How to use Thales CTE with Wasabi?

Wasabi has been validated for use with Thales CipherTrust Transparent Encryption (CTE). Thales CTE delivers data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging. 

 

Table of Contents

1. Prerequisites 

2. Reference Architecture

3. Create CTE User and Group

4. Test Access to Wasabi

5. Install AWS CLI

6. CipherTrust Manager Config

7. Create Key 

8. Create CTE Policy

9. Install CTE Agent on Linux

10. Install CTE with COS Service

11. Configure CTE COS

12. Configure CTE GuardPoint

13. Configure AWS CLI Network Proxy

14. Test CTE COS

 

1. Prerequisites

 

2. Reference Architecture

Thales_CTE_Architecture.jpg

 

3. Create CTE User and Group

3.1 Create a CTE User account in your Wasabi Cloud Console. Click on "Users" in the left hand pane and then click on "Create User" on the right hand side.

User_Creation.jpg

 

3.2 Name the user, then select "Programmatic (create API key)" and then click on "Next"

cte-user.jpg

 

3.3 Next click on "+ Create A New Group" and name the group "cte" and then click on "Next" at the bottom.

create_group.jpg

 

3.4 Add "WasabiFullAccess" and "AmazonS3FullAccess" policies to the group and then click "Next".

add_policies.jpg

 

3.5 Verify the information and then click on "Create User".

create_user.jpg

 

3.6 Download and save your newly created API Key Set for the user which will be used by the CTE Agent.

user_api_keys.jpg

 

4. Test Access to Wasabi

4.1 Copy file to bucket 

aws s3 cp hello.txt s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com

4.2 Verify file exists in Wasabi

  • via cli
aws s3 ls s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com

Note: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our Wasabi Service URLs.

  • via Console

file_bucket_verification.jpg

 

5. Install AWS CLI

5.1 Run the following commands to install the AWS CLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

 

5.2 Configure AWS CLI with the Wasabi User Credentials and Region where the bucket resides

aws configure

aws_configure.jpg

Note: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our Wasabi Service URLs.

 

5.3 Add CTE cosCA.crt location to the configuration file

sudo vim .aws/config
ca_bundle = /opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt

CTE_cosCA.jpg

 

6. CipherTrust Manager Config

6.1 Add Registration Token

  • From the CM Console, expand "Access Management" and then click on "Registration Tokens"

CT_M_Tokens.jpg

 

6.2 Click "+ Add Registration Token"

add_registration_token.jpg

 

6.3 Click on "Begin"

click_begin.jpg

 

6.4 Enter the name prefix and click on "Next"

new_token_name.jpg

 

6.5 Click on "Local" under CA Type and then click on "Create Token"

new_token_ca.jpg

 

6.6 Copy Token for later use and then click on "Add Token"

click_add_token.jpg

 

registration_tokens.jpg

 

7. Create Key

7.1 Click on the keys menu and then click on "+Add Key"

 

7.2 Enter the following details and then click on "Add Key"

  • Key Name - name of the key
  • Check the box "XTS/CBC CS1
  • Select "Encrypt" and "Decrypt" boxes

 

8. Create CTE Policy

8.1 From the Products Menu click on "Transparent Encryption"

 

8.2 Expand "Policies" in the left hand pane, click on "Policies" and then click "+ Create Policy"

 

8.3 Click on "+ Add Security Rule"

 

8.4 Enter the policy details and click on "Next"

  • Name - name of the policy
  • Policy Type - Cloud Object Storage

 

8.5 Create a Security Rule

  • Action - Set to all_ops
  • Effect - Set to Permit, ApplKey. Audit is optional

Click on "Add" and then "Next"

 

8.6 Create a Key Rule by clicking on "+ Create Key Rule"

 

8.7 Click on the "Select" button for the "Key Name" section

 

8.8 Select the key created earlier in previous steps.

 

8.9 Click on "Add"

8.10 Click on "Save" and now your policy is created.

 

 

9. Install CTE Agent on Linux 

Note - Required Linux Packages - https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/lin-int-packages/index.html

9.1 Run the following commands:

sudo yum install boost-regex boost-system boost-thread libcurl libtool-ltdl libxml2 epel-release -y
sudo yum install cryptopp log4cpp -y
sudo yum install python3 python3-pip -y
sudo pip3 install boto3 future
sudo yum install lsof
sudo yum install policycoreutils-python-utils

 

10. Install CTE with COS Service

Note - CTE for Cloud Object Storage Documentation found here https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/index.html

10.1 Copy the CTE binary to the RHEL instance

10.2 Login as Root and Install l CTE Agent

./vee-fs-7.3.0-135-rh8-x86_64.bin


10.3. Enter the details of your environment.
Be sure to answer Y to Cloud Object Storage

 

11. Configure CTE COS

11.1 Add Wasabi Credentials to the CTE COS S3

voradmin cos s3 cred add BZUACKKCBOERAVKTG15M i52OdrknYzq0nbsq5ptEpmUYHUw0y2BRelibLPwZ
voradmin cos s3 chunk BZUACKKCBOERAVKTG15M i52OdrknYzq0nbsq5ptEpmUYHUw0y2BRelibLPwZ 8

 

12. Configure CTE GuardPoint

12.1 From the Transparent Encryption Section expand "Clients" and click on "Clients" in the left hand pane.

 

12.2 Click on the client name and then click on "+ Create GuardPoint"

12.3 Enter GuardPoint Settings and then click on "Create"

  • Policy - Select policy created earlier
  • Type - Auto Cloud Storage
  • URL - URL of the Wasabi bucket

Cloud_GuardPoint_Settings.jpg

 

12.4 After a few moments the GuardPoint will become active

 

12.5 You can verify the status of the GuardPoint from the RHEL instance with the following command:

sudo secfsd -status guard

 

13. Configure the AWS CLI Network Proxy

13.1 All communications between client applications and the AWS server must be done through the COS proxy and the environment variable HTTPS_PROXY or https_proxy should be set. If both variables are defined, then the AWS CLI will use https_proxy.

Export HTTPS_PROXY=localhost:3128

 

14. Test CTE COS

14.1 Copy file from RHEL instance to the Wasabi bucket

aws s3 cp hello.txt s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com

Note: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our Wasabi Service URLs.

 

14.2 At this point you should see ciphertext if accessing the file from the Wasabi console.

  • Download File and open

encrypted_file_results.jpg

 

 

 

 

 

 

 

 

 

 

 

Have more questions? Submit a request