How to encrypt captured data at rest
Captured data at rest can be encrypted using the 256-bit Advanced Encryption Standard (AES) algorithm. This significantly increases the security of your at-rest data.
You must have a special Observer license to enable and use this feature. There is no extra charge for the license.
You must have a GigaStor hardware appliance. This feature is not available to GigaStor Software Edition. See the differences in software and hardware offerings for GigaStor.
Data at rest encryption prevents visibility into any packets, or even the metadata about the packets, stored on the GigaStor. Any packets that are captured by the GigaStor are considered "data," and while they are stored on the GigaStor they are considered "at rest." Should any of the drives in the GigaStor be removed or misplaced, the data on the drives is protected. There is no remote access to this data apart from Observer’s own analyzer, and the data tagging methods for organizing and retrieving data can only be used in conjunction with Observer.
The GigaStor can capture 10 Gb line rate while simultaneously encrypting the traffic with AES-256 encryption without any significant performance impact on write or read speeds of the GigaStor. The RAID hardware is responsible for the encryption, and the data is encrypted before it is written to disk.
These instructions describe how to apply data at rest encryption to a GigaStor already in your possession. If your GigaStor shipped from the warehouse with the data at rest security already enabled, you do not need to complete this process unless two or more drives in your RAID have failed.
Caution: This procedure deletes all of the data on your GigaStor! Ensure you have a backup of any data you wish to keep.
1. Download the latest firmware for the Areca 1882 Series RAID card or contact VIAVI Support for the file.
2. Choose Start > All Programs > Areca Technology Corp > ArcHttpSrvGui > Areca HTTP Proxy Server GUI. The program starts. You should see something similar to the Figure 47 image.
Figure 47: Areca RAID application
3. Select Controller#01 and click Launch Browser. If the controller is not running, click the Start button then launch the browser. The Areca RAID application attempts to connect to its web server.
4. Type the user name and password. The default user name is admin. There is no default password. Click OK to open the browser.
In the browser you can see the RAID set, IDE channels, Volume, and capacity.
5. In the web browser, choose System Controls > Upgrade Firmware. In the Browse field, choose each of the four files from the firmware package you downloaded or received from Technical Support in step 1 and click Submit. Choose the files in the order they are listed below. After adding the arch1882firm.bin file you are prompted to restart the system. Ignore that restart request and add the fourth file.
6. Restart the GigaStor.
7. Choose Volume Set Functions > Delete Volume Set. Select the volume, then select Confirm The Operation and click Submit. This deletes all of the existing data on the RAID.
8. Choose Volume Set Functions > Create Volume Set. Set the following options to these values, select Confirm The Operation, and click Submit.
Volume RAID Level: Raid 5
Greater Two TB Volume Support: 64bit LBA
Volume Initialization Mode: Foreground Initialization. It may take several hours (six hours for 48 TB) to initialize the volume. While the volume is being initialized, the GigaStor cannot be used. If you choose Background Initialization, you may use your GigaStor, but it will take significantly longer to complete and performance will be negatively affected.
Volume Stripe Size
Volume Cache Mode: Write Back
Volume Write Protection
Full Volume Encryption: 256Bit Key, AES Key
Tagged Command Queueing
SCSI Channel
Volumes To Be Created
9. Open Observer and apply your new license. Restart Observer.
Because this is the first time that Observer is opened with the new license, it does not yet have a key for the encrypted volume. A window appears indicating that the volume is locked.
10. Click Generate Key and save the key file in a secure location following your organization's security policy.
When rebooting, the system needs access to the key in order to unlock the drive. This is the key necessary to write to and read from the RAID volume.
Observer will not open unless it can find the key. Without the key present neither packet capture nor packet analysis can occur. You can choose to remember the key file location so that Observer opens automatically, or, if left cleared, each time Observer is opened you must provide the path to the key file.
Securely storing the key is a critical part of your responsibility.
11. Close Observer until the rest of this procedure is complete.
12. In Control Panel > Administrative Tools > Computer Management > Storage > Disk Management select the RAID volume, right-click and choose Initialize. In the Initialize Disk window, select Disk 1 and GPT (GUID Partition Table). Convert the volume to a Simple Layout, assign a drive letter (typically, D:), and provide a name (typically, DATA).
13. Repeat this process for each RAID volume for your GigaStor.
14. Open Observer.
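The key-file handling from step 10, as an added read-only audit in PowerShell (not VIAVI's or this page's own code): it checks that the key file is not stored on the encrypted RAID volume itself, flags broad Windows groups that are allowed access to it, and returns a SHA-256 so the working copy can be compared with a backup copy. The function name, the key path and the default drive letter are assumptions; the path in the usage comment is a placeholder.

```powershell
# Added example: read-only audit of the volume key file saved in step 10.
function Test-KeyFilePlacement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # assumption: wherever you saved the key file
        [string] $EncryptedDrive = 'D'              # drive letter of the encrypted RAID volume
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $sha256 = $null

    if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) {
        $findings.Add("Key file not found: $KeyPath")
    }
    else {
        $full = (Get-Item -LiteralPath $KeyPath).FullName

        # The volume stays locked until the key is supplied, so a key stored
        # on that same volume is unreachable after a reboot.
        $root = [System.IO.Path]::GetPathRoot($full)
        $encRoot = $EncryptedDrive.TrimEnd(':', '\') + ':\'
        if ($root -ieq $encRoot) {
            $findings.Add("Key file is on the encrypted volume ($encRoot)")
        }

        # Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users.
        # SIDs are compared instead of names so localized Windows builds match too.
        $broadSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11'
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $rules = (Get-Acl -LiteralPath $KeyPath).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and $broadSids -contains $rule.IdentityReference.Value) {
                $findings.Add("Broad group $($rule.IdentityReference.Value) is allowed: $($rule.FileSystemRights)")
            }
        }

        # Hash for comparing the working copy with the backup copy.
        $sha256 = (Get-FileHash -LiteralPath $KeyPath -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        KeyPath  = $KeyPath
        Sha256   = $sha256
        Findings = $findings.ToArray()
        Passed   = ($findings.Count -eq 0)
    }
}

# Placeholder path, not a product default:
# Test-KeyFilePlacement -KeyPath 'C:\Secure\observer-volume.key' -EncryptedDrive 'D'
```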