on the GuardPoints on the DSM
  • Prevents any user error when you enter the text command to rekey the data
  • Ensures that the encrypted files are accessible before you remove the non-encrypted / original files


Prerequisites

...

Before you begin, you must have:

  • General understanding of the Vormetric product
  • Strong understanding of how to create GuardPoints in DSM
  • Strong undrestanding of how to create policies in DSM
  • A production key available to use


Encrypt with Data Transform

...

  1. Log into your DSM as a Security Administrator.
  2. In the top menu bar, click Policies.
  3. Click Add Online Policies.
  4. For Name, enter DataXform_Policy.
  5. (Optional) For Description, enter In Place Data Transformation Policy.
  6. Under Security Rules, click Add.

    Image ModifiedImage Modified

    1. Next to Action, click Select.
    2. At the bottom of the table, next to the kep_op entry, mark the box.
    3. Click Select Actions. This step will populate the Action field with key_op.

      Image Modified

  7. Locate the Effect field.
    1. Click Select.
    2. Mark the box for Apply Key and Audit.
    3. Click Select Effect.

      Image Modified

    4. This will populate the Effect field.
    5. Click Ok to add the rule to the policy.

      Image Modified

  8. In the Add Online Policy screen, click Add to add a second rule.

    Image Modified

    1. This action will take you to the Add Security Rule screen.
    2. Next to Effect, click Select.
    3. Mark the box for Deny and Audit.
    4. Click Select Effect.
    5. Click Ok.

      Image Modified

  9. Under Key Section Rules, click Add.
    1. This action will take you to the Add Key Rule screen.

      Image Modified

    2. Next to Key, click Select.
    3. Mark the box for clear_key.
    4. Click Select Key.

      Image Modified

    5. In the Add Key Rule screen, click Ok.

      Image Modified

  10. Locate the Data Transformation Rules section.
    1. Click Add.
    2. Next to Key, click Select.

      Image Modified

    3. Mark the box for the production key.
    4. Click Select Key. This action will populate the Key field.

      Image Modified

    5. Click Ok. This action will display two rules.

      Image Modified
      Image Modified

  11. In the top menu bar, click Hosts.
  12. Under Host Name, select the host you want to encrypt.
    • Verify that no services or users are trying to access the intended GuardPoint. You can accomplish this by shutting down the database service, and then confirming that there are no users in the working directory.

      Image Modified

  13. Click the Guard FS tab.

    Image Modified

  14. Click the Guard button.

    Image Modified

  15. In the Guard File System screen, click the Policy drop-down menu.
    1. Select DataXform_Policy.

      Image Modified

    2. Do not modify the Type field. This field should display Directory (Auto Guard).

      Image Modified

    3. Click Browse.

      Image Modified

  16. In the window that appears, expand the folder directory.
    Image Modified
  17. Locate and select the desired path that you want to protect.
  18. In the image below, the sample GuardPoint is: C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\
    1. Select the desired GuardPoint.
    2. Click Ok.

      Image Modified

  19. The GuardPoint you selected will populate the Path field.
    1. Confirm the intended path.
    2. Click Ok.

      Image Modified

  20. Under Status, click the refresh button for the newly created GuardPoint.
    1. You may need refresh several times.

      Image Modified

  21. Confirm the status turns green.

    Image Modified

  22. On the Windows server where you are going to apply the GuardPoint, right-click on the PowerShell icon, and then select Run as Administrator.

    Image Modified

  23. Before you can run the encryption command, you must change into the directory where the Vormetric dataXform utility is located (C:\Program Files\).
  24. Change the directory path where the utility is located (C:\Program Files\Vometric\DataSecurityExpert\agent\vmd\bin).
    • The utility has a feature that allows you to scan the indended GuardPoint before you run the DataXform command, which can be useful to verify that the GuardPoint can be encrypted and also to offer an estimate on how long the encryption configuration will take.
    • The DataXform data command function is: .\dataxform ••--deep_scan ••--gp <guard point path>

      Image Modified

  25. When you are in the DataXform utility path, you can run the DataXform command with various added arguments. The standard command is: .\dataxform --rekey --gp <directory path>
    1. You can add the .\dataxform --rekey flag to read data with the clear key and write back in with the production key (encrypting the data in place).
    2. You can add --print_state to retrieve a printout of how many files are going to be encrypted and periodic updates of how much data has been encrypted so far.
      1. The command would be .\dataxform --rekey --print_stat --gp <directory path>
    3. You can add the --cleanup_on_success flag to clean up the temporary files created during the DataXform process and are not necessarily needed in the future.
      1. The command would be: .\dataxform --rekey --print_stat --cleanup_on_success —gp <direcotry path>
    4. You can add the --preserve_modified_time flag to preserve the current time stamp of the files being encrypted, instead of changing the time stamp to when DataXform ran.
      1. The command would be: .\dataxform ••--rekey ••--print_stat --cleanup_on_success --preserve_modified_time --gp <directory>
  26. After you enter the command, press Enter.
    • If successful, you will see a text output similar to the screenshot below.
    • If unsuccessful, make sure there are two dashes before each flag and that the words are spelled correctly.
  27. Assuming your data is already backed up, then press y to continue.
  28. To remove the data transformation status files created earlier, press y, and then press Enter.

    Image Modified

  29. Return to the DSM console, and mark the box for the GuardPoint that contains the DataXform policy.
    1. If you are logged out of the DSM console, after you login, click the Hosts tab, select the desired Host Name, and then click Guard FS.
  30. Mark the box next to DataXForm_Policy.
  31. Select the Unguard button.

    Image Modified

  32. Click OK.

    Image Modified

  33. Click the Refresh button.

    Image Modified

  34. You may need to click Refresh several times before the GuardPoint disappears.
    1. When the GuardPoint disappears, click Guard.
    2. In the pop-up window, in the Policy drop-down menu, select your operational policy in learn mode. (In the screenshots below, the example is R1_Testing_VMW12.
    3. Expand the directory to the path, and then highlight the path you previously encrypted. (In the screenshots below, the example is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQ\Log.
    4. Click Ok.

      Image Modified

  35. Click the Refresh button.
    1. You may need to click Refresh several times before the GuardPoint turns green.

      Image Modified
      Image Modified

  36. Restart your database.

    Image Modified




Was this helpful?



Topics Discussed

Table of Contents
maxLevel3
minLevel3