VMware Virtual

CentralStore
Quick Start Guide
January 2025
Release 2.5.x

QSG-VM-CentralStore-25-DP-2.5.x-01

0
Proprietary Statement
This material constitutes proprietary and trade secret
information and shall not be disclosed to any third party,
nor used by the recipient except under the terms and
conditions prescribed by Dragos, Inc.

Copyright Statement
Copyright © 2025 Dragos, Inc. All Right Reserved

Dragos Global Headquarters

1745 Dorsey Rd
Suite R
Hanover, Maryland 21076
+1 855-372-4670
www.dragos.com

Customer Support Requests

• https://portal.dragos.com/#/
• [email protected]

0
Table of Contents

VMware Requirements ................................................................................................................................................. 3

Disk Requirements ....................................................................................................................................................................... 3
vSphere Requirements ................................................................................................................................................................ 3
Appliance-Specific Requirements ............................................................................................................................................ 3

Deploying the OVA ........................................................................................................................................................ 4

Download the OVA ...................................................................................................................................................................... 4
Deploy the OVA - ESXi................................................................................................................................................................ 5
Deploy the OVA - vCenter ......................................................................................................................................................... 9

Configure the Dragos CS-VM Network ................................................................................................................. 14

Connecting to the CS-VM SiteStore ..................................................................................................................................... 14
Change the Management Port IP Address of the CS-VM ............................................................................................. 14
Set the gateway (router) address ......................................................................................................................................... 15
Configure the NTP Server ........................................................................................................................................................ 16
Configure the hostname of the CS-VM ................................................................................................................................17
Configuring the CS-VM to use a non-standard port........................................................................................................17
If the Management IP address of the Dragos Appliance is in the 10.42.0.0/24 or 10.43.0.0/24 IP space ......17
Apply network configuration changes and reboot the SiteStore ............................................................................... 18

Uninstall Shell Access ................................................................................................................................................... 19

GPG Decryption ............................................................................................................................................................ 20

GPG Decryption in Linux ......................................................................................................................................................... 20
GPG Decryption in Windows ................................................................................................................................................. 20
Download and Installation ....................................................................................................................................................................... 20
Configuration File ......................................................................................................................................................................................... 21
Decrypting an Artifact ................................................................................................................................................................................ 22

1
2
VMware Requirements

Disk Requirements
The Dragos Virtual Appliance does not utilize software-level encryption to meet Data-At-Rest
encryption requirements. If Data-At-Rest encryption is required in a customer environment, the
requirement must be met using the underlying virtualization infrastructure (disk-level encryption
Dragos CS-VM CentralStore - V2.4.x - Quick Start Guide - version 1.0.docx or hypervisor-level
encryption).
The Dragos Virtual Appliance requires a specific minimum IOs per second (IOPS) to function
properly.
WARNING: Failure to provide the minimum IOPS defined will impact the stability and performance
of the Dragos Virtual Appliance.

vSphere Requirements
hThe Dragos Virtual Appliance has been tested with VMware ESXi 6.7 and above, as well as with
vCenter Server 7.0.

Appliance-Specific Requirements
Each Dragos Virtual Appliance has specific hardware requirements.

Appliance Dedicated Dedicated RAM** Disk Disk Read Disk Write

vCPU* Space Performance Performance

CS-25-VM 24 96GB 10TB 20,000 IOPS 40,000 IOPS

CS-50-VM 48 192GB 10TB 50,000 IOPS 100,000 IOPS

* vCPU performance should equate to dedicated threads of a Xeon E5-2680 v4 or better. It is

expected that VMware CPU reservation will be used to ensure the Dragos Virtual CentralStore
receives the required compute. Failure to implement CPU reservation could lead the Dragos Virtual
CentralStore to have very poor performance during moments of virtual host saturation. Therefore,
CPU reservation is required.

** Dedicated/Reserved RAM means VMware Memory Reservation will be implemented to ensure

the Dragos Virtual CentralStore has guaranteed access to the virtual host’s physical memory.
Failure to implement Memory reservation on the Dragos Virtual CentralStore could lead to packet
loss or the system halting all together. Therefore, Memory Reservation is required.

3
Deploying the OVA

Download the OVA

An OVA file deploys the Dragos Virtual CentralStore, which can be downloaded from the Dragos
Customer Portal. To download the OVA:

1. Go to https://portal.dragos.com.
2. Click the LOGIN button in the top-right corner.
3. Login using your Dragos Customer Portal credentials
4. Once logged in, click on PLATFORM in the top-right corner, select ARTIFACTS, and then
sect the OVA tab.
5. In the search bar, type the name of the Dragos Virtual CentralStore appliance being licensed
• CS-25-VM
• CS-50-VM
6. There are two versions of each CentralStore appliance available. One is signed and gpg
encrypted while the other is not. Download the version to deploy.

NOTE: There may be multiple software versions of the CentralStore appliance

available. Please select the software version of the appliance that is applicable to
your environment.

7. If the unencrypted version of the appliance was downloaded, then continue to the next
section. If the encrypted version of the appliance was downloaded, then decrypt the artifact
before it is deployed.
a. For more information on how to decrypt GPG artifacts, refer to the GPG Decryption
section of this Guide.

4
Deploy the OVA - ESXi
1. From the machine on which the Dragos Virtual CentralStore OVA file was saved, access the
ESXi server.
2. Right-click on the host being deploy to and click Create/Register VM.

3. Select Deploy a virtual machine from an OVF or OVA file and click Next.
4. Name the Virtual Machine and upload the OVA.

5. Select the datastore that will host the VM, keeping in mind the Storage requirements called
out previously, then click Next.

5
6. Select the correct Port Group for the management interface. Select the appropriate Disk
Provisioning strategy for your environment. Uncheck the Power on automatically box and
click Next.
• Thick disk provisioning consumes all the space required for the virtual machine and
provides a slight performance boost over thin provisioning. Dragos recommends
Thick Provisioning.
• Thin disk provisioning uses less space on your disks, but will slightly reduce
performance.

7. Confirm all information looks correct on the summary screen and click Finish.
8. The OVA uploads; track the progress of the upload in the events section.

6
9. Once the upload is complete, right-click on the newly created Virtual Machine and hit edit
settings.
10. Expand the CPU Section and define the CPU Reservation for the Virtual CentralStore
• If deploying the CS-25-VM, the reservation should be 25.2 GHz
• If deploying the CS-50-VM, the reservation should be 50.4 GHz

11. Expand the Memory Section and check the box labeled Reserve all guest memory

12. Click Save.

13. A confirmation that the Virtual Machine settings were successfully changed appears in the
tasks section.

7
14. Click on the Dragos Virtual CentralStore and click Power On.
15. Click on the black box to launch the VMware Virtual Console.

8
Deploy the OVA - vCenter
1. From the machine on which the Dragos Virtual CentralStore OVA file was saved, login to
vCenter.
2. Right-click on the cluster or host to deploy to and click Deploy OVF Template.

3. Select the Local File radio button and click the Upload Files button.
4. Select the OVA to be deployed and click open.
5. Click the Next button.

6. Name the Virtual CentralStore, select the destination of the Virtual CentralStore, and click
Next.

9
7. Select the compute resource and click Next.
8. Review the details and click Next.
9. Select the datastore that will host the VM, keeping in mind the Storage requirements called
out previously. Optionally, select the Virtual Disk format, at the top of the window, then
click Next.
• Thick disk provisioning consumes all the space required for the virtual machine and
provides a slight performance boost over thin provisioning. Dragos recommends
Thick Provision Lazy Zeroed.
• Thin disk provisioning uses less space on your disks, but will slightly reduce
performance.

10. Select the appropriate networks for each interface.

10
11. Confirm all information looks correct on the summary screen and click Finish.

12. The OVA uploads; track the progress of the upload in the events section.

13. Once the upload is complete, right-click on the newly created Virtual Machine and click Edit
Settings.
14. Expand the CPU Section and define the CPU Reservation for the Virtual CentralStore.

11
 • If deploying the CS-25-VM, the reservation should be 25.2 GHz
• If deploying the CS-50-VM, the reservation should be 50.4 GHz

15. Expand the Memory Section and check the box labeled Reserve all guest memory.

16. Click OK at the bottom of the window.

17. Confirm that the Virtual Machine settings were successfully changed in the tasks section.

18. Click on the Dragos Virtual CentralStore and click the Green Triangle to power it on.

12
19. Launch the Web Console or Remote Console, to gain console access to the Virtual
CentralStore.

13
Configure the Dragos CS-VM Network

Connecting to the CS-VM SiteStore

By default, the CS-VM is set to get an IP address via DHCP. Should it not be able to successfully get
a dynamic IP address, it will default to 192.168.1.100.

Change the Management Port IP Address of the CS-VM

To change the Management Port IP Address of the CS-VM CentralStore:

1. Login to the CentralStore CLI with the default credentials (dragos/dragos).

Once logged in, the CLI interface appears.

DragOS Command Line Interface

14
 2. To change the CS-VM’s IP address, type:
[dragos>] config interface address set mgmt1 <your ip address>/<your subnet mask>

Example:

[dragos>] config interface address set mgmt1 10.10.10.25/24

Set the gateway (router) address

• To set the gateway (router) address:

[dragos>] config interface gateway set mgmt1 <your gateway address>

Example:

[dragos>] config interface gateway set mgmt1 10.10.10.1

15
Configure the NTP Server

1. To set and enable the NTP server(s):

Set NTP Server

[dragos>] config ntp server add <NTP_server_IP_address>

Example:
[dragos>] config ntp server add time.nist.gov

2. Force a sync to ensure no errors are present:

[dragos>] system date sync <NTP_server_IP_address>

Example:

NTP Server force sync

Warning:
Setting an NTP server is required to assure the SiteStore operates optimally.
For users of Dragos SiteStores that are “air-gapped”, synchronize the SiteStore with a local NTP
server.
If NTP servers are not used, the certificates between the SiteStore and paired Sensors will become
invalid once the time difference between them becomes significant.

16
Configure the hostname of the CS-VM

• Configure the Hostname for the CS-VM. Avoid using underscores for the hostnames.
[dragos>] config hostname <CentralStore_Hostname>

Configuring the CS-VM to use a non-standard port

• The standard IP port for communications between the Dragos CentralStore and a connected
Dragos SiteStore is TCP/5671

• If necessary, configure the CS-VM to use a non-standard port for communication with a
connected Dragos SiteStore.

[dragos>] config sitestore port <non_standard_port>

Example

[dragos>] config sitestore port 8140

Note: This change to the CS-VM must be made before attempting to pair a Dragos SiteStore
to the CentralStore

If the Management IP address of the Dragos Appliance is in the 10.42.0.0/24

or 10.43.0.0/24 IP space
If the Management IP address of the Dragos Appliance is in the 10.42.0.0/24 or 10.43.0.0/24 IP
space, then the following set of commands must be run. These commands change the internal
networking subnets that are used by Kubernetes.

[dragos>] config k3s set cluster-cidr X.X.X.X/24

[dragos>] config k3s set service-cidr X.X.X.X/24
[dragos>] config interface address set mgmt1 X.X.X.X/24
[dragos>] config interface gateway set mgmt1 X.X.X.X
[dragos>] config apply
[dragos>] reboot

Note the addresses used above in the cluster-cidr and service-cidr commands must be different
and must use “/24”. If the above steps are executed, then the next section can be skipped.

17
Apply network configuration changes and reboot the SiteStore

1. To apply the network configuration changes, type:

[dragos>] config apply

2. Reboot the SiteStore

[dragos>] reboot

3. Hit Y to confirm the reboot

4. After the SiteStore reboots, ssh to it via the IP address just set.

NOTE: Refer to the Dragos Admin Overview Guide for further administrative insight, which can be
found on the Dragos customer portal at (https://portal.dragos.com).

18
Uninstall Shell Access
Unless instructed by Dragos Field Operations not to do so, run the following command to put your Dragos
Appliance into a secure shell mode.

dragos> run ushell

19
GPG Decryption

GPG Decryption in Linux

1. In terminal, cd to the directory where you downloaded the artifact.
2. Decrypt the file
a. # gpg –decrypt-file <filename>
b. Example: # gpg --decrypt-file DragOS2.0-STS-200-VM.ova.gpg
c. When prompted, enter the decryption password (found on the Customer Portal, in
the notes section of the OVA you downloaded)

GPG Decryption in Windows

Download and Installation

1. Login to a windows machine with an account that has local administrative privileges.
2. Download GPG4Win and install it on your laptop.
o This instruction was written using Gpg4win version 3.4.15
o The download is available at https://www.gpg4win.org.
▪ If you get prompted for a donation, simply click the $0 button, then click
download.
3. Go through the install process (all default options are acceptable).
4. Check the box to reboot later and click finish.

20
Configuration File

After the Gpg4win installation, create a configuration file to ensure the files download from the
Dragos Portal are successfully decrypted.

1. Open windows explore and type %APPDATA%\gnupg in the URL bar and hit Enter.

2. Right click in the window and Go to New → Text Document

3. Name the document gpg.conf

a.

b.
c. If a prompt appears, click yes to change it.

21
 4. Right-click on the newly created file and click Open with.

5. Select Notepad from the list and click OK.

6. Once Notepad opens, type the following into the document: ignore-mdc-error

7. Hit File → Save.

8. Hit File → Exit.
9. Restart the machine.

Decrypting an Artifact

Once the steps above are completed, decrypt any files downloaded from the Dragos portal.

1. Locate the encrypted file on the machine.

2. Right-click on the file → More GpgEX options → Decrypt.

22
3. A pop-up box appears, prompting for the passphrase. Type in the passphrase and wait for it
to complete.
• The passphrase can be found on the Dragos Customer Portal, in the notes section of
the OVA you downloaded.

4. Once the decrypt completes, a success message appears. Click the Save All button to save
the unencrypted artifact to the same folder on your machine.

23