Network Traffic and File Encryption
EPM-UL can encrypt network traffic, event logs, I/O logs, policy files, and its own settings file. The following table lists the available encryption algorithms. If you are using SSL, then it supersedes the network traffic encryption algorithms after the start-up protocol is complete.
Encryption Algorithms
| Settings String | Block Size (bytes) | Key Size (bytes) | Comments |
|---|---|---|---|
| 3des | 8 | 24 | Old style Triple DES. This algorithm is deprecated in favor of the new style Triple DES and will be removed in a future release. |
|
aes-16-16 (or aes-128) |
16 | 16 | AES |
|
aes-16-24 (or aes-192) |
16 | 24 | " " |
|
aes-16-32 (or aes-256) |
16 | 32 |
" " |
| aes-24-16 | 24 | 16 | " " |
| aes-24-24 | 24 | 24 |
" " |
| aes-24-32 | 24 | 32 | " " |
| aes-32-16 | 32 | 16 | " " |
| aes-32-24 | 32 | 24 | " " |
| aes-32-32 | 32 | 32 |
" " |
| blowfish | 8 | 56 | Blowfish |
| cast128 | 8 | 16 | Cast-128 |
| des | 8 | 8 | DES |
| gost | 8 | 32 | Gost |
| loki97 | 16 | 32 | Loki97 |
| none | 0 | 0 | No encryption. |
| old | stream | 1024 |
A proprietary algorithm, maintained for backward compatibility only. This algorithm is deprecated and will be removed in a future release. |
| saferplus-16 | 16 | 16 | SaferPlus |
| saferplus-24 | 16 | 24 | " " |
| saferplus-32 | 16 | 32 | " " |
| serpent-16 | 16 | 16 | Serpent |
| serpent-24 | 16 | 24 | " " |
| serpent-32 | 16 | 32 | " " |
| threeway | 12 | 12 | Threeway |
| tiny | 8 | 16 | Tiny |
| tripledes | 8 | 16 | New style Triple DES |
| twofish-16 | 16 | 16 | Twofish |
| twofish-24 | 16 | 24 | " " |
| twofish-32 | 16 | 32 | " " |
Enhanced Encryption
To enable compliance with US government regulations, and specifically FIPS 140-2, encryption has been updated. Many of the older less secure encryption algorithms have been deprecated, and when high security is enforced, they are disabled completely.
When new clients are installed, enforcehighsecurity and ssl are both enabled in pb.settings. This switches EPM-UL into FIPS 140-2 mode. All encryption algorithms are FIPS 140-2 compliant, and it does not communicate, encrypt, or decrypt any data that isn't encrypted in AES-128, AES-192, AES-256 or TripleDes (3DES).
If a customer is installing version 9 of EPM-UL from scratch, high security mode is recommended.
For existing customers who are upgrading their enterprise to version 9, the upgrade script automatically adds the AES-256 encryption algorithm onto the I/O log and event log encryption configuration, leaving the existing encryption algorithms at the end of the configuration. This ensures that new I/O logs and event logs are encrypted using modern secure algorithms, but allows existing I/O logs and event logs that are encrypted in less secure algorithms to be decrypted and retrieved. Although existing network encryption can continue to use deprecated encryption algorithms, because the data is transient, more permanent data such as I/O logs and event logs can only be encrypted in FIPS 140-2 compatible algorithms.
To accomplish this task, you can use the new Client Registration feature to copy new pb.settings configuration, keys and certificates, or you can configure each installation by hand and copy the files manually.
Use Client Registration
- Follow the upgrade guide to update the primary policy server to the latest version.
- Create a new-style encryption key to be used across the enterprise:
pbkey -F /etc/pbfips.key
- Create a suitable client pb.settings file, for example /etc/pb-client.settings, and configure the new encryption settings.
enforcehighsecurity yes ssl yes ssloptions requiressl sslfirst sslverbose sslservercertfile /etc/pbmasterhost.crt sslserverkeyfile /etc/pbmasterhost.pem networkencryption aes-256:keyfile=/etc/pbfips.key iologencryption aes-256:keyfile=/etc/pbfips.key eventlogencryption aes-256:keyfile=/etc/pbfips.key submitmasters pbmasterhost.org.com logservers pbloghost.org.com
- Follow the Client Registration guide to enable the service and configure an appropriate client profile.
pbdbutil --reg -n
pbdbutil --reg -u '{"name":"client-prof","data":
[{"type":"settings","fname":"/etc/pb-client.settings"},
{"type":"certificate","to":"/etc/${prefix}pbrest.pem${suffix}"},
{"type":"save","sname":"networkencryption"},
{"type":"save","sname":"iologencryption"},
{"type":"save","sname":"eventlogencryption"},
{"type":"save","sname":"restkeyencryption"},
{"type":"save","sname":"sslservercertfile"},
{"type":"save","sname":"sslserverkeyfile"}]}'- Create similar profiles for your secondary policy servers, log servers, etc.
- Create a REST application ID and Key to authenticate your Client Registration requests.
pbdbutil --rest -g clientreg
{"appkey":"cbbc1aab-6f2b-40d0-b611-060bff0aaafa"}- Now follow the upgrade guide to upgrade each client and server, using Client Registration when prompted. Run the normal pbinstall on the client and when asked whether to use Client Registration, answer yes, and provide responses to the Client Registration configuration questions.
Do you wish to utilize Client Registration? [yes]? Enter the Application ID generated on the Primary License Server: clientreg Enter the Application Key generated on the Primary License Server: cbbc1aab- 6f2b-40d0-b611-060bff0aaafa Enter the Primary License Server address/domain name for registering clients: pbmasterhost.org.com Enter the Primary License Server REST TCP/IP port [24351]: 24351 Enter the Registration Client Profile name [default]: client-prof
Using the profile appropriate to the installation type. All the necessary pb.settings, keys, and certificates are automatically copied to the upgrade installation, making upgrade simple.
Alternatively, these Client Registrations options can be specified on the pbinstall command line for automation.
pbinstall -A clientreg -K cbbc1aab-6f2b-40d0-b611-060bff0aaafa -D pbmasterhost.org.com -N client-prof
Without Using Client Registration
- Follow the upgrade guide to update the primary policy server to the latest version.
- Create a new-style encryption key to be used across the enterprise:
pbkey -F /etc/pbfips.key
- For each upgrade you need to copy the new key, the primary policy manger certificate and the primary policy server key to each host.
- During upgrade you need to change settings to enable high security mode:
Enforce High Security Encryption? yes Use SSL? yes SSL Configuration? requiresslsslfirst sslverbose SSLServer Certificate File? <path to Primary Policy Server certificate file> SSL Server Private Key File? <path to Primary Policy Server key file> PowerBroker network encryption options aes-256:keyfile=/etc/pbfips.key PowerBroker event log encryption options aes-256:keyfile=/etc/pbfips.key PowerBroker I/O log encryption options aes-256:keyfile=/etc/pbfips.key
To configure a dedicated host to read older I/O logs and event logs encrypted with deprecated encryption algorithms, the following configuration is required to ensure that it can communicate with the new FIPS 140-2 compliant installations, but allowing it to read the older logs. Follow the above installation procedures, but change the pb.setting configuration:
enforcehighsecurity no ssl yes ssloptions requiressl sslfirst sslverbose sslservercertfile /etc/pbmasterhost.crt sslserverkeyfile /etc/pbmasterhost.pem networkencryption aes-256:keyfile=/etc/pbfips.key iologencryption aes-256:keyfile=/etc/pbfips.key des:keyfile=/etc/oldpb.key eventlogencryption aes-256:keyfile=/etc/pbfips.key des:keyfile=/etc/oldpb.key
High security mode is not enabled, allowing the installation to read deprecated logs. SSL is enabled, with the correct configuration to allow the installation to communicate with the policy servers. The iolog and event log encryption must have FIPS 140-2 compatible algorithm specified if new logs are to written. However this can be left out if the sole purpose of the installation is to read older logs. Appended to the end of the iolog and event log encryption configuration are the details of the customers' existing encryption used when the logs were encrypted. EPM-UL selects the relevant algorithm when the logs are replayed.
