HyTrust DataControl Architecture and Features
Introduction
In this section we cover the architecture of HyTrust DataControl, describe the main features of the product, and cover terminology that will be used throughout the Administration Guide.
The following figure provides a high-level view of the main architectural components of HyTrust DataControl.
HyTrust provides encryption and key management for virtual and physical machines. The major components are:
- HyTrust KeyControl - supporting an active-active cluster, the KeyControl cluster stores keys, policies and configuration for any number of virtual machines with the HyTrust DataControl Policy Agent installed. Administration is through a web-browser-based GUI or through a set of REST-based APIs. Communication between the browser and the KeyControl cluster is over HTTPS. Since this is an active-active cluster, the browser can point at any KeyControl node in the cluster. Any changes made are immediately reflected on all cluster nodes.
- HyTrust DataControl Policy Agent - HyTrust DataControl Policy Agent (the Policy Agent) is a software module that runs inside the Windows or Linux operating system of a VM or physical server, in a private, public or hybrid cloud, providing encryption of virtual disks and individual files. All VMs that have the Policy Agent installed can also securely share encrypted files. Encryption keys (KeyIDs) can be used by selected VMs to encrypt and decrypt files. Encrypted files can be placed in cloud storage such as Amazon S3 and only accessed by the selected VMs where the Policy Agent is installed.
KeyControl nodes contain FreeBSD as the core operating system, described in more detail in the next section.
HyTrust KeyControl / DataControl Product Features
This section lists the features of the HyTrust DataControl solution.
HyTrust Hardened OS
The base of every KeyControl node is the HyTrust-hardened version of FreeBSD, a light-weight, locked-down operating system that has no run-time login/SSH access to the system, to prevent tampering or attempts to access clear-text data and/or encryption keys. Each KeyControl node can be installed as a virtual machine or can be installed on physical (x86-based) hardware.
The main features:
- An ISO, OVA or AMI image that supports installation of a KeyControl node, from which the Policy Agent can be downloaded.
- Mirrored root partitions, to provide high availability for physical KeyControl servers, preventing downtime from disk failures.
- Encryption of the HyTrust software on the installation media to prevent tampering.
- All major system software is protected from tampering by whitelisting.
- No general login/SSH access to KeyControl, preventing key snooping or clear-text data snooping.
- Minimal OS software installed with industry standard lock-down capabilities built in.
- Ability to extract debug information through secure login. Login access does not give access to the main running system, so that there is no access to any sensitive data or encryption keys.
- GUI-based extraction of log / support information.
- Built-in VMtools.
HyTrust KeyControl Nodes and Clusters
At the heart of every DataControl deployment is an active-active cluster of KeyControl nodes that manage encryption keys for virtual/physical machines. All administration takes place from a standard web browser to any node in the KeyControl cluster or from a set of REST-based APIs.
KeyControl features include:
- Active-active cluster.
- Clustered object store protecting keys, policies and configuration data. All objects are encrypted and ultimately wrapped with an Admin Key.
- Admin Key protection utilizing a software-based "n of m" backup. The Admin Key utilizes a hardware-based signature. This prevents KeyControl backups from being stolen and installed on new hardware.
- Nodes can join / leave without affecting the ability to deliver encryption keys.
- A KeyControl node moves into degraded mode (read only) on network disconnect or failure. While in degraded mode, any KeyControl node can still serve requests for keys and policies from VMs where the Policy Agent is installed.
- Each Policy Agent can communicate with any KeyControl node, switching to another node if it detects that the current one is not responding.
- Support for admin authentication via local accounts with strict password controls or via RADIUS.
- Support for Alerts in environments with and without email access.
- Rich RESTful API.
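The "n of m" backup of the Admin Key listed above means that a quorum of share holders, rather than any single person or file, is needed to restore the key. The following is an added example written for this guide, not HyTrust's implementation: it shows the standard technique behind such backups, Shamir secret sharing over a prime field. The choice of prime, the 32-byte key length and the 3-of-5 split are assumptions made for the illustration.

```python
# Added example (not HyTrust code): a generic "n of m" threshold split of a
# master key, as Shamir secret sharing over the prime field GF(2^521 - 1).
# Any `threshold` shares reconstruct the key; fewer reveal nothing about it.
import secrets

PRIME = (1 << 521) - 1   # Mersenne prime; comfortably larger than a 256-bit key
KEY_LEN = 32             # bytes; assumed size of the master key being backed up


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x in GF(PRIME) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split integer `secret` into `share_count` (x, y) shares; any `threshold`
    of them recover it. x starts at 1 because f(0) is the secret itself."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def reconstruct(shares):
    """Lagrange-interpolate f(0) from (x, y) shares. With fewer shares than the
    threshold this still returns a field element, but an unrelated one."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den^(PRIME-2) is the modular inverse (Fermat), since PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key, threshold, share_count):
    """Convenience wrapper for a fixed-length byte-string key."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    return split_secret(int.from_bytes(key, "big"), threshold, share_count)


def recover_key(shares):
    """Recover the key bytes. A result that does not fit in KEY_LEN bytes is a
    strong sign that too few (or mismatched) shares were supplied."""
    value = reconstruct(shares)
    if value >= 1 << (8 * KEY_LEN):
        raise ValueError("shares do not reconstruct a key; threshold not met?")
    return value.to_bytes(KEY_LEN, "big")


if __name__ == "__main__":
    master_key = secrets.token_bytes(KEY_LEN)       # constructed sample key
    shares = split_key(master_key, threshold=3, share_count=5)
    assert recover_key([shares[0], shares[2], shares[4]]) == master_key
    print("3 of 5 shares recovered the key")
```

Each share is handed to a different custodian; the key only exists again when a threshold of them bring their shares together, which is the separation-of-duties property the backup is meant to provide. Note that the shares alone do not reproduce the hardware-based signature that the guide says also protects the Admin Key; that binding to the original hardware is a separate control and is not modelled here.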
WebGUI Administrative Interface
Administration of the system takes place through the "webGUI," an administration console accessible through a standard web browser, described in more detail in Overview of the webGUI User Interface.
Access to the webGUI is over HTTPS and works with the latest version of the standard browsers (tested with Safari 9 and above, Internet Explorer 10 and above, Chrome 47 and above, and Firefox 42 and above). The full online help includes all guides, and is accessible by clicking Help, found in a drop-down menu under the user’s login name at the top right of the screen.
Application Programming Interface
In addition to the webGUI, KeyControl provides a remote CLI, a REST API and a Python API. These enable you to programmatically manage users and groups within the KeyControl cluster and also manage encryption within virtual machines. For details, see:
Administration Model
HyTrust KeyControl provides a rich administrative framework that spans multiple organizations of different sizes. This approach is useful for organizations ranging from the single-administrator IT shop to a large, multi-tenant cloud service provider who needs to support secure customer environments.

The administration model provides for:
- Multi-tenancy: administrative roles allow for need-to-know and separation of duties. There are three distinct administrators (Security, Domain, and Cloud). Roles can be combined and there are no limits to the number of administrators. Administrators can be placed in administrative groups to provide peer oversight. All objects in the system are owned by administrative groups, and not by administrators.
- Support for multiple roles per admin.
- Alerts are presented through the webGUI and sent through email.
- Audit records that can be displayed in the webGUI, downloaded, or exported through syslog to an external log server.
Administrative Roles
There are three major roles that can be assigned to a user. One user can have one, two, or all of these roles.
- Security Admin:
- Can create / delete users / groups, assign users to groups. Groups allow for dual knowledge (no single person can cause havoc by withholding information).
- Cannot view any storage, policies, virtual machines or modify any associated settings.
- Can view all audit records. These records can be exported to an external syslog server.
- Domain Admin:
- Can set up HyTrust KeyControl nodes. KeyControl is typically set up as an active-active cluster to protect against system failure.
- Can view audit records based on his or her group actions.
- Cloud Admin:
- Manages sets of virtual machines with HyTrust DataControl Policy Agent installed, providing encrypted devices.
- Permissions provided for this role are:
- Can create and manage multiple "Cloud VM Sets," for example, "VMs running in AWS" or "VMs running in Datacenter UK."
- Can create certificates for VMs, and specify how long keys will be delivered for.
- Can specify key expiration dates.
- Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
- Can create encryption keys to securely move encrypted data between specified VMs.
- Can view audit records based on his or her group actions.
Key Management Capabilities
Key management is often referred to as the "Achilles heel of encryption." Managing encryption keys can be painful and makes encryption difficult to deploy and manage for many organizations. HyTrust KeyControl provides strong encryption technology without the need for users to be experts on key management. Wherever possible, the internals of key management are hidden from the user.
Encryption Key Sizes and Algorithms
A cipher can be specified when a disk is encrypted or when a KeyID or FSID is created; if none is specified, the Policy Agent uses AES-XTS-512 by default.
For Policy Management encryption keys:
- AES 128/256/512-bit encryption support (CBC and XTS cipher modes). Specifically:

Algorithm | Mode | Key size | Notes |
---|---|---|---|
AES-128 | CBC | 128-bit | Not available on Windows boot drives |
AES-256 | CBC | 256-bit | |
AES-XTS-256 | XTS | 128-bit | Not available on Windows boot drives |
AES-XTS-512 | XTS | 256-bit | Not available on Windows boot drives |

- Automatic detection and use of hardware crypto - AES-NI on Intel and AMD processors.
- Set an expiration date for keys - one key per device is generated.
- Secure encrypted communication between KeyControl clusters and Policy Agents.
- Ability to cache keys in the VM (encrypted with a passphrase).
- Ability to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling and DR purposes).
- Share encryption keys between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data and disks.
- On-line key rotation on Windows and off-line rekey on Linux.
For details on the processors that support AES-NI, please view this website.
Checking For the Presence of AES-NI
To determine whether your particular computer supports AES-NI, open a command-line window and issue the following command on Windows:
Note: in the command-line interface, your input appears in bold monospaced type.

# hccmd aesni-check

Your system responds with an explicit statement:

AES-NI detected.

or

AES-NI not detected.

On Linux, issue the command:

# grep aes /proc/cpuinfo

If AES-NI is not available, nothing is returned. If it is available, an "aes" flag displays:

# grep aes /proc/cpuinfo
flags : ... ssse3 cx16 sse4_1 sse4_2 popcnt aes ... dts
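The Linux check above is a substring grep over /proc/cpuinfo. The following added example, written for this guide and not part of HyTrust's tooling, performs the same check from Python but matches the "aes" flag as a whole word, so a flag name that merely contains those letters cannot produce a false positive, and it reports clearly when /proc/cpuinfo does not exist. The "Features" label for arm64 cpuinfo and the sample excerpts are assumptions constructed for the example.

```python
# Added example (not HyTrust code): parse /proc/cpuinfo and test for the "aes"
# flag as a whole word, which is what `grep aes /proc/cpuinfo` is checking for.
import re
from pathlib import Path

# x86 Linux reports "flags : ..."; arm64 Linux reports "Features : ..." (assumed
# label for that architecture). The first matching line is used.
_FLAG_LINE = re.compile(r"^(?:flags|Features)\s*:\s*(.*)$", re.MULTILINE)

# Constructed sample excerpts, modelled on the output shown in the guide.
SAMPLE_WITH_AES = (
    "processor\t: 0\n"
    "model name\t: constructed example CPU\n"
    "flags\t\t: fpu vme ssse3 cx16 sse4_1 sse4_2 popcnt aes avx dts\n"
)
SAMPLE_WITHOUT_AES = (
    "processor\t: 0\n"
    "model name\t: constructed example CPU\n"
    "flags\t\t: fpu vme ssse3 cx16 sse4_1 sse4_2 popcnt avx dts\n"
)


def cpu_flags(cpuinfo_text):
    """Return the set of feature flags from the first flags line, or an empty set."""
    match = _FLAG_LINE.search(cpuinfo_text)
    return set(match.group(1).split()) if match else set()


def has_aesni(cpuinfo_text):
    """True if the 'aes' flag is present as a whole word. Plain substring
    matching would also fire on any other flag name that contains "aes"."""
    return "aes" in cpu_flags(cpuinfo_text)


def check_host(path="/proc/cpuinfo"):
    """Check the running host. Returns True/False, or None when the file is
    absent (not Linux, or procfs not mounted)."""
    p = Path(path)
    if not p.is_file():
        return None
    return has_aesni(p.read_text())


if __name__ == "__main__":
    result = check_host()
    print({True: "AES-NI detected.",
           False: "AES-NI not detected.",
           None: "/proc/cpuinfo not available on this host."}[result])
```

Inside a virtual machine the flag reflects what the hypervisor exposes to the guest, so a physical host with AES-NI can still show no "aes" flag in the VM; in that case the Policy Agent falls back to software AES, and the CPU feature mask of the VM is where to look.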
Secure authentication of new nodes
Any new nodes (KeyControl node or VMs using DataControl) must be authenticated. As part of install, a passphrase is required on the new node, which must also be provided to a KeyControl node within the cluster. This one-time passphrase allows the nodes to establish a secure channel over which certificates are exchanged allowing for secure subsequent communications.
Secure protocol support between nodes
The HyTrust KeyControl Cluster provides secure communications among all nodes:
- Secure REST-based protocol over HTTPS
- Used for all KeyControl-KeyControl and KeyControl-DataControl interactions
- All sensitive information (keys, policies) wrapped for additional security
VM in-guest encryption using HyTrust DataControl Policy Agent
The HyTrust DataControl Policy Agent (Policy Agent) provides for encryption of disks, filesystems and files within a virtual machine.

There are a number of features provided in the Policy Agent including:
- Full encrypted path from the VM, through the hypervisor to the storage.
- Support for cloning and replication.
- Dynamic rekey on Windows, allowing initial encryption or rekey without taking the VM or applications offline.
- Filesystem resize for encrypted devices.
- Encryption of files and support for Amazon S3 storage.
- Linux file-level and folder-level encryption.
- Migration of encrypted disks between VMs.
- Support for Windows failover clusters.
- Root and swap encryption.
Platforms Supported for Device Encryption
We have currently tested on the following Linux and Windows platforms for encryption of devices. We do not support 32-bit versions. Note that all Windows operating systems listed below are supported on AWS and Azure.
Platform | Data Encryption | Root/System Drive Encryption |
---|---|---|
CentOS 5.10-5.11 | Yes | No |
CentOS 6.2-6.8 | Yes | Yes |
CentOS 7.0-1406, 7-1503, 7-1511 | Yes | Yes |
RHEL 5.10-5.11 | Yes | No |
RHEL 6.2-6.8 | Yes | Yes |
RHEL 7.0-7.2 | Yes | Yes |
Ubuntu 12.04.05 | Yes | Yes |
Ubuntu 14.04 | Yes | Yes |
Ubuntu 15.04 | Yes | Yes |
AWS Amazon Linux 2015 (PV and HVM) | Yes | Yes |
Microsoft Windows 7 | Yes | Yes (boot drive encryption) |
Microsoft Windows 8, 8.1 | Yes | Yes (boot drive encryption) |
Microsoft Windows 10 | Yes | Yes (boot drive encryption) |
Microsoft Windows Server 2008 R2 | Yes | Yes (boot drive encryption) |
Microsoft Windows Server 2012 | Yes | Yes (boot drive encryption) |
Microsoft Windows Server 2012 R2 | Yes | Yes (boot drive encryption) |
If the version of Linux you are running is not listed above, please contact us at info@hytrust.com and provide us with information about the version of Linux and the problems seen.
Secure Data Migration
In VMs with the Policy Agent installed, we support the ability to share KeyIDs (encryption keys referenced by a symbolic name) between VMs within the same Cloud VM Set. This allows you to encrypt data and move it securely between these VMs. Only the VMs within the same Cloud VM Set as the KeyIDs are able to decrypt the data. Encryption is on a file-by-file basis, so movement of larger amounts of data can be achieved by zipping/tarring groups of files and then encrypting them.
These mechanisms can also be used to encrypt data and move it to cloud storage knowing that only you will be able to decrypt the data on return.
As an extension to the KeyID notion, we also provide interfaces for migrating encrypted data between VMs and through Amazon S3 storage.
Next Steps
Now you are ready to begin.
- To review the user interface and start adding new users, go to "Overview of the WebGUI User Interface"
- To begin installing KeyControl nodes, go to "Installing and Managing KeyControl Nodes"