Product Architecture, Features, and Technology
Contents
- Introduction
- HyTrust KeyControl / DataControl Product Features
- HyTrust Hardened FreeBSD OS
- HyTrust KeyControl Nodes and Clusters
- WebGUI Administrative Interface
- Application Programming Interface
- Administrative Roles
- Key Management Capabilities
- Secure Authentication of New Nodes
- Secure Protocol Support Between Nodes
- Support for VM In-Guest Encryption Using the HyTrust DataControl Policy Agent
- Secure Data Migration
- Next Steps
Introduction
In this section we cover the architecture of the HyTrust DataControl solution, describe the main features of the product and cover terminology that will be used throughout the Administration Guide.

HyTrust provides encryption and key management for virtual and physical machines. The major components of the HyTrust solution are:
- HyTrust KeyControl Nodes and clusters - the KeyControl cluster runs as an active-active cluster and stores keys, policies and configuration data related to the cluster and to any number of virtual machines where the HyTrust DataControl Policy Agent is installed. Administration of the system is through a web-browser-based GUI or through a set of REST-based APIs. Communication between the browser and the KeyControl cluster is over HTTPS. Since this is a full active-active cluster, the browser can point at any KeyControl node in the cluster. Any changes made are immediately reflected on all cluster nodes.
- HyTrust DataControl Policy Agent - the HyTrust DataControl Policy Agent (the Policy Agent) is a software module that runs inside Windows and Linux virtual machines, either local or in a private, public or hybrid cloud, providing encryption of virtual disks and individual files. The Policy Agent is typically used to provide encryption of virtual machines (or physical servers) in the data center. All VMs that have the Policy Agent installed can also securely share encrypted files. Encryption keys (KeyIDs) can be used by selected VMs to encrypt and decrypt files. Encrypted files can also be sent to cloud storage such as Amazon S3 and only accessed by the selected VMs where the Policy Agent is installed.
The KeyControl nodes contain HyTrust FreeBSD as the core operating system, described in more detail in the next section.
HyTrust KeyControl / DataControl Product Features
This section lists the features of the HyTrust DataControl solutions.
HyTrust Hardened FreeBSD OS
The base of every KeyControl node is the HyTrust-hardened version of FreeBSD, a light-weight, locked-down operating system that has no run-time login/SSH access to the system, to prevent tampering or attempts to access clear-text data and/or encryption keys. Each KeyControl node can be installed as a virtual machine or can be installed on physical (x86-based) hardware.
The main features of HyTrust FreeBSD are:
- A locked-down, hardened operating system.
- An ISO, OVA or AMI image that supports installation of a KeyControl node, from which the HyTrust DataControl Policy Agent can be downloaded.
- Mirrored root partitions for KeyControl software, to provide high availability, preventing downtime from disk failures.
- Encryption of the HyTrust software on the installation media to prevent tampering.
- No general login/SSH access to KeyControl, preventing key snooping or clear-text data snooping.
- Minimal OS software installed with industry standard lock-down capabilities built in.
- Ability to extract debug information through secure login. Login access does not give access to the main running system, so that there is no access to any sensitive data or encryption keys.
- GUI-based extraction of log / support information.
- Built-in VMtools supporting the management tools and vmxnet2 adapter.
HyTrust KeyControl Nodes and Clusters
At the heart of every DataControl deployment is an active-active cluster of KeyControl nodes that manage encryption keys for virtual/physical machines. All administration takes place from a standard web browser to any node in the KeyControl cluster or from a set of REST-based APIs. KeyControl nodes typically reside in your data center but could be run out of the public cloud as well.

KeyControl features include:
- Full active-active cluster.
- Clustered object store protecting keys, policies and configuration data. All objects are encrypted and ultimately wrapped with an Admin Key.
- Admin Key protection utilizing a software-based "n of m" backup. The Admin Key utilizes a hardware-based signature. This prevents KeyControl backups from being stolen and installed on new hardware.
- Mirrored system drives to protect against disk failure.
- Node join / leave without affecting the ability to deliver encryption keys.
- The system moves into degraded mode (read only) on network disconnect or KeyControl failure. While in degraded mode, any KeyControl node can still serve requests for keys and policies from VMs where the Policy Agent is installed.
- Each Policy Agent can talk to any KeyControl node, and switches to another node if it detects that the node it is using is down.
- Support for local authentication or RADIUS.
- Support for environments with and without email access.
- Strict password controls / checking.
- Rich RESTful API.
WebGUI Administrative Interface
Administration of the system takes place through the "webGUI," an administration console accessible through a standard web browser, described in more detail in Overview of the webGUI User Interface in HyTrust DataControl v3.0.

Access to the webGUI is over HTTPS and works with the standard browsers (tested with Safari, Internet Explorer, Chrome and Firefox). The full Administration Guide is accessible by clicking Help, found in a drop-down menu under the user’s login name at the top right of the screen, as shown in the screenshot above.
Application Programming Interface
In addition to the webGUI interface, we also provide a set of REST-based APIs and a Python script (that wraps the API calls and talks to the VMs for provisioning). This enables you to programmatically manage users and groups within the KeyControl cluster and also manage encryption within virtual machines. For details, see:
Administration model
The HyTrust solution provides a rich administrative framework that scales across organizations of different sizes. This approach is useful for organizations ranging from the single-administrator IT shop to a large, multi-tenant cloud service provider who needs to support secure customer environments.

The administration model provides for:
- Multi-tenancy: administrative roles allow for need-to-know and separation of duties. There are three distinct administrator roles (Security, Domain, and Cloud). Roles can be combined and there are no limits to the number of administrators. Administrators can be placed in administrative groups to provide peer oversight. All objects in the system are owned by administrative groups, and not by individual administrators.
- Support for multiple roles per admin.
- Keys are never exposed through the webGUI or any other mechanism.
- Alerts through the webGUI and through email.
- Audit records that can be displayed in the webGUI, saved to local disk or exported through syslog to an external log server.
Administrative roles
There are three major roles that can be assigned to a user. One user can have one, two, or all of these roles. You must decide based on your own security needs.
- Security Admin:
- Can create / delete users / groups, assign users to groups. Groups allow for dual knowledge (no single person can cause havoc by withholding information).
- Cannot see any storage, policies, virtual machines or modify anything.
- Sees all audit records. These records can be exported to an external syslog server.
- Domain Admin:
- Sets up HyTrust KeyControl nodes, usually configured in a cluster. KeyControl is typically set up as an active-active cluster to protect against system failure.
- Only sees audit records based on his / her group actions.
- Cloud Admin:
- Manages sets of virtual machines where the HyTrust DataControl Policy Agent is installed, providing encrypted devices. Capabilities provided for this role are:
- Creates and manages multiple "Cloud VM Sets," logical groupings of virtual machines, for example, "VMs running in AWS" or "VMs running in ENKI."
- Creates certificates for VMs that specify how long keys will be delivered for.
- Specifies key expiration dates.
- Revokes access to individual encrypted devices or the whole VM. When devices are revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Creates encryption keys to securely move encrypted data between specified VMs.
- Only sees audit records based on his or her group actions.
Key management capabilities
Key management is often referred to as the "Achilles heel of encryption." Managing encryption keys can be painful; it makes encryption difficult to deploy and is a source of fear for many organizations. HyTrust KeyControl provides strong encryption technology without the need for users to be experts on key management. Wherever possible, the internals of key management are hidden from the user. To use a cipher other than the default, it must be specified on the hcl encrypt command line; otherwise the Policy Agent uses AES-XTS-512 by default.
For a KeyControl/DataControl combination:
- AES 128/256/512-bit encryption support (CBC and XTS cipher modes). Specifically:
- AES-128 in CBC mode, using 128-bit keys. Not available on Windows boot drives.
- AES-256 in CBC mode, using 256-bit keys.
- AES-XTS-256 in XTS mode, using two 128-bit keys. Not available on Windows boot drives.
- AES-XTS-512 in XTS mode, using two 256-bit keys. Not available on Windows boot drives.
- Automatic detection and use of hardware crypto - AES-NI on Intel and AMD processors.
- Set an expiration date for keys - we generate one key per device.
- Secure encrypted communication between KeyControl clusters and Policy Agents.
- Ability to cache keys on the client VM (encrypted with a passphrase).
- Ability to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling and DR purposes).
- Share encryption keys between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data.
- On-line key rotation on Windows and off-line rekey on Linux.
For details on the processors that support AES-NI, please view this website.
Secure authentication of new nodes
Any new nodes (KeyControl nodes or VMs using DataControl) added to the system must be authenticated. As part of installation, a passphrase must be entered on the node being added and then on a KeyControl node within the cluster. This one-time passphrase allows the system to establish a secure channel over which certificates are exchanged, and those certificates then secure all subsequent communication.
Secure protocol support between nodes
The HyTrust solution provides secure communications between all nodes in the system:
- Secure REST-based protocol over HTTPS
- Used for all KeyControl-KeyControl and KeyControl-DataControl interactions
- All sensitive information (keys, policies) wrapped for additional security
Support for VM in-guest encryption using the HyTrust DataControl Policy Agent
The HyTrust DataControl Policy Agent (the Policy Agent) provides for encryption within a virtual machine.

There are a number of features provided in the Policy Agent including:
- Full encrypted path from the VM, through the hypervisor to the storage.
- Support for cloning and replication.
- Dynamic rekey on Windows, allowing initial encryption or rekey without taking the VM or applications offline.
- Filesystem resize for encrypted devices.
- Encryption of files and support for Amazon S3 storage.
- Migration of encrypted disks between VMs.
- Support for Windows failover clusters.
- Root and swap encryption.
Secure data migration
In VMs where the Policy Agent is installed, we support the ability to share KeyIDs (encryption keys referenced by a symbolic name) between VMs within the same Cloud VM Set. This allows you to encrypt data and move it between these VMs. Only the VMs within the same Cloud VM Set as the KeyIDs are able to decrypt the data. Encryption is on a file-by-file basis, so movement of larger amounts of data can be achieved by zipping/tarring groups of files and then encrypting them.
These mechanisms can also be used to encrypt data and move it to cloud storage knowing that only you will be able to decrypt the data on return.
As an extension to the KeyID notion, we also provide interfaces for migrating encrypted data between VMs through Amazon S3 storage.

Next Steps
Now you are ready to begin.
- To review the new user interface and start adding new users, go to Overview of the WebGUI User Interface.
- To begin installing KeyControl nodes, go to Installing and Managing KeyControl Nodes.