HyTrust DataControl Architecture and Features

This chapter describes support for encryption within individual Virtual Machines (VMs) or physical servers wherever they reside (data center, private, public or hybrid clouds). For virtual machines, the HyTrust DataControl Policy Agent has been validated on Windows and Linux VMs on VMware vSphere, Amazon Web Services (AWS), Microsoft Azure and IBM SoftLayer.

The following figure provides a high-level view of the main architectural components of HyTrust DataControl:

HyTrust provides encryption and key management for virtual and physical machines. The major components are:

HyTrust KeyControl — supporting an active-active cluster, the KeyControl cluster stores keys, policies and configuration for any number of virtual machines with the HyTrust DataControl Policy Agent installed. Administration is through a web-browser-based GUI or through a set of REST-based APIs. Communication between the browser and the KeyControl cluster is over HTTPS. Because this is an active-active cluster, the browser can point at any KeyControl node in the cluster and any changes made are immediately reflected on all cluster nodes.
HyTrust DataControl Policy Agent (the Policy Agent) — a software module that runs inside Windows and most Linux operating systems in a VM or on a physical server, in a private, public or hybrid cloud, providing encryption of virtual disks and individual files. All VMs that have the Policy Agent installed can also securely share encrypted files. Encryption keys (KeyIDs) can be used by selected VMs to encrypt and decrypt files. Encrypted files can be placed in cloud storage such as Amazon S3 and only accessed by the selected VMs where the Policy Agent is installed.

KeyControl nodes contain FreeBSD as the core operating system, described in more detail below.

HyTrust Hardened OS

The base of every KeyControl node is the HyTrust-hardened version of FreeBSD, a light-weight, locked-down operating system that has no run-time login/SSH access to the system, to prevent tampering or attempts to access clear-text data and/or encryption keys. Each KeyControl node can be installed as a virtual machine or can be installed on physical (x86-based) hardware.

The main features:

An ISO, OVA or AMI image that supports installation of a KeyControl node, from which the Policy Agent can be downloaded.
Mirrored root partitions, to provide high availability for physical KeyControl servers, preventing downtime from disk failures.
Encryption of the HyTrust software on the installation media, to prevent tampering.
All major system software protected from tampering by whitelisting.
No general login/SSH access to KeyControl, preventing key snooping or clear-text data snooping.
Minimal OS software installed with industry standard lock-down capabilities built in.
Ability to extract debug information through secure login. Login access does not give access to the main running system, so that there is no access to any sensitive data or encryption keys.
GUI-based extraction of log / support information.
Built-in VMtools.

HyTrust KeyControl Nodes and Clusters

At the heart of every DataControl deployment is an active-active cluster of KeyControl nodes that manage encryption keys for virtual/physical machines. All administration takes place from a standard web browser to any node in the KeyControl cluster or from a set of REST-based APIs.

Arch KeyControl

KeyControl features include:

Active-active cluster.
Clustered object store protecting keys, policies and configuration data. All objects are encrypted and ultimately wrapped with an Admin Key.
Admin Key protection utilizing a software-based "n of m" backup. The Admin Key utilizes a hardware-based signature. This prevents KeyControl backups from being stolen and installed on new hardware.
Nodes can join / leave without affecting the ability to deliver encryption keys.
A KeyControl node moves into degraded mode (read only) on network disconnect or failure. While in degraded mode, any KeyControl node can still serve requests for keys and policies from VMs where the Policy Agent is installed.
Each Policy Agent can communicate with any KeyControl node, switching between them if they detect a non-responsive KeyControl node.
Support for admin authentication via local accounts with strict password controls, or via RADIUS.
Support for Alerts in environments with and without email access.
Rich RESTful API.

KeyControl webGUI Administrative Interface

Administration of the system takes place through the KeyControl webGUI, an administration console accessible through a standard web browser.

Access to the webGUI is over HTTPS and works with the latest version of standard browsers (tested with Safari 9 and above, Internet Explorer 10 and above, Chrome 47 and above, and Firefox 42 and above). The full online help includes all guides, and is accessible by clicking Help, found in a drop-down menu under the user’s login name at the top right of the screen.

Application Programming Interface

HyTrust provides a remote CLI (hicli), REST API, and Python API. This enables you to programmatically manage users and groups within the KeyControl cluster and also to manage encryption within virtual machines. For details, see:

Administration Model

HyTrust KeyControl provides a rich administrative framework that can be leveraged by multiple organizations of different sizes. This approach is useful for organizations ranging from the single-administrator IT shop to a large, multi-tenant cloud service provider who needs to support secure customer environments.

Arch Admins

The administration model provides for:

Multi-tenancy: administrative roles allow for need-to-know and separation of duties. There are three distinct administrative roles (Security, Domain, and Cloud). Roles can be combined and there are no limits to the number of administrators. Administrators can be placed in administrative groups to provide peer oversight. All objects in the system are owned by administrative groups, and not by administrators.
Support for multiple administrative roles per admin.
Alerts are presented through the webGUI and sent through email.
Audit records that can be displayed in the webGUI, downloaded, or exported through syslog to an external log server.

Administrative Roles

There are three major roles that can be assigned to a user. One user can have one, two, or all of these roles.

Security Admin

Can create / delete users / groups, assign users to groups. Groups allow for multiple-admin knowledge (no single person can cause havoc by withholding information).
Does master key management.
Cannot view any storage, policies, virtual machines or modify any associated settings.
Can view all audit records. These records can be exported to an external syslog server.

Domain Admin

Can set up HyTrust KeyControl nodes. KeyControl is typically set up as an active-active cluster to protect against system failure.
Can set up HyTrust KeyControl nodes. KeyControl is typically set up as an active-active cluster to protect against system failure.

Cloud Admin

Manages sets of virtual machines that have the HyTrust DataControl Policy Agent installed, providing encrypted devices.
Can create and manages multiple "Cloud VM Sets," for example, "VMs running in AWS" or "VMs running in Datacenter UK."
Can create certificates for VMs, and specify how long keys will be delivered for.
Can specify key expiration dates.
Can revoke access to individual encrypted disks/filesystems, or the whole VM. When access to disks is revoked, filesystems are forcibly unmounted, thus removing access to clear-text data.
Can create encryption keys to securely move encrypted data between specified VMs.
Can view audit records based on his or her group actions.

Key Management Capabilities

Managing encryption keys can be painful and makes encryption difficult to deploy and manage for many organizations. HyTrust KeyControl provides strong encryption technology without the need for users to be experts on key management. Wherever possible, the internals of key management are taken care of in the background.

Encryption Key Sizes and Algorithms

Ciphers must be specified when disks are encrypted, or keyIDs and FSIDs are created. Otherwise, AES-XTS-512 is the default cipher that is used by the Policy Agent.

For Policy Management encryption keys:

AES 128/256/512-bit encryption support (CBC and XTS cipher modes). Specifically:

Algorithm	Mode	Key size	Notes
AES-128	CBC	128-bit	Not available on Windows boot drives
AES-256	CBC	256-bit
AES-XTS-256	XTS	128-bit	Not available on Windows boot drives
AES-XTS-512	XTS	256-bit	Not available on Windows boot drives

Automatic detection and use of hardware crypto — AES-NI on Intel and AMD processors.
Set an expiration date for keys — one key per device is generated.
Secure encrypted communication between KeyControl clusters and Policy Agents.
Ability to cache keys in the VM (encrypted with a passphrase).
Ability to clone VMs and authenticate cloned VMs (for backup, restore, autoscaling and DR purposes).
Share encryption keys between VMs in the same Cloud VM Set, which allows these VMs to encrypt, securely transport, and decrypt data and disks.
On-line key rotation on Windows and off-line rekey on Linux.

For details on the processors that support AES-NI, please view this Wikipedia summary. For details on AES-NI, see this Intel site.

Checking For the Presence of AES-NI

To determine whether your particular computer supports AES-NI, open a command-line window and issue the following command on Windows:

Note: in the command-line interface, your input appears in bold monospaced type.

# hccmd aesni-check

Your system responds with an explicit statement:

AES-NI detected. or AES-NI not detected.

On Linux, issue the command:

# grep aes /proc/cpuinfo

If AES-NI is not available, nothing is returned. If it is available, an "aes" flag displays:

# grep aes /proc/cpuinfo
flags : ... ssse3 cx16 sse4_1 sse4_2 popcnt aes ... dts

Secure Authentication of New Nodes

Any new nodes (KeyControl node or VMs using DataControl) must be authenticated. As part of install, a passphrase is required on the new node, which must also be provided to a KeyControl node within the cluster. This one-time passphrase allows the nodes to establish a secure channel over which certificates are exchanged allowing for secure subsequent communications.

Secure Protocol Support Between Nodes

The HyTrust KeyControl Cluster provides secure communications among all nodes:

Secure REST-based protocol over HTTPS
Used for all KeyControl-KeyControl and KeyControl-DataControl interactions
All sensitive information (keys, policies) wrapped for additional security

VM In-Guest Encryption Using HyTrust DataControl Policy Agent

The HyTrust DataControl Policy Agent provides for encryption of disks, filesystems and files within a virtual machine.

There are a number of features provided in the Policy Agent including:

Full encrypted path from the VM, through the hypervisor to the storage.
Support for cloning and replication.
Dynamic rekey on Windows, allowing initial encryption or rekey without taking the VM or applications offline.
Filesystem resize for encrypted devices.
Encryption of files and support for Amazon S3 storage.
Linux file-level and folder-level encryption.
Migration of encrypted disks between VMs.
Support for Windows failover clusters.
Root and swap encryption.

Platforms Supported for Device Encryption

HyTrust has currently tested on the following Linux and Windows platforms for encryption of devices. We do not support 32-bit versions. Note that all Windows operating systems listed below are supported on AWS and Azure.

Platform	Data Encryption	Root/System Drive Encryption
CentOS 5.10-5.11	Yes	No
CentOS 6.2-6.8	Yes	Yes
CentOS 7.0-1406, 7-1503, 7-1511	Yes	Yes
RHEL 5.10-5.11	Yes	No
RHEL 6.2-6.8	Yes	Yes
RHEL 7.0-7.2	Yes	Yes
Ubuntu 12.04.05	Yes	Yes
Ubuntu 14.04	Yes	Yes
Ubuntu 15.04	Yes	Yes
Ubuntu 16.04	Yes	Yes
AWS Amazon Linux 2015 (PV and HVM)	Yes	Yes
Microsoft Windows 7	Yes	Yes (boot drive encryption)
Microsoft Windows 8, 8.1	Yes	Yes (boot drive encryption)
Microsoft Windows 10	Yes	Yes (boot drive encryption)
Microsoft Windows Server 2008 R2	Yes	Yes (boot drive encryption)
Microsoft Windows Server 2012	Yes	Yes (boot drive encryption)
Microsoft Windows Server 2012 R2	Yes	Yes (boot drive encryption)

If the version of Linux you are running is not listed above, please contact us at info@hytrust.com and provide us with information about the version of Linux and the problems seen.

Secure Data Migration

In VMs with the Policy Agent installed, we support the ability to share KeyIDs (encryption keys referenced by a symbolic name) between VMs within the same Cloud VM Set. This allows you to encrypt data and move it securely between these VMs. Only the VMs within the same Cloud VM Set as the KeyIDs are able to decrypt the data. Encryption is on a file-by-file basis, so movement of larger amounts of data can be achieved by zipping/tarring groups of files and then encrypting them.

These mechanisms can also be used to encrypt data and move it to cloud storage knowing that only you will be able to decrypt the data on return.

As an extension to the KeyID notion, we also provide interfaces for migrating encrypted data between VMs and through Amazon S3 storage.

Next Steps

Now you are ready to begin.

To review the user interface and start adding new users, go to Overview of the WebGUI User Interface.
To begin installing KeyControl nodes, go to Installing KeyControl Nodes.

Open topic with navigation