
CipherTrust Manager Professional Certification Course

HANDS-ON: TRANSPARENT ENCRYPTION (CTE) - LINUX

CPL Technical Training


Revision History

Revision B, 9 February 2023: Updated Content

Trademarks, Copyrights, and Third-Party Software


Copyright © 2023 Thales Group. All rights reserved. Thales and the Thales logo are trademarks and
service marks of Thales and/or its subsidiaries and affiliates and are registered in certain countries. All
other trademarks and service marks, whether registered or not in specific countries, are the properties
of their respective owners.
CPL Technical Training Documentation
The information contained in this document is intended solely for your personal reference and for
learning purposes and is provided AS IS and with no warranties. Such information is subject to
change without notice, its accuracy is not guaranteed, and it may not contain all material/information
concerning Thales (the ‘Company’). The Company makes no representation regarding, and assumes
no responsibility or liability for, the accuracy or completeness of, or any errors or omissions in, any
information contained herein. The Company may update or supplement the information at any time.
In addition, the information contains projections and forward-looking statements that may reflect the
Company’s current views with respect to future events. These views are based on current
assumptions which are subject to various risks and which may change over time.
Disclaimer
All information herein is either public information or is the property of and owned solely by Thales DIS
France S.A. and/or its subsidiaries or affiliates who shall have and keep the sole right to file patent
applications or any other kind of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or
otherwise, under any intellectual and/or industrial property rights of or concerning any of Thales DIS
France S.A. and any of its subsidiaries and affiliates (collectively referred to herein after as “Thales”)
information.
This document to be solely used for informational, non-commercial, internal and personal use only
provided that: (a) The copyright notice below, the confidentiality and proprietary legend and this full
warning notice appear in all copies; (b) document shall not be posted on any network computer or
broadcast in any media and no modification of any part of this document shall be made; and (c) is not
relied upon for any other reason other than use described above. Use for any other purpose is
expressly prohibited and may result in severe civil and criminal liabilities.
Thales hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Thales be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with
the use or performance of information contained in this document.

CPL Technical Training Documentation


CipherTrust Manager Professional Certification Course - Hands-On: Transparent Encryption (CTE) - Linux Rev. B 2
Copyright © 2023 Thales Group. All rights reserved.
Contents

Part 1: Overview
    Prerequisites
    Duration
    Objectives

Part 2: Installing & Configuring CTE Client on Linux
    Section 1: Logging into the Domain
    Section 2: Creating a Registration Token
    Section 3: Installing the CTE Client
    Section 4: Verifying the Creation of Linux Client

Part 3: Creating CTE Policies & Encrypting Data
    Section 1: Creating CTE Policies
    Section 2: Creating a Deny Policy
    Section 3: Creating a GuardPoint
    Section 4: Testing the Configuration

Part 4: Troubleshooting CTE
    Section 1: Inspecting the Logs

Part 1: Overview

Prerequisites
For this exercise, you will need:
- Access to the training portals

Duration
This training course will take approximately 2 hours.

Objectives
In this exercise, you will:
- Install and configure the CTE Client for Linux
- Configure CipherTrust to encrypt a directory in Linux

By the end of this exercise, you should be able to:
- Install and configure the CTE Linux client

Part 2: Installing & Configuring CTE Client on Linux

In part two, you will use the same domain that was created in the following hands-on document:
CipherTrust - Hands-On CTE - Windows.docx

Domain Name: Test Domain
User: domainadmin
Password: Thales123!

Section 1: Logging into the Domain


1. Log in to the CM Web UI with the following credentials:
   User: domainadmin
   Password: Thales123!

2. In the right corner, select user domainadmin > Switch Domain > Test Domain.


Section 2: Creating a Registration Token


In this section, you will install and configure the CTE Client so that it will be part of the Domain that was created. The client's Domain is determined by the registration token created in that domain. If the CTE Client needs to be installed without the Domain, you can use a registration token from the main console.

1. Navigate to Keys & Access Management and then click on Registration Tokens on the left panel.

2. Click New Registration Token and follow the interactive prompts.


3. Click Begin.


4. Enter a name under the Name Prefix tab and click Next.

5. Select the default CA and click Create Token.

6. Click Done.
7. Select the ASCII option, click Copy on the created token, paste it into Notepad and save the file to the Desktop.


Section 3: Installing the CTE Client


The registration process starts automatically after the agent has been installed. If for whatever reason the
registration fails, it is not necessary to reinstall the agent. The registration can be attempted via a separate
registration utility in the /opt/vormetric/DataSecurityExpert/agent/vmd/bin/ directory.

1. From the training platform, log in to the Linux CentOS 7 virtual machine with the following:
   User: root
   Password: Thales123!

2. Open the Terminal application by clicking Application > System Tools > Terminal.


The CTE Client installation file is located in /root/CTE client/vee-fs-7.x.x-xx-rh7-x86_64.bin.
3. From the Terminal, open the installation directory (the directory name contains a space, so quote it): cd "/root/CTE client"
4. Change the permissions of the CTE CM Agent by typing the following in the Terminal:
chmod 777 vee-fs-7.x.x-xx-rh7-x86_64.bin

5. Install the CM CTE Agent.


./vee-fs-7.x.x-xx-rh7-x86_64.bin
6. Press the space bar multiple times to skip to the License Agreement (or enter q to go immediately to
the license agreement page).
7. When prompted to accept the License, type y and press Enter.

8. When the message: Do you want to continue with agent registration? appears, type y and press
Enter.

9. When the message: Please enter the primary key manager host name appears, type CipherTrust and
press Enter.

10. When the message: Is this host name correct? appears, type y and press Enter.


11. When the message: Please enter the host name of this machine, or select from the following list
appears, select number 2 (IP 10.160.10.20) and then press Enter.

12. Paste the token that was created in Section 2 above and press Enter.

13. In the profile name, press Enter.

14. In the host group name, press Enter.

15. In the description, press Enter.

16. Approve the above settings - type y and then press Enter.

17. When asked if it is possible to associate this installation with the hardware of this machine, type N and
press Enter.

18. Enable LDT support - type y and press Enter.

19. When the message Please enter the LDT Communication Group name appears, press Enter.


20. For the support for Cloud Object Store option, type n and press Enter.

The message Installation success appears.
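Before running the installer by hand (steps 4 and 5), a practitioner would check the file's integrity and give it only the execute bit it needs; the world-writable mode 777 in step 4 is more than the installer requires. The script below is an added example written for this page, not part of the Thales lab or of the CTE product. It assumes the installer path the lab uses, the vmd.service unit and the vmd/bin directory named later in this guide, and an expected SHA-256 digest that you obtain from the vendor download page (the value here is a placeholder); INSTALLER and EXPECTED_SHA256 are environment variables this script alone defines.

```shell
#!/bin/sh
# Added example: pre-install integrity check and post-install sanity check for the
# CTE Linux agent. Not from the Thales lab guide; paths and service name are the
# ones the lab text uses, the digest is a placeholder you replace.

INSTALLER="${INSTALLER:-/root/CTE client/vee-fs-7.x.x-xx-rh7-x86_64.bin}"
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-from-vendor-download-page>}"
VMD_BIN="${VMD_BIN:-/opt/vormetric/DataSecurityExpert/agent/vmd/bin}"

# sha256_of <file>: print the lowercase hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_installer <file> <expected-sha256>
# Returns 0 only if the file exists and its digest matches; 1 otherwise.
verify_installer() {
    [ -f "$1" ] || { echo "missing installer: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "installer digest OK"
        return 0
    fi
    echo "installer digest MISMATCH (got $actual)" >&2
    return 1
}

# make_executable <file>: owner-execute is all the installer needs, so prefer
# u+x over the world-writable 777 used in the lab steps.
make_executable() {
    chmod u+x "$1" && [ -x "$1" ]
}

# agent_installed <bin-dir>: 0 if the agent tool directory exists and the
# vmd.service unit (named in the troubleshooting section) is active.
agent_installed() {
    [ -d "$1" ] || return 1
    systemctl is-active --quiet vmd.service
}

main() {
    verify_installer "$INSTALLER" "$EXPECTED_SHA256" || exit 1
    make_executable "$INSTALLER" || exit 1
    # The installer is interactive; run it by hand as in steps 5 to 20:
    #   "$INSTALLER"
    # then confirm the outcome:
    if agent_installed "$VMD_BIN"; then
        echo "CTE agent installed and vmd.service active"
    else
        echo "CTE agent not detected; run the installer first" >&2
    fi
}

# Run the checks only when invoked as "sh cte_preinstall_check.sh run", so the
# functions can also be sourced into another script.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root on the CentOS lab machine with EXPECTED_SHA256 exported; a digest mismatch stops before the installer is ever made executable, which is the check you want in front of any vendor binary that will load a kernel module.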

Section 4: Verifying the Creation of Linux Client


1. Log in to Windows Server.
2. Log in to the CM Web UI:
   User: domainadmin
   Password: Thales123!

3. Click the CTE application, and on the left pane, click Clients.
4. Verify that the Linux client is created.

Part 3: Creating CTE Policies & Encrypting Data

The policy below performs the following:
- Rule 1: Allows the user 'training' to encrypt/decrypt files in the Test folder
- Rule 2: Prohibits access to the Test folder

Section 1: Creating CTE Policies


1. Log in to the CM Web UI.
2. Click the Transparent Encryption application.

3. On the left pane, click Policies and then click .


The Create Policy window opens.

4. Enter the following:

   Name: Policy name (linux_cte_policy)
   Policy Type: Standard


5. Click Next.

Note:
Data Transformation: add data transformation rules to specify the resources to be protected and the encryption keys to be used for rekeying. When Data Transformation is selected, the encryption is performed manually with the dataxform tool, which encrypts/decrypts the data.

6. Click .

7. Under Action, click .


8. In the Select Action(s) window, select the all_ops check box, and then click .

9. Under Effect, click .


10. In the Select Effect window, verify that the Permit and ApplyKey options are selected, and then click Select.

11. Under the User Set option, click Select.

12. Click .
13. In the Name field, type a name for the user set: linux_set_allow.

14. Click Next.


15. Select the Agents option and click Select.

16. Select the Linux Client and then click Select.

17. Click Select; a list of users from Active Directory Users and Computers is presented. Select the user training, and then click Next.

18. Click Save.

19. Select the User Set that was just created and click Select.


20. Under the Resource Set click Select.


21. Click Save.
The Edit Security Rule window opens.

22. Click Next.

23. Click . Under Resource Set, do not change the default settings.
24. Under Key Name click Select.

25. Click .
26. Enter a key name: type linux_cte_policy.
27. Click Create.


28. Select the linux_cte_policy key.

29. Click Select.


The Create Key Rule window opens.

30. Click Add.


31. Click Next and Save.


Section 2: Creating a Deny Policy


1. Click the Transparent Encryption application.
2. On the left pane, click Policies and then click Create Policy.
The Create Policy window opens.
3. Enter a policy name, and under Policy Type, select Standard and then click Next.
4. Click Create Security Rule.
5. Under the Effect option, click Select (select only the Deny and Audit options).
6. Click Select and then click Add.
7. Click Next > Next and then Save.

Note: The Deny policy is the last policy. The reason is that if a resource is accessed and the user who tries to gain access is not permitted, the deny rule blocks the access.


Section 3: Creating a GuardPoint


1. Log in to the CM Web UI.
2. Click the CTE application.
3. On the left pane, click Clients and then click on the Linux Client name.

4. Click Create GuardPoint.


5. Under Policy, click Select.

6. Select the previously created linux_cte_policy radio button, and then click Select.

7. Under Type, leave the default option Auto Directory.


8. Under Path, type /home/training/ and click Refresh.


9. Select Test directory, and then click Add.

The Create GuardPoint window opens.

10. Click Create.


An additional window opens.
11. Click No so as not to create an additional GuardPoint.


Section 4: Testing the Configuration


In this section, you will verify that only the users defined in the CM policy can perform operations in the encrypted directory.
1. On Windows Server, open the PuTTY application (located in the Training folder on the desktop).
2. Under Host Name (or IP address), type the Linux IP (10.160.10.20), and then click Open.
A PuTTY terminal window opens.
3. At the login as prompt, type root, press Enter, then type the password Thales123! and press Enter again.
4. Type: cd /home/training/Test/
Press Enter (you will be taken to the Test directory).
5. Press Enter.
6. Type ls -la and press Enter; the message Permission denied appears.
7. Try to create a text file by typing: cat > sample.txt
8. Press Enter; access is denied.
9. Open the PuTTY application again.
10. Under Host Name (or IP address), type the Linux IP (10.160.10.20), and click Open.
11. At the login as prompt, type training, press Enter, then type the password Thales123! and press Enter again.
12. Type: cd /home/training/Test/
Press Enter (you will be taken to the Test directory).
13. Press Enter.
14. Type ls -la and press Enter (you will be granted permission to browse the directory).
15. Try to create a text file by typing: cat > sample.txt
16. Type any text and press Ctrl+D to save the file.


17. Type ls -la and press Enter again (you will see that the file has been created).

Note: When a GuardPoint is created, no user gains access to the resource by default. A User Set needs to be created in order to allow access to users.
If files exist in the directory before the encryption process, those files will not be encrypted. In order to encrypt existing files with CTE, the dataxform command needs to be run.
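The manual checks in steps 1 to 17 (root denied, training allowed, file created) are the kind of thing worth re-running after every policy change, so here they are as a small script. This is an added example for this page, not part of the Thales lab or the CTE product; it assumes the lab's GuardPoint path /home/training/Test, the user training as the only permitted user, root as a user the policy denies, and that it is run as root so that su(1) can switch to the test user without a password. GUARD and ALLOWED_USER are environment variables this script alone defines.

```shell
#!/bin/sh
# Added example: automated version of the Section 4 access checks against a CTE
# GuardPoint. Not from the Thales lab guide; path and user names are the lab's.

GUARD="${GUARD:-/home/training/Test}"
ALLOWED_USER="${ALLOWED_USER:-training}"

# run_as <user> <command>: run a shell command as <user> and print "allowed" when
# it exits 0, "denied" otherwise. CTE evaluates the policy against the process
# owner, so switching users with su is enough to exercise the user set. When
# <user> is the current user the command runs directly (no privilege switch).
run_as() {
    if [ "$1" = "$(id -un)" ]; then
        sh -c "$2" >/dev/null 2>&1 && echo allowed || echo denied
    else
        su -s /bin/sh "$1" -c "$2" >/dev/null 2>&1 && echo allowed || echo denied
    fi
}

# check <label> <expected> <actual>: print PASS/FAIL; return 0 only on a match.
check() {
    if [ "$2" = "$3" ]; then
        echo "PASS: $1 ($3)"
        return 0
    fi
    echo "FAIL: $1 (expected $2, got $3)" >&2
    return 1
}

# guardpoint_tests: the probes from steps 6 to 17. Returns the number of failures,
# so a non-zero exit means the policy does not behave as the lab describes.
guardpoint_tests() {
    fails=0
    check "root lists $GUARD" denied \
        "$(run_as root "ls -la '$GUARD'")" || fails=$((fails + 1))
    check "root creates a file in $GUARD" denied \
        "$(run_as root "printf x > '$GUARD/root_probe.txt'")" || fails=$((fails + 1))
    check "$ALLOWED_USER lists $GUARD" allowed \
        "$(run_as "$ALLOWED_USER" "ls -la '$GUARD'")" || fails=$((fails + 1))
    check "$ALLOWED_USER creates and sees sample.txt" allowed \
        "$(run_as "$ALLOWED_USER" "printf 'sample text\n' > '$GUARD/sample.txt' && ls -la '$GUARD/sample.txt'")" \
        || fails=$((fails + 1))
    return $fails
}

# Run only when invoked as "sh guardpoint_check.sh run" so the functions can be
# sourced and reused.
if [ "${1:-}" = run ]; then
    guardpoint_tests
    exit $?
fi
```

Every probe goes through check, so the exit status of guardpoint_tests is the number of expectations the GuardPoint failed; a FAIL on the root probes after a policy edit is the signal that the deny rule no longer sits after the permit rule, or that the user set grew.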

Part 4: Troubleshooting CTE

You can troubleshoot the CTE Client via SSH.


In the section below, you will learn how to inspect CTE Linux Client logs.

Section 1: Inspecting the Logs


1. On Windows Server, open the PuTTY application.
2. Under Host Name (or IP address), type the Linux IP address (10.160.10.20).
3. Log in with the following:
   User: root
   Password: Thales123!

4. In the Linux terminal, type cd /var/log/vormetric and then press Enter.
5. To inspect the GuardPoints that apply to this Linux client, type: secfsd -status guard

6. To restart the CTE service, type: systemctl restart vmd.service

7. To inspect the installed version of the CTE Client, type: vmsec version


8. To inspect the log directory content, type: ls -a
(if you type ls -la, the list also shows the permissions that apply to each file).

9. Inspect the vmd log file by typing: tail -f vmd.log

10. The secfsd log records the client's tracked connections and operations with the CM:
tail -f secfsd.log

11. The CTE installation directory contains some tools that can help with debugging; type:
cd /opt/vormetric/DataSecurityExpert/agent/vmd/bin
12. Type ls -la and press Enter.
13. To check the CTE agent health and status, type: ./agenthealth


14. To display the CTE Agent info, type: ./agentinfo

15. To pull (update) the policy from the CipherTrust Server, type: ./polgen

Note: The /opt/vormetric/DataSecurityExpert/agent/vmd/bin directory contains more applications that help with debugging the CTE client.
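The commands in steps 4 to 15 are the ones you repeat every time a client misbehaves, so collecting them into one snapshot saves time during an incident. The script below is an added example for this page, not from the Thales lab or the CTE product. It assumes the log directory /var/log/vormetric and the vmd/bin tool directory given in the lab, that vmsec and secfsd are on the PATH as steps 5 and 7 imply, and that lines containing "error", "fail" or "denied" are worth a look; that pattern is a generic heuristic of this example, not the documented vmd.log format, and the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example: one-shot health snapshot of a CTE Linux client using the
# troubleshooting commands from Part 4, plus a helper that counts suspicious
# lines in the agent logs. Not from the Thales lab guide.

LOG_DIR="${LOG_DIR:-/var/log/vormetric}"
VMD_BIN="${VMD_BIN:-/opt/vormetric/DataSecurityExpert/agent/vmd/bin}"

# count_matches <file> <lines> <regex>: number of lines among the last <lines>
# lines of <file> matching <regex> (case-insensitive). Prints 0 for a missing
# or unreadable file so the snapshot keeps going.
count_matches() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0; the count is still printed.
    tail -n "$2" "$1" | grep -ciE "$3" || true
}

# log_error_count <file>: recent lines that look like failures. The pattern is
# a heuristic chosen for this example, not a documented log format.
log_error_count() {
    count_matches "$1" 500 'error|fail|denied'
}

# cte_snapshot: print service state, version, GuardPoint status, agent health
# and a rough error count per log. Each command is allowed to fail so that one
# missing tool does not hide the rest of the picture.
cte_snapshot() {
    echo "== vmd.service =="
    systemctl is-active vmd.service || true
    echo "== agent version (vmsec version) =="
    vmsec version || true
    echo "== GuardPoints (secfsd -status guard) =="
    secfsd -status guard || true
    echo "== agent health (agenthealth) =="
    (cd "$VMD_BIN" && ./agenthealth) || true
    for f in vmd.log secfsd.log; do
        echo "== $f: $(log_error_count "$LOG_DIR/$f") suspicious lines in the last 500 =="
    done
}

# Run only when invoked as "sh cte_snapshot.sh run".
if [ "${1:-}" = run ]; then
    cte_snapshot
fi
```

A non-zero count from log_error_count is a prompt to open the log with tail -f as in steps 9 and 10, not a verdict; pair it with the GuardPoint status from secfsd so that a "denied" line from a working policy is not mistaken for an agent fault.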
