export_device_encryption_key
Only the Security Administrator has permission to export the device encryption key.
For each encrypted data storage device, you can export the encryption key to a specified location. An exported device encryption key is stored in a zip file. If you select more than one device for encryption key export, all the keys are stored in a single zip file.
An exported device encryption key is retrieved from the database and decrypted using the database encryption key. Each decrypted device encryption key is stored in a text file named <device-id>.xml. All device key files are compressed into a zip file with a name similar to SecureCloudDeviceKeys-<timestamp>.zip. The zip file is encrypted using the passphrase you specify while exporting the device encryption keys.
The exported device encryption key cannot be imported back into SecureCloud. To use the encryption key for data retrieval, you have to apply a LUKS-based utility to the data storage device in question and then use the exported key for decryption.
Basic Steps:
1. Export the device key from the Web Console. See Exporting the Device Key from the Web Console.
2. Extract the device key files. See Extracting the Device Key Files.
3. Decrypt the device key files. See Decrypting the Device Key Files.
4. Use the platform-dependent command to mount the device with the key. See Mounting the Device with the Device Key.
Exporting the Device Key from the Web Console:
Log on to the Web Console using the Security Administrator role.
Location: Web Console main menu | Inventory > Devices > Devices page
Select the data storage device (or devices) whose encryption keys you want to export.
The desired device must have a status of "Encrypted" or "In-use".
Click Export.
Enter the passphrase when prompted.
This passphrase, together with a random salt, is used to encrypt the device key after it has been decrypted from the database, so the key never leaves the server in the clear.
Click Save to save the zip file.
Extracting the Device Key Files:
Unzip the exported zip file.
Since the device key will be used in the Runtime Agent, Trend Micro suggests that you unzip the file in the Runtime Agent installation path.
If you selected more than one device for encryption key export, the zip file contains multiple XML files, one per device encryption key.
If the key management type of the device is "None", there is also a corresponding .les file for this device.
If the key management type of the device is "LUKS", there will be only one XML file for this device (see Viewing and Changing Encryption Key Information on page 5-12).
Decrypting the Device Key Files:
The steps in this section can be done in either Windows or Linux.
Copy the extracted XML file to the Runtime Agent installation location.
See Installing the SecureCloud Runtime Agent on page A-6.
Execute the following command to decrypt the device encryption key:
key_exporter <extracted key xml>
Enter the passphrase when prompted.
The device information appears in the command-line console.
Base64 decode the value of the <keyGen> tag: save the value of <keyGen> into a file, then use openssl to decode that file. For example:
openssl base64 -d -in key.txt -out key.bin
The decoded binary file is the usable device key that you use to mount the encrypted data storage device.
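As an added example (not part of the SecureCloud documentation or its tooling), the following Python script performs the <keyGen> base64 decode from the previous step and derives the placeholder values that the freeOTFE and mount_vol commands need. The XML layout, element names and the sample key bytes are constructed assumptions based only on the tags named in this procedure.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of a decrypted device key file. The key material is the
# byte sequence 0x00..0x1f (not a real key); tag names follow the procedure
# above, but the exact schema of the real file is an assumption.
SAMPLE_XML = """<device id="vol-d9" partitionNumber="1">
  <keyGen>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</keyGen>
  <MountPoint>/mnt/d9ed2eb1_128</MountPoint>
</device>"""

def parse_device_key(xml_text):
    """Return device id, partition number, mount point and the raw key bytes."""
    root = ET.fromstring(xml_text)
    dev = root if root.tag == "device" else root.find(".//device")
    if dev is None:
        raise ValueError("no <device> element in key file")
    keygen = root.findtext(".//keyGen")
    if not keygen:
        raise ValueError("no <keyGen> element in key file")
    # validate=True rejects stray characters instead of silently skipping them,
    # which would otherwise yield a corrupt key that simply fails to mount.
    key = base64.b64decode(keygen.strip(), validate=True)
    return {
        "device_id": dev.get("id"),
        "partition": int(dev.get("partitionNumber", "1")),
        "mount_point": root.findtext(".//MountPoint"),
        "key": key,
    }

def freeotfe_mount_args(disk_number, info, key_path, les_path=None, drive=None):
    """Argument list for freeOTFE.exe on Windows; a .les file means key type None."""
    volume = rf"\Device\Harddisk{disk_number}\Partition{info['partition']}"
    args = ["freeOTFE.exe", "/mount", "/linux", "/silent",
            "/volume", volume, "/keyfile", key_path]
    if les_path:                     # key management type None
        return args + ["/lesfile", les_path]
    return args + ["/drive", drive]  # key management type LUKS

def mount_vol_args(key_path, device_name, info, mode="readOnly", mapping="c9-crypt1"):
    """Argument list for the Linux mount_vol helper; read-only unless asked otherwise."""
    if mode not in ("readWrite", "readOnly"):
        raise ValueError("mode must be readWrite or readOnly")
    return ["/var/lib/securecloud/mount_vol", key_path, "r", device_name,
            mapping, info["mount_point"], mode, "start"]
```

Writing `parse_device_key(...)["key"]` to a file with `open(path, "wb")` produces the same binary key file as the openssl command above; the argument lists can be passed directly to subprocess.run so no shell quoting is involved.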
Mounting the Device with the Device Key:
Windows platform:
In the VM where the Runtime Agent is installed, make sure the encrypted devices are attached and confirm the disk number.
You can retrieve this information from the "Computer Management" panel.
If Key management type is None:
If the key management type is None, there is a .les file for the device. Use the following command to mount the device:
freeOTFE.exe /mount /linux /silent /volume "<volume name>" /keyfile "<key file path>" /lesfile "<les file path>"
where <volume name> is in the format \Device\HarddiskX\PartitionY (X is the disk number confirmed in the previous step and Y is the partitionNumber attribute of the <device> tag in the decrypted device key file), <key file path> is the binary file saved after the base64 decode, and <les file path> is the .les file for the device.
For example:
freeOTFE.exe /mount /linux /silent /volume "\Device\Harddisk1\Partition1" /keyfile "c:\tempKeyFile" /lesfile "trend-6456173aa__scsi0.4.0.les"
If Key management type is LUKS:
Use the following command to mount the device if there is no .les file for the device key:
freeOTFE.exe /mount /linux /silent /volume "<volume name>" /keyfile "<key file path>" /drive <mount drive>
where <volume name> is in the format \Device\HarddiskX\PartitionY (X is the disk number confirmed in the previous step and Y is the partitionNumber attribute of the <device> tag in the decrypted device key file), <key file path> is the binary file saved after the base64 decode, and <mount drive> is the drive letter on which to mount the device.
For example:
freeOTFE.exe /mount /linux /silent /volume "\Device\Harddisk1\Partition1" /keyfile "c:\tempKeyFile" /drive h:
To unmount the disk, use the following command:
freeOTFE.exe /dismount <mount drive> /force
Linux platform:
In the VM where the Runtime Agent is installed, make sure the encrypted device is attached and confirm the device name by using the following command.
For example, in Amazon EC2
For vCloud, use the following command to ensure the device is attached:
ls -1 /dev/sd*
Use the following command to mount the device:
/var/lib/securecloud/mount_vol "<key file path>" r <Device Name> c9-crypt1 <Mount Point> readWrite|readOnly start
where <key file path> is the binary file saved after the base64 decode, <Device Name> is the name under which you attached the device, <Mount Point> is the <MountPoint> tag value in the decrypted device key file, and the final option specifies readWrite or readOnly permission.
For example:
/var/lib/securecloud/mount_vol "vol-d9-d.bin" r /dev/sdf c9-crypt1 /mnt/d9ed2eb1_128 readWrite start
To unmount the device, use the same mapping name (c9-crypt1) that was used when mounting:
/var/lib/securecloud/mount_vol dummy dummy <Device Name> c9-crypt1 <Mount Point> readWrite|readOnly stop
For example:
/var/lib/securecloud/mount_vol dummy dummy /dev/sdg c9-crypt1 /mnt/d9ed2eb1_128 readWrite stop
Windows platform, NFS storage:
Use the following command to mount the device:
freeOTFE.exe /mount /linux /silent /volume "<SecureCloudEncrypted.disk path>" /keyfile "<key file path>" /lesfile "<les file path>"
where <SecureCloudEncrypted.disk path> is the path to the SecureCloudEncrypted.disk file in the NFS folder, <key file path> is the binary file saved after the base64 decode, and <les file path> is the .les file for the device.
For example:
freeOTFE.exe /mount /linux /silent /volume "M:\SecureCloudEncrypted.disk" /keyfile "c:\tempKeyFile" /lesfile "freeotfe-volume-2.les"
To unmount the disk, use the command:
freeOTFE.exe /dismount <mount drive> /force
Linux platform, NFS storage:
In the VM where the agent is installed, make sure the NFS storage is mounted.
Attach the encrypted file (SecureCloudEncrypted.disk) in the NFS storage folder to a free loopback device. Use this command to check for a free loopback device:
losetup -f
Then attach the file with the following command:
/var/lib/securecloud/loopback_attach <SecureCloudEncrypted.disk path> <free loopback device> start
For example:
/var/lib/securecloud/loopback_attach /nfs-test/SecureCloudEncrypted.disk /dev/loop0 start
Mount the device using the following command:
/var/lib/securecloud/mount_vol "<Key File Path>" r <loopback device name> c9-crypt <Mount Point> readWrite|readOnly start
where <Key File Path> is the binary file saved after the base64 decode, <loopback device name> is the loopback device to which the SecureCloudEncrypted.disk file was attached, <Mount Point> is the <MountPoint> tag value in the decrypted device key file, and the final option specifies readWrite or readOnly permission.
For example:
/var/lib/securecloud/mount_vol "key-n.bin" r /dev/loop0 c9-crypt /mnt/encrypted readWrite start
To unmount the device, use the command:
/var/lib/securecloud/mount_vol dummy dummy <loopback device name> c9-crypt <Mount Point> readWrite|readOnly stop
For example:
/var/lib/securecloud/mount_vol dummy dummy /dev/loop0 c9-crypt /mnt/encrypted readWrite stop
To detach the loopback device, use the command:
/var/lib/securecloud/loopback_attach <SecureCloudEncrypted.disk path> <free loopback device> stop
For example:
/var/lib/securecloud/loopback_attach /nfs-test/SecureCloudEncrypted.disk /dev/loop0 stop