Message Level Encryption
IBM Endpoint Manager added Message Level Encryption (MLE) to its BigFix 7.1 platform release to allow Clients to encrypt upstream data so that no data originating from the Client will be readable on the network. Upstream data from the Client can include Fixlet/Task/Baseline relevance, action statuses, retrieved properties and/or analyses, and files sent via the Upload Manager. This capability is useful for improving security when an organization has Clients reporting across potentially insecure networks, including the Internet. MLE does not affect actions taken from the Console or Fixlets that are already protected by digital signatures.
NOTE: The 'required' encryption level setting should only be used if necessary as incorrect configuration can lead to significant reporting issues and orphaned clients. For example, if encryption is disabled in BigFix Admin, any clients configured to require MLE would no longer be able to report.
NOTE: The 'optional' encryption level setting will improve security while encryption is enabled, but will allow clients to continue to report should encryption be unavailable for any reason.
To enable MLE, the BigFix infrastructure components (Server, Relay, and Clients) must be running at least version 22.214.171.1245. The Server will require additional CPU resources to process the encrypted client. Server hardware recommendations (for CPU) are as follows:
2-3 GHz - 2 Cores
2-3 GHz - 2-4 Cores
2-3 GHz - 4 Cores
2-3 GHz - 4-8 Cores
2-3 GHz - 8-16 Cores
2-3+ GHz - 16 Cores
If your deployment is over 50,000 seats, or you are using an encryption key strength of 2048 or 4096 bits, BigFix highly recommends also configuring one or more decrypting top level Relays (with 2-4 CPU cores each) to help distribute the additional processing load.
Enabling Message Level Encryption
- Manage client encryption.
- Generate a new encryption key.
Note: If you plan on leveraging top-level relays to decrypt incoming client data, make sure to uncheck "begin encrypting with this key" before clicking OK.
- Deploy the Task in the Support Site called 'BigFix Client Setting: Encrypted Reports' (Task ID 543 in BigFix Support) to enable encryption on Clients, and select one of the encryption level options.
Enable encryption on clients by adding a custom setting.
To enable Message Level Encryption on Linux, run the following steps as super user:
- Generate the key:
./besadmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no -outkeypath=<path> -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
- Activate the key:
./besadmin.sh -reportencryption -deploynow=yes -sitePvkLocation=<path+license.pvk>
Available options can be retrieved from command help:
"./BESAdmin.sh -reportencryption -h"
Enabling MLE in a DSA Server Setup
To enable a MLE in a DSA Server Setup:
- You will need to transfer the encryption key to the DSA BES Server. For more information, see Message Level Encryption and DSA.
Transferring of the encryption key file must be done securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFixAdmin.
- Once the encryption key has been copied to the DSA BES Server, execute BESAdmin on the DSA Server: select the Encryption tab, and click Deploy key.
- Click OK.
Enabling Decrypting Relays (Optional)
You can enable a Relay to decrypt data and pass the decrypted data to the Server. This is a useful way to offload CPU load from the main Server to a relay, but it complicates the MLE setup (which is otherwise very simple). Additionally, if you have a decrypting relay when doing MLE, the decrypting relay decrypts all the client reports, then re-encrypts as a single data and forwards it to the core server.
Generally you will not need to use a decrypting relay unless you have many tens of thousands of agents or if your main Server CPU load is too high.
For more information about decrypting relays, see Creating top-level decrypting relays
To enable a decrypting relay:
- You will need to transfer the encryption key to the decrypting top-level relays before enabling MLE. The key can be found on the main Server with a default location of:
"Program Files\BigFix Enterprise\BigFix Server\Encryption Keys\SHA1HASH.pvk"
and should be copied on the decrypting relays to:
"Program Files\BigFix Enterprise\BigFix Relay\Encryption Keys"
- Since this is a private key, BigFix recommends transferring this file securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFixAdmin.
- Once the encryption key has been copied to all the decrypting top level Relays, click the Enable button in the Encryption tab.