Full Disk Encryption

Full disk encryption

Requirements

Full disk encryption requires three (3) uTrust Token Pro Mini tokens (provided by SoftIron during the cluster order: Tx Systems shop. In addition, full disk encryption requires that a minimum of three static nodes be from one of the following hardware families:

• HD21XXX
• HR41XXX / HC41XXX
• HD51XXX
• HD61XXX / HR61XXX / HC61XXX
• HR71XXX / HC71XXX

More specifically, the following nodes are not supported as STATIC NODES, but ARE supported as STORAGE NODES.

• HD11XXX / HR11XXX
• HD31XXX

The nodes MUST have USB enabled by upgrading to at least UEFI ≥ 4.12.

On-premise key generation

In an environment (e.g. classified) where customers must generate their own keys on premises, to setup full disk encryption on a HyperCloud cluster on a customer site, follow the steps below:

Software requirements

• MS Visual C++ Runtimes: https://aka.ms/vs/17/release/vc_redist.x64.exe
• OpenSSL for Windows: https://slproweb.com/products/Win32OpenSSL.html
  • Download the OpenSSL Light Package
• PIVKey Admin Tools: https://pivkey.com/pkadmin.zip

Procedure Overview

• Certificate on PIVKey
• PIN location in cluster control

Generate Keys

Launch "OpenSSL Command Prompt"

Perform:

cd Desktop
mkdir hypercloud_keys
cd hypercloud_keys
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
openssl pkcs12 -export -out store.p12 -inkey key.pem -in cert.pem

Load onto Card

1. Launch vSEC_CMS as "Administrator"
2. Click on the "Certificates and Keys" tab

3. Delete the default certificate

   The Default PIN is "000000"

4. Import the newly generated store.p12 file (Change key type to "Signature")

5. Click "Smart Card PIN" tab
6. Enter old PIN and new PIN twice and click "Change PIN"

Map certificate to PIV slot

Note

Certificate generation will occur on a 3rd party Windows machine.

Launch PowerShell as Administrator

Perform:

cd 'C:\Program Files (x86)\PIVKey Installer\PIVKey Admin Tools\'
.\PivKeyTool.exe --userpin 000000 --clearmappings # Change "000000" to new PIN
.\PivKeyTool.exe --userpin 000000 --listmd # NOTE: Notate Certificate name "i.e. ksc00"
.\PivKeyTool.exe --userpin 000000 --mappiv9a ksc00

Apply PIN to HyperCloud cluster

This location for the PIN is on the HyperCloud cluster

mkdir -p /var/run/cluster-control/facts/disk-encryption/
echo "000000" > /var/run/cluster-control/facts/disk-encryption/pin

Note

At this point you can clean up the hypercloud_keys directory OR escrow it. Once purged, the keys can NEVER be recovered again. If the PIN is forgotten, all smart cards become blocked, all smart cards become damaged, all smart cards are lost, or if all static nodes go down, the data on the cluster is lost forever and SoftIron CANNOT recover it.

Important

HyperCloud keys are intended to be long-lived. Treat them as you would a Root CA key.