For maximum protection, set backup encryption on an appliance or on a primary appliance for cluster-wide protection. You may encrypt a Safeguard Backup File (.sgb) with one of the following methods:
- Standard (default): No password or GPG key is required.
- Password: You can enter any password value. You must have the password to restore the backup.
  CAUTION: Make sure to save the password in a safe vault. There is no way to recover the password needed to restore the backup.
- GNU Privacy Guard (GPG) public key (RSA only): You can upload a .txt file with the public key and metadata or copy and paste the public key and metadata to Safeguard for Privileged Passwords. A backup file created with a GPG public key is encrypted when it is downloaded or archived. Only the private key holder can decrypt the backup file prior to the file being uploaded and restored. Once the private key holder decrypts the backup, the backup is the same as a backup generated when only appliance protection was selected.
  CAUTION: Make sure to save the GPG private key in a safe vault. There is no way to decrypt the GPG protected file without the private key.
Once set, future backups created manually or automatically are protected.
Safeguard for Privileged Passwords detects all attempted uploads of an invalid backup. If a backup is GNU Privacy Guard (GPG) encrypted, a message like the following displays: "The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance." An audit event is created for the failed backup load with the error reasons, which include an invalid signature.
To configure backup protection
- If you will use GPG key protection, generate your public key file and create a .txt file to be uploaded or copied and pasted.
- Go to Backup and Restore:
  - web client: Navigate to Backup and Retention > Backup and Restore. Then, click Settings.
- From the Backup Settings dialog, select the type of backup protection for the appliance. The settings on a primary appliance are replicated to the cluster. The settings are read-only on each cluster node.
  - Appliance Protection Only: This is the default and includes no password or GPG Key protection of the backup. The backup is only encrypted as a Safeguard genuine backup.
  - Add Password Protection: Once selected, enter the password in the Backup Password text box. If a password already exists, a static number of dots display. You can type in a new password in place of the existing password and then confirm the password. The password you type in is used for backups made from the time the password is set until it is changed. Make sure to keep the password information in a safe vault.
  - Add GPG Key Protection: Once selected, do one of the following:
    - Click Browse to upload the public key file from a .txt file you created earlier.
    - Paste the public key information generated earlier into the text box.
    When you navigate back to this dialog, you will see the name, fingerprint, and the detail to identify the public key file.
    The GPG public key you submit is used for backups generated from the time protection is set until it is changed. Once a backup is generated while GPG is set, it will always be downloaded or archived with the GPG public key encryption, regardless of any settings changed on the appliance after it is generated. The GPG public key encryption stays with the backup metadata. In addition, if you upload the backup to another appliance, downloading the backup again will encrypt it with the same GPG public key originally provided.
- Click OK.
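A pre-upload check for the public key .txt file from the first step, added here as an example (not One Identity code): it parses the armored key, confirms the primary key uses an RSA algorithm ID, and computes the OpenPGP v4 fingerprint for comparison with the one shown in the dialog. Assumptions: the dialog shows the standard v4 fingerprint of the primary key, only the primary key packet is inspected (subkeys are not), and `SAMPLE_KEY` is a constructed packet rather than a usable key.

```python
import base64, hashlib, struct
RSA_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only"}  # RFC 4880 IDs

def dearmor(text):
    """Return the binary data of an armored key block (headers and CRC line skipped)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an armored PGP public key block")
    body = lines[lines.index("") + 1:] if "" in lines else lines[1:]
    return base64.b64decode("".join(l for l in body if not l.startswith(("=", "-"))))

def first_packet(data):  # -> (tag, body); handles old and new header formats
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:  # new format: tag in the low 6 bits
        tag, o1 = hdr & 0x3F, data[1]
        if o1 < 192:
            start, length = 2, o1
        elif o1 < 224:
            start, length = 3, ((o1 - 192) << 8) + data[2] + 192
        elif o1 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:  # old format: tag in bits 5-2, length type in bits 1-0
        if hdr & 0x03 == 3:
            raise ValueError("indeterminate length is not supported")
        tag, start = (hdr >> 2) & 0x0F, 1 + (1, 2, 4)[hdr & 0x03]
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def inspect_public_key(armored):
    """Report the primary key's RSA algorithm (or None), modulus bits, v4 fingerprint."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet first")
    algo = RSA_ALGOS.get(body[5])  # body = version, 4-byte time, algorithm, key material
    bits = int.from_bytes(body[6:8], "big") if algo else None  # bit count of MPI n
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"algorithm": algo, "bits": bits, "fingerprint": fpr}

def armor(packet):  # minimal armor for the sample; omits the optional CRC line
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.encodebytes(packet).decode()
            + "-----END PGP PUBLIC KEY BLOCK-----\n")
# Constructed sample, not a usable key: v4 RSA packet with a filler 2048-bit modulus.
SAMPLE_BODY = (b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + struct.pack(">H", 2048)
               + b"\xc3" + b"\x5a" * 255 + struct.pack(">H", 17) + b"\x01\x00\x01")
SAMPLE_KEY = armor(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY)
```

Read the exported .txt file as text and pass it to `inspect_public_key`; an `algorithm` of `None` means the primary key is not RSA.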
It is the responsibility of the Appliance Administrator to configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance.
To configure the appliance backup retention settings
- Go to Backup Retention:
  - web client: Navigate to Backup and Retention > Backup Retention.
- Enter the maximum number of backup files you want to store on the appliance. You can enter 0 to 40 for the number of backup files that will be stored on the appliance. Then click Save.
Once Safeguard for Privileged Passwords saves the maximum number of backup files, next time it performs a backup, it deletes the backup file with the oldest date.
The Safeguard for Privileged Passwords web client allows you to generate a backup on a hardware appliance which can then be uploaded and restored on a Safeguard virtual machine.
IMPORTANT: Due to the potential security risk with migrating from a hardware appliance to a virtual machine, the Appliance Administrator making the request is required to contact One Identity Support as part of this process before they will be able to complete enabling this feature. This approval is indicated by the Not Authorized/Authorized indicator at the top of the Authorize VM Compatible Backups page.
IMPORTANT: You cannot upload a backup to a hardware appliance which was previously downloaded from hardware as VM compatible. Such a backup can only be uploaded to a Safeguard virtual machine.
IMPORTANT: This feature is not available on a replica within a cluster.
To authorize generating a hardware appliance backup for use on a virtual machine
- Navigate to Backup and Retention > Authorize VM Compatible Backups.
- In the Challenge Request User Identifier field, enter the name of the user requesting permission for the backup to be generated.
- Click Generate Request.
  NOTE: Only one challenge request can be active at a time. If there is a pending challenge request already active, you can cancel the active request by selecting the Invalidate Existing Challenge Request check box before generating a new request.
- A Challenge Request text box will appear. This text box contains the information needed by One Identity to confirm the VM compatible backup authorization request is valid. Use one of the following options to copy the information:
- Contact One Identity Support regarding your request to authorize the download of VM compatible backups from a hardware appliance. When requested, send the copied or downloaded challenge request to One Identity Support.
- Once One Identity Support has confirmed the request, a challenge response will be sent back. This text needs to be copied and pasted or uploaded (using the Browse button) to the Challenge Response text box.
- Click Verify Response to confirm the request has been approved.
Once confirmed, an Authorized indicator will be displayed at the top of the Authorize VM Compatible Backups page. The Download VM Compatible option will now be available through the button on the Backup and Restore page on hardware appliances. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings.
You can use the Remove Authorization button to disable this feature. To re-enable it, a new Challenge Request must be sent to One Identity Support.
Use the Certificate settings to manage the certificates used to secure One Identity Safeguard for Privileged Passwords. The panes on this page display default certificates that can be replaced or user-supplied certificates that have been added to Safeguard for Privileged Passwords.
It is the responsibility of the Appliance Administrator to manage the Certificate Signing Requests (CSRs) used by Safeguard for Privileged Passwords.
Go to Certificates:
- web client: Navigate to Certificates.
Table 25: Certificates settings

| Setting | Description |
|---|---|
| Audit Log Signing Certificate | Where you manage the audit log signing certificate used to validate audit logs stored on an archive server. When the audit log is exported, the log is signed with this certificate to ensure that it is legitimate and has not been tampered with after export. |
| Certificate Signing Request | Where you can view and manage certificate signing requests (CSRs) that have been issued by Safeguard for Privileged Passwords. CSRs that may be created in Safeguard for Privileged Passwords include: Audit Log Signing Certificate, SMTP Client Certificate, SSL Certificates, or Syslog Client Certificates. |
| Hardware Security Module Certificates | Where you manage client and server Hardware Security Module certificates. These certificates are used for connecting to Hardware Security Module devices. |
| SMTP Certificate | Where you manage SMTP client certificates. |
| SSL/TLS Certificates | Where you manage SSL/TLS certificates, including installing certificates or creating CSRs to enroll a public SSL/TLS certificate. This certificate is used to secure all HTTP traffic. |
| Syslog Client Certificate | Where you manage the syslog client certificate used to secure traffic between Safeguard for Privileged Passwords and the syslog server. |
| Trusted CA Certificates | Where you add and manage certificates trusted by Safeguard for Privileged Passwords and used to verify the chain of trust on certificates for various usages. For example, a trusted certificate may be your company's root Certificate Authority (CA) certificate or an intermediate certificate. |