OpenInsight Data Encryption at Rest (RTIDER)

OpenInsight Data Encryption at Rest (RTIDER) Version 1.1 A Division of Revelation Technologies, Inc.

COPYRIGHT NOTICE 1996-2014 Revelation Technologies, Inc. All rights reserved. No part of this publication may be reproduced by any means, be it transmitted, transcribed, photocopied, stored in a retrieval system, or translated into any language in any form, without the written permission of Revelation Technologies, Inc. SOFTWARE COPYRIGHT NOTICE Your license agreement with Revelation Technologies, Inc. authorizes the conditions under which copies of the software can be made and the restrictions imposed on the computer system(s) on which they may be used. Any unauthorized duplication or use of any software product produced by Revelation Technologies, Inc., in whole or in part, in any manner, in print or an electronic storage-and-retrieval system, is strictly forbidden. TRADEMARK NOTICE OpenInsight is a registered trademark of Revelation Technologies, Inc. Windows 2000, Windows XP Professional, Windows Vista Business, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Windows Server 2012 and above are registered trademarks of Microsoft, Inc. Part No. 314-983 Printed in the United States of America. 2

Table of Contents SECTION I: INTRODUCTION TO RTIDER... 4 DIFFERENT TYPES OF ENCRYPTED VOLUMES - SITE-SPECIFIC AND PASS... 4 SECTION II: CONFIGURATION OF RTIDER SYSTEM... 5 RTIDERSERVER INSTALL, SETUP, AND CONFIGURATION... 5 RTIDERCLIENT INSTALL, SETUP, AND CONFIGURATION... 13 SECTION III: CONFIGURE ENCRYPTION SERVER... 17 SECTION IV: CREATING VOLUMES... 28 CREATING A RTIDER VOLUME... 28 CREATING A PASS VOLUME... 31 SECTION IV: CREATING ENCRYPTED TABLES... 35 CREATING A NEW ENCRYPTED TABLE... 36 COPYING AN EXISTING TABLE TO AN ENCRYPTED VOLUME... 54 CHANGING ENCRYPTION SETTINGS AFTER CREATION... 65 SECTION V: MOVING DATA BETWEEN NORMAL AND ENCRYPTED VOLUMES ON A SINGLE SYSTEM... 71 SECTION VI: MOVING DATA BETWEEN RTIDER SYSTEMS... 72 3

Section I: Introduction to RTIDER OpenInsight version 9.3 and above incorporates a new encryption service that system administrators can deploy to encrypt (on a field by field level) data in OpenInsight. The data will be encrypted at rest using industry standard encryption routines. Clients and the encryption service use the Windows Communication Foundation (WCF) to communicate, thus allowing the data to be encrypted in transit. Through the use of an Encryption Server (normally, but not necessarily, the same machine as the Universal Driver server), each OpenInsight workstation seamlessly and securely encrypts data for storage when written into an encrypted volume. The metadata and actual table contents are stored on the encryption server use AES encryption algorithm with a key size of 256 and 2 key iterations. For more information on this type of encryption see: http://en.wikipedia.org/wiki/advanced_encryption_standard Different types of encrypted volumes - site-specific and PASS There are two different types of encrypted volumes. A normal RTIDER volume uses encryption keys that are maintained by the Encryption Server; all workstations accessing this Encryption Server can (with proper permissions) access the data, but the tables contained in these volumes cannot be used by any other system running its own Encryption Server. Alternatively, a volume can be defined as an RTIDER PASS (Password Authenticated Single Session) volume; to access tables in a PASS volume, the user must enter the required passphrases during table attachment. The PASS volume can be moved among different Encryption Server systems, and is thus suitable for transporting data either temporarily (for example, when copying tables between fixed systems) or permanently (for example, putting such tables on a pen drive). 4

Section II: Configuration of RTIDER system Prior to installing the Encryption Server, system administrators may choose to create a new privileged user on the Windows PC that will act as the server. This user MUST have permissions to access the registry on the server. If a new user is not created, an existing user with the proper permissions (NOT the default system user normally assigned to services) may be used instead. RTIDERServer install, setup, and configuration To install the Encryption Server software, system administrators must run the Encryption Server Setup routine. They will be prompted to enter the address and port number assigned to the Encryption Server, so that this information can be updated for the subsequent Encryption Client installations. After installation, the system administrator must change the "Login User" for the Encryption Server service before starting the Encryption Server software, and must in addition make sure that the specified port number is accessible from all the desired clients. Administrators will also need to run the "one time configuration" for the Encryption Server, to specify which Windows groups will be allowed to perform various encryption roles. 5

6 1. The RTIDERServer setup executable can be found in the DERServer folder under your OpenInsight directory. Right click on the executable and Run as administrator.

7

8 2. The default location is C:\Revsoft\RTIDERServer.

3. If the Service Details are incorrect you will not be able to continue. 9

10 4. The default TCP port for the Encryption Server is 8188.

11

12 5. Make sure that the RTIDERService is started prior to using the Encryption Server.

RTIDERClient install, setup, and configuration 1. The Encryption Client software is automatically installed during the client setup process (performed by running the clientsetup.exe contained in the OpenInsight folder). 13

14 2. Specify the location you want to store the client install files.

3. Click No to install the.net 4.0 framework which is required for the Encryption Service. 15

16

Section III: Configure Encryption Server 1. To configure the Encryption Server open the Database Manager from Application Tools. 17

18 2. From the Database Manager select Utilitiies, OpenInsight Tables, Data Encryption At Rest, Configure Server.

19

3. If the Encryption Server has already been configured you will receive the following message. Do NOT change your Passphrase or Encryption Seed. 4. Secure your Server Passphrase and Encryption Seed in a secure location. You will need these in the event of disaster recovery to regain access to your encrypted data. 20

5. One or more Windows Groups are assigned to one or more Encryption Server Roles provided with the Encryption Server. Members of the groups that are in the Role Manager role are the people who can assign groups to the other roles. 21

22 6. The Security Groups can be selected from a popop.

7. Members of the groups in the Server Manager roles can change the encryption settings on the server. 23

24 8. Members of the groups that are in the Table Manager role can define or change the encryption settings on tables.

9. Members of the groups that are in the Assign Impersonators role can programmatically set which group they wish to impersonate. This is used when multiple different permissions are required, but all users log into Windows as the same user (e.g. the O4W user). 25

26 10. Members of the groups that are in the Data Access roles are allowed to access the encryption system. Any users who are not members of these groups will not be able to connect to the encryption server.

27

Section IV: Creating Volumes Creating a RTIDER volume Before encrypted tables can be created, an encrypted volume must first be defined. For a normal RTIDER volume, the normal CREATE_VOLUME procedure is used, with additional encryption parameters passed in as part of the "control_location" parameter: Create_Volume( volume_name, filing_system, location, control_location, status) The volume_name is the name of the new volume to create; the filing_system must be "RTP57E" for an encrypted volume; the location is the physical Windows directory for this volume; and the control_location contains the encryption details, @VM delimited: server_address : @VM : server_port : @VM : show_protected Where server_address is the IP address of the Encryption Server, server_port is the port number that the Encryption Server service is "listening" on, and show_protected is a flag (0 or 1) to indicate whether encrypted fields should be blanked out (0) or displayed in their encrypted format (1) by users who do not have permissions to decrypt those fields. 1. To Create a Volume open the Database Manager from Application Tools. 28

2. Enter your Volume Name and Location and click the Save button. If Show encrypted is selected then users with no permissions will see the encrypted value. If Hide encrypted is selected then users with no permissions will see a blank value for all encrypted data. 29

30 3. You can add or remove one or more MFS to an entire volume instead of individual tables.

Creating a PASS volume To create a PASS volume, you must use the CREATE_VOLUME_PASS procedure: Create_Volume_Pass( volume_name, location, control_location, passphrase, initvector, status) Where volume_name, location, and control_location are defined as above, and passphrase and initvector are the unique pieces that will be used to encrypt the information in this volume. The passphrase and the initvector are both user-defined strings or words; they should be unique to each PASS volume, but may be anything that is both memorable and easy to keep secret. Note that, since PASS volumes require the passphrase and initvector to be specified each time they are initially accessed, you should NOT add tables in the PASS volume(s) to your database definition. Instead, you must always run ATTACH_TABLE_PASS to attach, on a per-session basis, the tables in the PASS volume: Attach_Table_PASS( volume_pointer_name, tablelist, database, passphrase, initvector, status) 1. To Create a PASS Volume open the Database Manager from Application Tools. 31

32 2. Enter your Volume Name and Location. Select PASS and enter the PASS Volume Passphrase and Encryption Seed. Click the Save button.

1. To Attach a PASS Volume open the Database Manager from Application Tools. 2. Select the PASS Volume location and enter the PASS Volume Passphrase and Encryption Seed. 33

34

Section IV: Creating encrypted tables Tables in the encrypted volume can be created using the CREATE_TABLE procedure, which has now been extended to include an additional parameter: Create_Table(locationlist, tablename, dictflag, databaseid, tableattributeslist, protectflag, unused, unused, encryptinfo) The encryptinfo parameter defines which fields in the table should be encrypted, which groups should be able to access the data in the table, and how keys should be processed. This parameter is @FM delimited as follows: 1. list_of_fields 2. list_of_groups 3. error flag 4. key part flag Field 1 (list_of_fields) contains a list of which fields should be encrypted; this list is comma-delimited, and may contain 0 (to indicate the key field), 0*<keypart> (for example, 0*1) (to indicate part of the key field), or -1 (to indicate all fields, including the key field). An example of the list_of_fields may be "0,1,3,4", or "-1". Field 2 (list_of_groups) defines which Windows groups should have access to each of the encrypted fields; this list is in the format <fieldnumber>:<groupname>{;<groupname>;<groupname>}{,<fieldnumber>...}. For each field that may be encrypted (as defined in the list_of_fields), you may specify one or more Windows groups that can access that fields' information. As above, the field number may contain 0 (for the key field), 0*<keypart> (for a key part), or -1 (for all fields, including the key field); the group names can also be "*" to indicate "all valid Windows users in this domain." An example of the list_of_groups may be "0:inventory;acctg,1:*,3:acctg,4:inventory" or "- 1:*". If a user attempts to update a record for which he/she does not have full permissions, the Encryption Server can either "merge" the original record's fields with the updated data, or generate an error. If field 3 (error flag) is set to 1, then an error is returned; if set to 0, then the modified data is merged with the protected fields. If a key contains multiple parts (separated by the key delimiter "*"), it can be encrypted as a single piece of information, or each key part can be encrypted separately. If field 4 (key part flag) is set to 1, then each key part is encrypted separately; if set to 0, the entire key is treated as a single string, and the key delimiters are ignored during the encryption process). Please note that it is specifically allowed to create a table with no encryption information in an encrypted volume - simply pass in an empty string ("") for the encryptinfo parameter. If instead you wish to create an encrypted table with the default settings, pass in a parameter with 4 fields, each of which are the empty string (""). 35

Creating a new encrypted table 1. You can create a new encrypted table from Database Manager, Utilities, OpenInsight Tables, Data Encryption at Rest, Create Table. 36

2. You can also create an encrypted table from Database Manager. Choose File, New Table. 37

38 3. Click the Browse button and select Defined Locations.

4. Select the location of your Encrypted Volume. Encrypted volumes are denoted with a Filing System of RTP57E. 39

40 5. Add your data dictionary columns.

6. Tables created in encrypted volumes will be prompted with the following form to set the encryption settings for this table. 41

42 7. You can set the encryption level at none, all fields or specific fields. For users with no permissions you can choose to not allow record updates or allow record updates leaving the encrypted field unchanged. Record keys can be encrypted as a single string or individually by key parts.

8. Field level encryption can be set by checking the appropriate dictionary name. Access groups are set to default settings of the Encryption Server. 43

44 9. Specific Access Groups can be selected on a field level by double clicking on Access Groups.

10. Select the appropriate Access Groups for this field from the popup provided. 45

46

11. The Encryption Attributes can be altered on a table as long as no data has been added to that table. Field Level encryption settings can only be altered on empty tables. From the Table Builder menu choose File, Encryption Attributes. 47

48 12. If a table contains data the only encryption parameter that can be modified is Update rows with restricted access.

13. In this example we will add data rows to our newly created table from Database Manager. 49

50 14. Right click on the table and choose Table Browser.

15. From Table Browser add several data rows and Save. 51

52 16. The data location of this encrypted table can be seen in line 6 of the SYSTABLES*CONTACTS record.

17. If we open this file in Notepad you can see that the fields we selected are encrypted. 53

Copying an existing table to an encrypted volume 1. You can copy an existing table to an encrypted volume by selecting Copy Table wizard from the Database Manager, Utilities, OpenInsight Tables, Data Encryption at Rest, Copy Table Wizard. 54

2. You can also copy an existing table to an encrypted volume from Database Manager. Choose File, Encrypted Copy Table Wizard. 55

56 3. Select the table that you want to copy to an encrypted volume.

4. Tables that contain indexes cannot be copied to an encrypted volume. The indexes must be removed prior to copying the table. 57

5. Once the indexes have been removed you can select your source table to copy. 6. Select the location an encrypted volume that you want to copy your table into. 58

59

7. Choose the application for the copied table. 8. By default the copied table name is the same as your source table name. You can change the table name. 60

9. Choose your level of encryption for this table. 10. Select the columns which will be encrypted. 61

62 11. You have the option to delete the source unencrypted table (not recommended) upon completion of the Wizard.

12. Upon completion of the Wizard, the table has been copied to the encrypted volume and removed from the unencrypted volume. 63

64 13. Table Browser will display the copied data rows.

Changing encryption settings after creation 1. It is possible to change the encryption settings after the table has been created; this is especially useful if you wish to use the Table Builder to create the proper dictionary definitions before deciding which fields should be encrypted. However, you MUST change the encryption settings BEFORE any data has been stored in the table. 65

66

2. In this example we are changing the Access Groups for the FAX field. 67

68 3. Users who are not members of this group cannot see the FAX data.

4. Here we are setting the Access Group back to the original setting. 69

70 5. Members of this Access Group can now view the FAX field.

Section V: Moving data between normal and encrypted volumes on a single system To encrypt existing tables, or remove encryption from an already-encrypted table, you can use the COPY_TABLE procedure, which now supports an additional parameter: Copy_Table(tablename, location, database, newtablename, lockflag, deleteflag, overwriteflag, existflag, status, removerelationalindexing, encryptinfo) The encryptinfo parameter contains the same information as specified above in CREATE_TABLE. It is only required when copying to an encrypted (RTP57E) volume. When copying from an encrypted volume to a normal volume, or between normal (RTP57) volumes, the encryptinfo parameter can be omitted. 71

Section VI: Moving data between RTIDER systems Data stored in normal RTIDER volumes can only be read by the Encryption Server on which it was created. To move data to another RTIDER system, you must create a PASS volume, and then use COPY_TABLE to duplicate the data in the PASS volume. Once completed, the entire contents of the physical Windows folder where the PASS volume was defined can be moved to the target RTIDER system, attached (using ATTACH_TABLE_PASS), and then COPY_TABLE can again be called to move the transported data onto the new RTIDER system. If you do not wish to transport an entire table's contents, but still wish to protect one or more rows via encryption during transport, the steps to follow are almost the same - create a PASS volume, create an encrypted table in the PASS volume, use COPY_ROW to copy data from the source table to this "transport" table, move the Windows folder to the target system, attach the PASS volume with ATTACH_TABLE_PASS, and then COPY_ROW the data to the target table. 72

Revelation Software, Inc 99 Kinderkamack Road Ste 109 Westwood, NJ 07675 U.S.A Toll Free: 800-262-4747 Phone: 201-594-1422 Fax: 201-722-9815 www.revelation.com Revelation Software Ltd. Boundary House Boston Road London, W7 2QE U.K. Phone: +44 0 208 912 1000 Fax: +44 0 208 912 1001 info@revsoft.co.uk BrightIdeas New Zealand 44 Cockle Bay Rd, Howick Auckland, 2014 New Zealand Phone: +64 9 534 9134 info@revelation.asia Revelation Software is a division of Revelation Technologies, Inc. Part No. 314-983 73