Configure the Bomgar Privileged Access Appliance to use Data at Rest Encryption

Technical Overview

With Bomgar Base 5.0, Bomgar administrators can now enable data at rest encryption. This includes block-level encryption using XTS-AES 128-bit encryption for the following content:

  • Bomgar configuration
  • Text-based session audit history
  • Session recordings

Bomgar's data at rest encryption implementation uses KMIP to generate an encryption key for initial encryption of your content and requests the key when decrypting your content, as well.

KMIP Server Information and Testing

To configure data at rest encryption for your Bomgar Appliance, go to one of the following locations:

  • For physical and virtual Bomgar Appliances, go to /appliance > Storage > Encryption.
  • For Bomgar PA Cloud, go to /login > Appliance > Storage > Encryption.

Then configure the following details noted below.

KMIP Server Hostname and Port

  • KMIP Server Hostname: The hostname of your key management solution.
  • Port: The port used to connect to the KMIP Server.

Note: Bomgar PA Cloud instances are static to port 5696. However, for on-premises deployments, the port is configurable but defaults to port 5696.

The KMIP server must be reachable from your Bomgar PA site via Transmission Control Protocol (TCP) over the KMIP hostname and port. For on-premises deployments, the KMIP server can be on a local network or accessible via the internet. However, please ensure your firewall allows TCP connections over the specified KMIP TCP port from your Bomgar Appliance.

Server CA Certificate, Client TLS Certificate, Passphrase, Username, and Password

KMIP requires bi-directional authentication. The Bomgar PA Appliance must trust the KMIP server from which it is requesting encryption keys, and the KMIP server must trust the Bomgar Appliance for which it is storing and granting encryption keys as an authorized service. To create this level of trust, the following information is needed:

  • Server CA Certificate: The root CA certificate presented by the KMIP server to verify its authenticity to the Bomgar Appliance.
  • Client TLS Certificate: The client TLS certificate with the KMIP user account defined for the KMIP server to verify the authenticity of the Bomgar Appliance.
  • Passphrase: The passphrase needed by the Bomgar Appliance to open and read the client TLS certificate.
  • Username/ Password: The username and password associated with the KMIP user account being used to verify the authenticity of the Bomgar Appliance. This is the same user account defined in the client TLS certificate.

The Bomgar Appliance authenticates the KMIP server through the root CA certificate, which is uploaded to Bomgar /appliance. KMIP requires two-factor authentication to verify authorized services, and in this scenario, the KMIP server uses the username and password for the KMIP user account and the client TLS certificate to authenticate the Bomgar Appliance.

When the Save and Test Changes button is selected, the Bomgar Appliance issues a KMIP command and waits for a response back from the KMIP server, ensuring communication is possible. If successful, the Encrypt button becomes available in Bomgar /appliance. If not successful, the Encrypt button remains whited out and unavailable, and you must recheck the KMIP details entered on /appliance to ensure the information is correct.

Important!

The length of time needed to initially encrypt your Bomgar content depends on the amount of storage consumed by your Bomgar Appliance. For new deployments of Bomgar PA, it is recommended to configure data at rest encryption before production use of your Bomgar Appliance. In the event your Bomgar Appliance is consuming 4GB of data or more, please contact Bomgar Technical Support at help.bomgar.com.

The Encryption Process

Once the KMIP server is configured successfully, you can click the Encrypt button. The Bomgar Appliance reaches out to the KMIP server and issues a command to create an encryption key, which is stored on the KMIP server with an associated secret ID. The encryption key and the associated ID are then provided to the Bomgar Appliance for initial encryption of the data, and the Bomgar Appliance starts backing up the session,. The data is then encrypted, and the backup is restored.

Note: During encryption, the Bomgar Appliance stores the secret temporarily in its memory.

At this point, the Bomgar Appliance stores the secret’s associated ID - not the secret itself - in a decrypted portion of the Bomgar Appliance. In the event the Bomgar Appliance is rebooted, it makes a request to the KMIP server, asking for the secret associated ID. This allows the Bomgar Appliance to decrypt your data, while also ensuring the availability of your Bomgar site.

Note: For more information on how to configure data at rest encryption, please see Encryption: Configure KMIP Server and Encrypt Session Data.