Encryption: Configure KMIP Server and Encrypt Session Data

Storage :: Encryption

The Encryption section allows you to encrypt session data stored on your BeyondTrust Appliance. To use the data at rest encryption feature, a Key Management Interoperability Protocol (KMIP) server must be available within your environment to hold the encryption keys needed to encrypt and decrypt the disks on your BeyondTrust Appliance. The initial encryption pass is limited to 4GB or less of data; once that first pass has completed, the 4GB limit no longer applies.

If you have more than 4GB of data to initially encrypt, please contact BeyondTrust Technical Support at beyondtrust.com/docs/index.htm#support.


In the Storage :: KMIP Server section, enter the hostname of your external KMIP server and the port through which the server must be accessed. Upload the valid, CA-signed certificate that the KMIP server presents to prove its identity to the BeyondTrust Appliance, and the client certificate private key that the appliance uses to authenticate itself to the KMIP server.

Enter a passphrase, username, and password to assist with authentication to the KMIP server. Click Save and Test Changes to save and verify the connection between the BeyondTrust Appliance and the KMIP server.
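Before uploading the certificate material from the Storage :: KMIP Server section, it is worth confirming offline that the client certificate actually chains to the CA certificate, that the private key belongs to that certificate, and that the passphrase unlocks the key; each of these mismatches otherwise shows up only as a failed Save and Test Changes. The script below is an added example and not part of the BeyondTrust appliance or its documentation: `check_kmip_material` performs those three checks with the `openssl` command line tool, `probe_kmip_tls` opens a mutually authenticated TLS session to a KMIP port to check the server side (it needs network access, so it is not exercised by the fixtures), and `make_demo_material` builds a throwaway CA, client certificate, passphrase-protected key and unrelated key in a temporary directory purely so the checks can be demonstrated. All file names, subjects and the passphrase `demo-pass` are constructed for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for KMIP client material.
# Not BeyondTrust tooling; file names, subjects and passphrases are constructed.
set -e

# check_kmip_material CA_CERT CLIENT_CERT CLIENT_KEY [KEY_PASSPHRASE]
# Succeeds only when (1) CLIENT_CERT chains to CA_CERT and (2) CLIENT_KEY is
# the private key for CLIENT_CERT (optionally unlocked with KEY_PASSPHRASE).
check_kmip_material() {
    ca="$1"; cert="$2"; key="$3"; pass="${4:-}"
    # (1) chain check against the CA the KMIP server's cert is signed by
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # (2) the public key in the cert must equal the one derived from the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout \
                  2>/dev/null </dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# probe_kmip_tls HOST PORT CA_CERT CLIENT_CERT CLIENT_KEY
# Mutually authenticated TLS handshake against the KMIP port (5696 is the
# IANA-registered KMIP port; use the port your server is configured for).
# Prints the verification result; "Verify return code: 0 (ok)" means the
# server cert chains to CA_CERT and the server accepted our client cert.
probe_kmip_tls() {
    host="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ca" -cert "$cert" -key "$key" -verify_return_error \
        </dev/null 2>&1 | grep -E '^Verify return code|^verify error' || true
}

# make_demo_material: constructed fixtures in a temp dir, so the checks above
# can be exercised without real appliance material. Prints the directory.
make_demo_material() {
    dir=$(mktemp -d)
    # minimal config so the demo CA carries CA:TRUE regardless of system openssl.cnf
    cat >"$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # demo CA (self-signed)
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo KMIP CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # client key + CSR for the appliance, signed by the demo CA
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-appliance" -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" >/dev/null 2>&1
    # passphrase-protected copy of the client key (passphrase "demo-pass")
    openssl pkey -in "$dir/client.key" -aes256 -passout pass:demo-pass \
        -out "$dir/client.enc.key" >/dev/null 2>&1
    # an unrelated key, to show the mismatch case
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}
```

Run `check_kmip_material ca.crt client.crt client.key 'your-passphrase'` on the files you intend to upload; a non-zero exit means the appliance would fail the same check during Save and Test Changes. The chain check deliberately uses only the CA file you plan to upload, not the system trust store, because that is all the appliance will have.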

If a connection is established between the KMIP server and the appliance, the Encrypt button becomes available in the Storage :: Encryption section. If the KMIP server is not configured appropriately or if the data has not been previously encrypted, the Encrypt option is not available and instead reads as Not Encrypted.

When the Encrypt button is clicked, the appliance starts the process of backing up the session data and generating an encryption key to store on the KMIP server. Once the encryption key is stored, the data is encrypted and the backup taken at the start of the process is restored.