Orchesto Cloud Encrypt

This guide describes how you can configure Orchesto for Orchesto Cloud Encrypt.

Overview

Orchesto can be configured to automatically encrypt object data before it is sent to the upstream backend for storage. When the object data is retrieved from the backend, Orchesto will automatically decrypt it before returning it to the client.

Being in full control of the encryption keys, from the point at which Orchesto receives the object, gives the data owner stronger security guarantees than relying on encryption managed by the Cloud Service Provider.

Tip

Orchesto uses AES-256-GCM to encrypt object data. Object metadata is not encrypted.

Orchesto can be configured either via the Orchesto Admin GUI or via CLI commands.

Step 1 - Login to Orchesto as Root User

The first time Orchesto is started it provides an access credential consisting of an Access Key ID and a Secret Access Key. This is the Root User, which has full access to the system, including management of encryption keys. Make sure you store these credentials in one or more safe places, because they cannot be restored.

Go to the web address you have chosen, for example https://orchesto.yourdomain.com/

Log in with the username admin and the Secret Access Key of the Root User.

Root Login

Once logged in, you reach the Orchesto Management Console.

Management console

This guide describes how you can use the Management Console to configure and monitor the Orchesto Data Management Solution.

Overview

The Management Console is a web-based management tool for the Orchesto server. To access it, browse to the Orchesto endpoint and log in with a valid security credential.

Tip

To manage Orchesto itself, make sure to use the administrative security credential. This will grant you admin privileges, providing access to all features in the management console.

On the left-hand side of the management console is the sidebar, which provides access to all principal management functions. At the top of the console is the topbar, where you will find buttons to toggle the sidebar and to access documentation, notifications and the user menu.

The dashboard, seen in the middle section of the screenshot below, provides an overview of all your storage regions and some key performance indicators at a glance.

Tip

If your organisation is making use of several Orchesto deployments, a software module called The Central can be used to get an overview of the deployments. Some key features provided by The Central are consolidated metrics, license information, governance policy definition and an Orchesto news channel. For more information, see the documentation for The Central.

Management Console

Step 2 - Configure a Key Management Service

To use Cloud Encrypt, Orchesto must be configured with a supported Key Management Service (KMS). This functionality is embedded in Orchesto. The Orchesto KMS requires an RSA key to be provided, which acts as the master key. Each time a new key is uploaded for the KMS, the current master key is rotated and the newly uploaded key becomes the active master key.

A KMS is set up as follows; the setup can be performed either via the management console or via the Orchesto API.

It is recommended that a descriptive ID is used when adding a KMS, as this information is stored with each encrypted object and can be useful in disaster recovery situations.

Notes

While multiple KMSs may be configured, only one KMS can be active at any time. The active KMS is the one used to generate keys for encrypting objects.

Warning

It is important to note that the KMS which was used to encrypt an object must remain added to Orchesto for Orchesto to be able to automatically decrypt the object when it is fetched from a backend.

Orchesto KMS

Orchesto offers a simple KMS "out of the box". The Orchesto KMS requires an RSA key to be provided which will act as the master key. Each time a new key is uploaded for the KMS, the current master key is rotated and the newly uploaded key becomes the active master key.

Uploaded master keys are stored in the Orchesto configuration. It is critically important that backups of the master keys are created: if a master key is lost, all objects that were encrypted while that master key was active can no longer be decrypted.
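The master-key handling described above, as an added example that is not Orchesto's own code: a small Go model of envelope encryption in which each object gets a fresh AES-256-GCM data key, that data key is wrapped with the active RSA master key, and the KMS id is stored with the object in clear text. The RSA-OAEP wrap, the `oaepLabel` value, the struct layout and the key ids are assumptions; only the cipher (AES-256-GCM), the RSA master key, the rotation rule and the unencrypted metadata come from the page. The sequence in the usage note shows why the warning above matters: an object encrypted under a rotated-out key stays decryptable while that key is present and becomes unreadable once it is removed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed label for the key wrap; it is not an Orchesto value.
var oaepLabel = []byte("example-object-data-key")

// KMS follows the page's description: every uploaded RSA master key is retained and
// the most recently uploaded one is active. Orchesto's own storage format is not modelled.
type KMS struct {
	keys   map[string]*rsa.PrivateKey
	active string
}

func NewKMS() *KMS { return &KMS{keys: map[string]*rsa.PrivateKey{}} }

// AddMasterKey uploads a new master key: it becomes active (rotation), older keys stay available.
func (k *KMS) AddMasterKey(id string, bits int) error {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	k.keys[id] = priv
	k.active = id
	return nil
}

// RemoveMasterKey models a lost or deleted master key, the case the page warns about.
func (k *KMS) RemoveMasterKey(id string) { delete(k.keys, id) }

// EncryptedObject is what goes upstream: ciphertext plus clear-text metadata and key reference.
type EncryptedObject struct {
	KMSID      string            // id of the master key that wrapped the data key
	WrappedKey []byte            // per-object AES-256 key, RSA-OAEP wrapped under the master key
	Nonce      []byte            // GCM nonce, fresh for every object
	Ciphertext []byte            // AES-256-GCM output with the authentication tag appended
	Metadata   map[string]string // stays in clear text, as the page notes
}

func gcmFor(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh data key per object and wraps it with the active master key.
func (k *KMS) Encrypt(plaintext []byte, metadata map[string]string) (*EncryptedObject, error) {
	priv, ok := k.keys[k.active]
	if !ok {
		return nil, errors.New("no active master key configured")
	}
	dataKey := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The KMS id is additional authenticated data, so a tampered id is caught at decrypt time.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(k.active))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{KMSID: k.active, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Metadata: metadata}, nil
}

// Decrypt needs the master key named in the object, whichever key is active now.
func (k *KMS) Decrypt(obj *EncryptedObject) ([]byte, error) {
	priv, ok := k.keys[obj.KMSID]
	if !ok {
		return nil, fmt.Errorf("master key %q is not configured: object cannot be decrypted", obj.KMSID)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, obj.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.KMSID))
}
```

Usage: create a `KMS`, call `AddMasterKey("kms-2020", 2048)`, encrypt an object, then call `AddMasterKey("kms-2021", 2048)` to rotate. `Decrypt` looks the key up by `obj.KMSID` rather than by `k.active`, so the old object still decrypts; after `RemoveMasterKey("kms-2020")` the same call returns an error, which is the situation the Warning in this step describes. Because the KMS id is authenticated as GCM additional data, an object whose id field has been altered fails with an authentication error instead of silently selecting the wrong key.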

Add KMS

  1. Click on "System" at the bottom left of the Management Console.

Settings

  2. Click on the "Configure" button under Encryption.
  3. Click on "Add KMS" and select Provider Orchesto.

Add new KMS

Once a KMS has been configured, encryption can be enabled for a bucket. Either the management console or the Orchesto API can be used to toggle a bucket's encryption status.

Step 3 - Create an IAM Admin and IAM Policy to Avoid Using Root Access

The first time you log in to the Orchesto Admin GUI you use the Admin credential, which is Root Access and can update encryption keys.

IAM user administrator

This scenario creates a policy, attached to a group (or user), that allows the following:

  • Create and delete users.
  • Set login credentials and API keys; delete and update passwords.
  • Set group memberships and remove users from groups.
  • Do not allow creating new groups.
  • Attach or detach an existing policy to users, but do not allow altering existing policies.
  • Disallow attaching/detaching policies to groups.

In the following example, all policy statements are added in the same policy file, organized according to which resource is involved.

  • It is possible to use wildcards ("arn:aws:iam:::*") in the IAM resource definition if required.

Policy - IAM User administrator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
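The policy above grants every action on every resource, which is root-equivalent access. As an added example (not Orchesto code or documentation), the Go program below parses policy documents in the same Version/Statement/Effect/Action/Resource shape and evaluates them with the usual rule that an explicit Deny wins, a matching Allow grants, and anything unmatched is denied; it then contrasts the page's allow-all policy with a constructed policy that implements the bullet list in this step. The IAM action names in `userAdminPolicy` follow AWS IAM naming and are an assumption about what Orchesto accepts; `ParsePolicy`, `Allowed` and the wildcard matcher are illustration code.

```go
package main

import (
	"encoding/json"
	"strings"
)

// StringOrList accepts "Action": "*" as well as "Action": ["iam:CreateUser", ...].
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = StringOrList(many)
	return nil
}

type Statement struct {
	Effect   string       `json:"Effect"`
	Action   StringOrList `json:"Action"`
	Resource StringOrList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Allowed follows the usual IAM evaluation order: an explicit Deny always wins,
// a matching Allow grants, and anything left unmatched is implicitly denied.
func (p Policy) Allowed(action, resource string) bool {
	allowed := false
	for _, st := range p.Statement {
		if !anyMatch(st.Action, action) || !anyMatch(st.Resource, resource) {
			continue
		}
		if strings.EqualFold(st.Effect, "Deny") {
			return false
		}
		if strings.EqualFold(st.Effect, "Allow") {
			allowed = true
		}
	}
	return allowed
}

func anyMatch(patterns []string, s string) bool {
	for _, pat := range patterns {
		if glob(pat, s) {
			return true
		}
	}
	return false
}

// glob supports '*' as the only wildcard and compares case-insensitively,
// which is how IAM action names are matched.
func glob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if glob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && strings.EqualFold(pattern[:1], s[:1]) && glob(pattern[1:], s[1:])
}

// rootEquivalentPolicy is the policy printed on this page: every action on every resource.
const rootEquivalentPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}`

// userAdminPolicy is a constructed policy for the scenario in Step 3. The action names
// follow AWS IAM naming; whether Orchesto honours each of them is an assumption.
const userAdminPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:ListUsers",
                 "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile",
                 "iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey",
                 "iam:AddUserToGroup", "iam:RemoveUserFromGroup",
                 "iam:AttachUserPolicy", "iam:DetachUserPolicy", "iam:ListPolicies"],
      "Resource": "arn:aws:iam:::*"
    },
    {
      "Effect": "Deny",
      "Action": ["iam:CreateGroup", "iam:DeleteGroup",
                 "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy",
                 "iam:AttachGroupPolicy", "iam:DetachGroupPolicy"],
      "Resource": "*"
    }
  ]
}`
```

`Allowed("iam:CreateGroup", ...)` returns true for the page's policy and false for the constructed one, and an action outside the Allow list such as an S3 read is denied implicitly. The explicit Deny statement is kept even though the Allow list already excludes those actions, so that a later wildcard Allow attached to the same group cannot silently reopen group and policy management.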

Step 4 – Login to Orchesto as Admin User

It is strongly recommended to store the Root access credentials in one or more safe places and not to use the Root Access unless you need to update encryption keys in the KMS. Root access is only known by your company and cannot be restored.

Log out as Admin (Root access) via the top right corner of the Management Console.

Logout

Log in with the new IAM User administrator access credentials created in Step 3 and finalize the configuration as described below.

IAM User Admin

Step 5 – Connect a Backend

The Backends section in the sidebar is where you list and manage all available storage backends.

Here you can add and remove backends as well as see some high-level metrics for each backend, for example:

  • When the backend was added
  • Number of regions the backend has access to
  • Number of currently connected buckets to the backend
  • Data transferred in (to the backend from Orchesto) and out (from the backend to Orchesto)
  • Number of errors reported during command communication with the backend

Management Console

Tip

You can click on the region or bucket icon in the backend panel to jump and filter its correlated view.

To add a new storage backend, click the Add Backend button. Orchesto currently features 15 pre-integrated public cloud service providers, and more are continuously added. Orchesto can also connect to custom private clouds based on the S3 or Swift protocol and, in addition to object storage, to filesystems.

There are some slight deviations between backends in what is needed to set up a connection. For AWS, for example, an access key and a secret key are sufficient to give Orchesto access to all regions. For Azure, however, an account name and an access key give access to only one region, which is determined when the connection is configured.

Besides credentials, the Add Backend modal also asks for a backend ID. This is the Orchesto-internal name for the backend; for instance, it is the name displayed when adding a virtual bucket to a backend. Finally, when creating a new backend, Orchesto also offers the option to Cache added buckets by default. With this option activated, Orchesto automatically places objects in the read cache, provided that the cache configuration has been set up.

Adding a Storage Backend

Step 6 – Create a Virtual Bucket

The Buckets view, accessed via Virtual Buckets in the sidebar, is where Orchesto provides capabilities to manage buckets and objects across all virtual regions. The overview screen will hold information regarding the buckets, such as: name, region, creation date and information regarding whether or not bucket-level encryption, cache and versioning are enabled or if the bucket has been synced (migrated to a new virtual region).

Buckets Overview

You can add new buckets to Orchesto, also known as virtual buckets, by clicking on the Add Virtual Bucket button. In order to add a new virtual bucket, the following needs to be defined:

  • Simple region or Composite region: Select simple if you wish to map the virtual bucket to a dedicated storage provider in a simple region. Select composite if you wish to map the virtual bucket to a composite region. (In its definition, a composite region will hold a cluster of other regions that will be leveraged for redundancy purposes.)
  • Provider: Select backend provider for the virtual bucket. Note that if composite has been selected, the Provider field is not applicable since this mapping already has been made during the definition of the composite region.
  • Backing Bucket: Create New is selected by default in the Orchesto 2.0 release. (Work is currently underway to support virtual buckets mapping to existing buckets, whereby the existing content automatically will be imported to Orchesto to allow for indexing and Orchesto managed functionality.)
  • Region: The regional placement of the backing bucket.
  • Name: Orchesto's internal name of the virtual bucket.

Add Bucket

Step 7 – Encrypt the Virtual Bucket

To see the content and manage a specific bucket, simply click on the bucket to get access to the objects and bucket-level management functionality. Specific objects can be uploaded, deleted, downloaded and viewed. On the bucket-level, Orchesto features selections and toggles that allow for:

  • Versioning: Enable or Suspend versioning. This is an Orchesto feature that automatically provides versioning to all uploaded objects in a virtual bucket, even in instances where the backing bucket does not support versioning!
  • Creation of bucket policies: Allows for bucket-level IAM policies. For information regarding policy definitions, see the appendix Using policy definitions.
  • Encryption: Automatically applies Gateway-Side Encryption (GSE) to all uploaded objects. When reading objects via the Orchesto management console, the APIs, or the CLI, decryption will automatically be applied. This means that any client that consumes Orchesto can consider information to be in clear text, whereas in reality it may be encrypted when it leaves Orchesto for placement in an upstream storage.
  • Cache: If enabled, objects will automatically be placed in the read cache upon upload.
  • Versioning view-ability: If enabled, users of the management console will be able to see the different versions of an object as individual objects in the bucket. If disabled, only the latest version of each object will be displayed in the management console.

Bucket Details

Toggle Encryption to enable encryption for that specific Virtual Bucket.

Note that Cloud Encrypt runs in a cloud rather than on-premises, so object data travels to Orchesto over TLS (HTTPS) before it is encrypted. Orchesto can also be installed on-premises, in which case it provides true Gateway-Side Encryption.

Step 8 – EDP Encryption on object level

When encryption is disabled for a bucket, all new uploads to this bucket will not be encrypted. The objects which were uploaded to the bucket while encryption was enabled will remain encrypted and will be automatically decrypted by Orchesto when downloaded.

Note

Multipart uploads which started before encryption was disabled will be encrypted.

Tip

As mentioned in Configuring a Key Management Service (see above), the KMS which was active at the time the object was uploaded must remain configured within Orchesto for the object to be automatically decrypted on download. If the KMS is removed from Orchesto, it will need to be re-added with the same configuration (ID, etc.) before automatic decryption can occur again.

Encryption Managed by Governance Policies

Even in situations when bucket-level encryption is not enabled, an object can still be encrypted prior to upstream placement. This occurs when a Governance Policy is in effect which identifies that the object should be subjected to secure handling. The evaluation whether or not a governance policy should be applied to an incoming object takes place in the background. Once a governance policy has been activated, no user involvement will be required.

Hence, a backing bucket in Orchesto can contain a mix of clear text and encrypted objects. Orchesto will keep track of their status and, provided that the encryption keys have not been removed, Orchesto will automatically manage encryption / decryption.

Install Orctl

Orctl is used to execute Event Driven Policies (EDP). The binary needs to be installed on your computer in order to configure, for example, encryption based on metadata values or file types such as .docx or .png.

Download the binary to use Orctl commands:

darwin-amd64

linux-amd64

linux-arm64

linux-armhf

windows-amd64

Note

The file permissions may need to be updated to allow for a user to run the orctl binary.

Note

For Windows: due to new security features in Windows and Google Chrome, after the download you might need to remove the added file ending .crdownload to see the .exe file. Then right-click orctl.exe, select Properties and check the Unlock file checkbox.

Here are a few examples of how to use Event Driven Policies:

EDP Policy Example 1 - Only encrypt when the metadata label custom:encrypt has the value True

Save the EDP Policy below as "encrypt_edp_policy_1.json" and execute with the following command:

./orctl edp add encrypt_edp_policy_1.json

{
  "id": "83d4b375-93da-41a8-9a41-ad0416c40a3d",
  "name": " Policy 1",
  "created-by": "Zebware Developer",
  "created-at": "2020-01-28T15:15:50.684279762+01:00",
  "conditions": [
    {
      "metadata-filter": [
        {
          "label": "custom:encrypt",
          "value": [
            "true"
          ]
        }
      ],
      "filetype-filter": {
        "filetype": "Any"
      }
    }
  ],
  "actions": [
    {
      "action": "encrypt"
    }
  ]
}

EDP Policy Example 2 - Only encrypt when filetype is .docx or .png independent of meta-data

Save the EDP Policy below as "encrypt_edp_policy_2.json" and execute with the following command:

./orctl edp add encrypt_edp_policy_2.json

{
  "id": "83d4b375-93da-41a8-9a41-ad0416c40a3d",
  "name": " Policy 2",
  "created-by": "Zebware Developer",
  "created-at": "2020-01-28T15:15:50.684279762+01:00",
  "conditions": [
    {
      "filetype-filter": {
        "filetype": [
          "docx",
          "png"
        ]
      }
    }
  ],
  "actions": [
    {
      "action": "encrypt"
    }
  ]
}
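To make the two policies above concrete, here is an added Go example (not part of orctl or Orchesto) that parses EDP policy documents of this shape and decides whether an incoming object should be encrypted. It tolerates both forms of filetype used on this page ("Any" in Example 1, a list in Example 2). The evaluation semantics (every filter in a condition must hold, any matching condition triggers the actions, comparisons are case-insensitive) and the Object type are assumptions; the two embedded policy strings are compact copies of the page's examples.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// FileTypes accepts both spellings on this page: "filetype": "Any" and "filetype": ["docx", "png"].
type FileTypes []string

func (f *FileTypes) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*f = FileTypes{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*f = FileTypes(many)
	return nil
}

type MetadataFilter struct {
	Label string   `json:"label"`
	Value []string `json:"value"`
}

type FiletypeFilter struct{ Filetype FileTypes `json:"filetype"` }

type Condition struct {
	MetadataFilter []MetadataFilter `json:"metadata-filter"`
	FiletypeFilter *FiletypeFilter  `json:"filetype-filter"` // nil when the policy has no filetype filter
}

type Action struct{ Action string `json:"action"` }

type EDPPolicy struct {
	ID         string      `json:"id"`
	Name       string      `json:"name"`
	Conditions []Condition `json:"conditions"`
	Actions    []Action    `json:"actions"`
}

// Object is an incoming upload as the policy engine would see it: its key plus user metadata.
type Object struct {
	Key      string
	Metadata map[string]string
}

func ParsePolicy(doc string) (EDPPolicy, error) {
	var p EDPPolicy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

func containsFold(list []string, want string) bool {
	for _, v := range list {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// matches is true when every filter in the condition holds; values are compared
// case-insensitively. Both are assumptions about the real engine's semantics.
func (c Condition) matches(o Object) bool {
	for _, mf := range c.MetadataFilter {
		got, ok := o.Metadata[mf.Label]
		if !ok || !containsFold(mf.Value, strings.TrimSpace(got)) {
			return false
		}
	}
	if c.FiletypeFilter != nil {
		ext := strings.TrimPrefix(path.Ext(o.Key), ".")
		ft := c.FiletypeFilter.Filetype
		if !containsFold(ft, "Any") && !containsFold(ft, ext) {
			return false
		}
	}
	return true
}

// ActionsFor returns the policy's actions when any condition matches the object, else nil.
func (p EDPPolicy) ActionsFor(o Object) []string {
	for _, c := range p.Conditions {
		if c.matches(o) {
			out := make([]string, len(p.Actions))
			for i, a := range p.Actions {
				out[i] = a.Action
			}
			return out
		}
	}
	return nil
}

func ShouldEncrypt(p EDPPolicy, o Object) bool { return containsFold(p.ActionsFor(o), "encrypt") }

// policy1 and policy2 are compact copies of the two EDP policies shown on this page.
const policy1 = `{"id":"83d4b375-93da-41a8-9a41-ad0416c40a3d","name":" Policy 1","created-by":"Zebware Developer",
"created-at":"2020-01-28T15:15:50.684279762+01:00",
"conditions":[{"metadata-filter":[{"label":"custom:encrypt","value":["true"]}],"filetype-filter":{"filetype":"Any"}}],
"actions":[{"action":"encrypt"}]}`

const policy2 = `{"id":"83d4b375-93da-41a8-9a41-ad0416c40a3d","name":" Policy 2","created-by":"Zebware Developer",
"created-at":"2020-01-28T15:15:50.684279762+01:00",
"conditions":[{"filetype-filter":{"filetype":["docx","png"]}}],"actions":[{"action":"encrypt"}]}`
```

With policy1, an object is encrypted only when its custom:encrypt metadata is true, regardless of file type; with policy2, any .docx or .png object is encrypted whatever its metadata, and a .csv carrying custom:encrypt: true is not. Parsing the filetype field through a custom UnmarshalJSON is what keeps the two differently shaped documents loadable by one code path.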

To remove an existing EDP Policy, first list the existing policies with the "./orctl edp list" command:

./orctl edp list

{
 "is-truncated": false,
 "marker": "",
 "policies": [
  {
   "created-at": "2020-01-28T14:15:50.68428Z",
   "created-by": "Zebware Developer",
   "description": "",
   "id": "83d4b375-93da-41a8-9a41-ad0416c40a3d",
   "name": " Policy 2"
  }
 ]
}

Copy the "id" 83d4b375-93da-41a8-9a41-ad0416c40a3d, which is unique for that EDP Policy.

Now delete that specific EDP Policy with the following command:

./orctl edp delete 83d4b375-93da-41a8-9a41-ad0416c40a3d

For a more in-depth commentary on Orchesto functionality and configuration, please see http://docs.orchesto.io/