Configure the BeyondTrust Remote Support Appliance to use Data at Rest Encryption
With BeyondTrust Base 5.0, BeyondTrust administrators can enable data at rest encryption. This is block-level encryption using XTS-AES-128 and covers the following content:
- BeyondTrust configuration
- Text-based session audit history
- Session recordings
BeyondTrust's data at rest encryption uses KMIP for key management: the appliance asks the KMIP server to generate the encryption key for the initial encryption of your content, and it requests that same key from the KMIP server whenever it needs to decrypt the content again, for example after a reboot.
KMIP Server Information and Testing
To configure data at rest encryption for your Secure Remote Access Appliance, go to one of the following locations:
- For physical and virtual Secure Remote Access Appliances, go to /appliance > Storage > Encryption.
- For BeyondTrust Cloud, go to /login > Appliance > Storage > Encryption.
Then configure the details below.
KMIP Server Hostname and Port
- KMIP Server Hostname: The hostname of your key management solution.
- Port: The port used to connect to the KMIP Server.
BeyondTrust Cloud instances always use port 5696. For on-premises deployments the port is configurable and defaults to 5696.
The KMIP server must be reachable from your BeyondTrust Remote Support site over TCP at the configured hostname and port. For on-premises deployments the KMIP server can be on a local network or reachable across the internet; in either case, ensure your firewall allows outbound TCP connections from the Secure Remote Access Appliance to the KMIP port.
Server CA Certificate, Client TLS Certificate, Passphrase, Username, and Password
KMIP requires bi-directional authentication. The Secure Remote Access Appliance must trust the KMIP server from which it requests encryption keys, and the KMIP server must trust the Secure Remote Access Appliance as an authorized client before it stores and releases keys for it. To establish this trust, the following information is needed:
- Server CA Certificate: The root CA certificate that issued the KMIP server's certificate. The Secure Remote Access Appliance uses it to verify the identity of the KMIP server.
- Client TLS Certificate: The client TLS certificate, bound to the KMIP user account, that the Secure Remote Access Appliance presents so the KMIP server can verify the appliance's identity.
- Passphrase: The passphrase protecting the private key of the client TLS certificate, which the Secure Remote Access Appliance needs in order to open and use the certificate.
- Username / Password: The username and password of the KMIP user account used to authenticate the Secure Remote Access Appliance. This is the same user account that the client TLS certificate is bound to.
The Secure Remote Access Appliance authenticates the KMIP server through the root CA certificate uploaded to BeyondTrust /appliance. In the other direction, the KMIP server verifies the Secure Remote Access Appliance with two credentials: the username and password of the KMIP user account, and the client TLS certificate.
When the Save and Test Changes button is selected, the Secure Remote Access Appliance issues a KMIP command and waits for a response from the KMIP server, confirming that communication is possible. If the test succeeds, the Encrypt button becomes available in BeyondTrust /appliance. If it fails, the Encrypt button remains greyed out and unavailable, and you must recheck the KMIP details entered on /appliance to ensure the information is correct.
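The following script is an added example, not BeyondTrust code, that performs the same TCP-then-TLS check that Save and Test Changes performs, using only the Python standard library so it can be run from a host on the same network segment as the appliance before the details are entered on /appliance. The hostname, port and certificate file names are placeholders. A failure at the TCP stage points at the firewall rule; a certificate verification failure at the TLS stage points at the Server CA Certificate; any other handshake failure points at the client certificate, its passphrase, or the certificate-to-user mapping on the KMIP server. The script does not exercise the KMIP username and password, which the server checks inside the KMIP protocol after the TLS handshake has completed.

```python
import socket
import ssl

# Placeholders for illustration only: substitute your KMIP server and the certificate material you will upload.
KMIP_HOST, KMIP_PORT = "kmip.example.com", 5696  # 5696 is the KMIP default and the fixed port for Cloud instances

def kmip_tls_context(server_ca, client_cert, client_key, key_passphrase=None):
    """Client-side TLS policy matching what the appliance needs: verify the server against the Server CA
    Certificate, require the hostname to match, and present the client certificate (its private key is
    unlocked with the passphrase)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # implies CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=server_ca)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key, password=key_passphrase)
    return ctx

def probe_kmip(host, port, ctx=None, timeout=5.0):
    """Stage the connection the way Save and Test Changes does: TCP first, then the TLS handshake.
    Returns (stage, ok, detail) so a failure points at the layer to fix: firewall, CA, or client certificate."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp", False, "connect timed out: a firewall is probably dropping the KMIP port")
    except ConnectionRefusedError:
        return ("tcp", False, "connection refused: host reachable but nothing is listening on that port")
    except OSError as exc:  # DNS failure, no route to host, and similar
        return ("tcp", False, f"socket error: {exc}")
    if ctx is None:
        sock.close()
        return ("tcp", True, "TCP port open; no TLS context supplied, so the handshake was not attempted")
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return ("tls", True, f"{tls.version()} handshake with {subject.get('commonName', '?')}; mutual TLS accepted")
    except ssl.SSLCertVerificationError as exc:
        return ("tls", False, f"server certificate rejected, check the Server CA Certificate: {exc.verify_message}")
    except ssl.SSLError as exc:
        return ("tls", False, f"handshake failed, check the client certificate, its passphrase and the KMIP user mapping: {exc}")

def free_local_port():
    """A port on which nothing is listening, used to demonstrate the connection-refused path offline."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]

if __name__ == "__main__":
    context = kmip_tls_context("kmip-root-ca.pem", "appliance-client.pem", "appliance-client.key", "passphrase")
    print(probe_kmip(KMIP_HOST, KMIP_PORT, context))
```

Run it with the certificate files the appliance will be given; the three `except` branches in `probe_kmip` correspond to the three things you would recheck on the /appliance page. Note that `SSLCertVerificationError` must be caught before the general `SSLError`, since it is a subclass of it.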
The time needed to initially encrypt your BeyondTrust content depends on the amount of storage consumed by your Secure Remote Access Appliance. For new deployments of BeyondTrust Remote Support, it is recommended to configure data at rest encryption before putting the Secure Remote Access Appliance into production use. If your Secure Remote Access Appliance already holds 4 GB of data or more, please contact BeyondTrust Technical Support at beyondtrust.com/docs/index.htm#support.
The Encryption Process
Once the KMIP server is configured successfully, you can click the Encrypt button. The Secure Remote Access Appliance contacts the KMIP server and issues a command to create an encryption key, which is stored on the KMIP server under an associated secret ID. The encryption key and its ID are then provided to the Secure Remote Access Appliance for the initial encryption of the data: the appliance backs up the session data, encrypts the storage, and restores the backup into the now encrypted storage.
During encryption, the Secure Remote Access Appliance holds the secret (the encryption key) only temporarily in memory.
What the Secure Remote Access Appliance writes to its unencrypted storage is the secret's associated ID, not the secret itself. When the Secure Remote Access Appliance is rebooted, it sends that ID to the KMIP server and requests the secret associated with it. This allows the Secure Remote Access Appliance to decrypt your data and bring your BeyondTrust site back up, which also means the KMIP server must be reachable whenever the appliance boots.
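The exchange described above, written out as an added example that is not BeyondTrust's implementation: a minimal KMIP TTLV encoder and decoder, a Create request for the 256-bit key that XTS-AES-128 consumes (two independent AES-128 keys), a Get request by Unique Identifier, and an in-memory stand-in for the KMIP server. The tag, type and enumeration values are the KMIP 1.x constants from the OASIS specification; everything else (ToyKmipServer, the key-1 identifier format, the unlock and lifecycle functions) is constructed for this example. The lifecycle function models what the two paragraphs describe: only the identifier is persisted, the key exists only in memory, and after a reboot with the KMIP server unreachable the appliance cannot recover the key.

```python
import os
import struct
# KMIP 1.x TTLV tags, item types and enumerations from the OASIS KMIP specification (only the subset used here).
TAG = {"ReqMsg": 0x420078, "ReqHdr": 0x420077, "ProtoVer": 0x420069, "Major": 0x42006A, "Minor": 0x42006B,
       "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C, "ReqPayload": 0x420079,
       "ObjectType": 0x420057, "TemplateAttr": 0x420091, "Attribute": 0x420008, "AttrName": 0x42000A,
       "AttrValue": 0x42000B, "UniqueId": 0x420094, "RespMsg": 0x42007B, "RespPayload": 0x42007C,
       "ResultStatus": 0x42007F, "SymmetricKey": 0x42008F, "KeyBlock": 0x420040, "KeyFormatType": 0x420042,
       "KeyValue": 0x420045, "KeyMaterial": 0x420043}
STRUCTURE, INTEGER, ENUMERATION, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08  # TTLV item types
OP_CREATE, OP_GET, OBJ_SYMMETRIC_KEY, ALG_AES, FMT_RAW, SUCCESS = 0x01, 0x0A, 0x02, 0x03, 0x01, 0x00
PACK = {STRUCTURE: b"".join, INTEGER: lambda v: struct.pack(">i", v), ENUMERATION: lambda v: struct.pack(">I", v),
        TEXT: lambda v: v.encode("utf-8"), BYTES: bytes}
UNPACK = {STRUCTURE: lambda r: parse(r), INTEGER: lambda r: struct.unpack(">i", r)[0],
          ENUMERATION: lambda r: struct.unpack(">I", r)[0], TEXT: lambda r: r.decode("utf-8"), BYTES: bytes}

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value zero-padded to a multiple of 8."""
    body = PACK[typ](value)
    return tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + body + b"\0" * (-len(body) % 8)

def parse(buf):
    """Decode TTLV bytes into a list of (tag, type, value); Structure values are nested lists."""
    items, pos = [], 0
    while pos < len(buf):
        tag, typ, length = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3], struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        items.append((tag, typ, UNPACK[typ](buf[pos + 8:pos + 8 + length])))
        pos += 8 + length + (-length % 8)  # step over the value and its padding
    return items

def find(items, tag, name=None):
    """Depth-first: the first value carrying `tag`, or, given `name`, the Attribute Value of the Attribute so named."""
    for t, typ, v in items:
        if name is None and t == tag:
            return v
        if typ == STRUCTURE:
            if name and t == TAG["Attribute"] and find(v, TAG["AttrName"]) == name:
                return find(v, TAG["AttrValue"])
            hit = find(v, tag, name)
            if hit is not None:
                return hit

def request(op, payload):
    """One-item KMIP 1.2 request: a header (protocol version, batch count) followed by the batch item."""
    header = ttlv(TAG["ReqHdr"], STRUCTURE, [ttlv(TAG["ProtoVer"], STRUCTURE, [ttlv(TAG["Major"], INTEGER, 1),
                  ttlv(TAG["Minor"], INTEGER, 2)]), ttlv(TAG["BatchCount"], INTEGER, 1)])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [ttlv(TAG["Operation"], ENUMERATION, op), ttlv(TAG["ReqPayload"], STRUCTURE, payload)])
    return ttlv(TAG["ReqMsg"], STRUCTURE, [header, item])

def create_request(bits=256):
    """Create request for an AES key; XTS-AES-128 consumes a 256-bit key (two independent AES-128 keys)."""
    attrs = [("Cryptographic Algorithm", ENUMERATION, ALG_AES), ("Cryptographic Length", INTEGER, bits),
             ("Cryptographic Usage Mask", INTEGER, 0x04 | 0x08)]  # usage mask: Encrypt | Decrypt
    template = ttlv(TAG["TemplateAttr"], STRUCTURE, [ttlv(TAG["Attribute"], STRUCTURE, [
        ttlv(TAG["AttrName"], TEXT, n), ttlv(TAG["AttrValue"], t, v)]) for n, t, v in attrs])
    return request(OP_CREATE, [ttlv(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY), template])

class ToyKmipServer:
    """In-memory stand-in for the KMIP server (Create and Get only); `online` models network reachability."""
    def __init__(self):
        self.keys, self.online = {}, True

    def handle(self, raw):
        if not self.online:
            raise ConnectionError("KMIP server unreachable")
        msg = parse(raw)
        op, uid = find(msg, TAG["Operation"]), find(msg, TAG["UniqueId"])
        if op == OP_CREATE:  # generate and store the key; only its identifier goes back on the wire
            uid = f"key-{len(self.keys) + 1}"
            self.keys[uid] = os.urandom(find(msg, None, "Cryptographic Length") // 8)
            obj = []
        elif op == OP_GET and uid in self.keys:  # release the material for a known identifier
            obj = [ttlv(TAG["SymmetricKey"], STRUCTURE, [ttlv(TAG["KeyBlock"], STRUCTURE, [
                ttlv(TAG["KeyFormatType"], ENUMERATION, FMT_RAW),
                ttlv(TAG["KeyValue"], STRUCTURE, [ttlv(TAG["KeyMaterial"], BYTES, self.keys[uid])])])])]
        else:
            raise ValueError(f"unsupported operation {op} or unknown identifier {uid}")
        payload = [ttlv(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY), ttlv(TAG["UniqueId"], TEXT, uid)] + obj
        return ttlv(TAG["RespMsg"], STRUCTURE, [ttlv(TAG["BatchItem"], STRUCTURE, [
            ttlv(TAG["ResultStatus"], ENUMERATION, SUCCESS), ttlv(TAG["RespPayload"], STRUCTURE, payload)])])

def unlock(server, uid):
    """What the appliance does at boot: present the stored identifier and receive the key; None if KMIP is down."""
    try:
        return find(parse(server.handle(request(OP_GET, [ttlv(TAG["UniqueId"], TEXT, uid)]))), TAG["KeyMaterial"])
    except ConnectionError:
        return None  # the data stays encrypted and the site stays down until the KMIP server answers again

def lifecycle():
    """Initial encryption, then a reboot first with the KMIP server unreachable and then with it back."""
    server = ToyKmipServer()
    stored_uid = find(parse(server.handle(create_request())), TAG["UniqueId"])  # written to the unencrypted area
    key_in_ram = unlock(server, stored_uid)  # held only in memory, never written to disk
    server.online = False  # reboot: memory is gone, only stored_uid remains, and the KMIP server is unreachable
    key_while_down = unlock(server, stored_uid)
    server.online = True
    return {"uid": stored_uid, "key_bytes": len(key_in_ram), "key_while_kmip_down": key_while_down,
            "same_key_after_reboot": unlock(server, stored_uid) == key_in_ram}
```

Calling `lifecycle()` returns a dict showing that the identifier alone recovers nothing while the server is down and that the same key comes back once it is reachable again. The TTLV encoding follows the specification's own worked examples: an Integer of 8 tagged 0x420020 encodes as `42002002 00000004 00000008 00000000`, with the 4-byte value padded to 8.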
For more information on how to configure data at rest encryption, please see Encryption: Configure KMIP Server and Encrypt Session Data.