InterSystems has tested the encryption of Caché database files in Caché 5.0. The following topics describe the requirements, recommendations, and procedures developed on each of the tested operating systems:
Encrypting Caché Files on Microsoft Windows
This topic describes the basic steps for encrypting Caché files on Microsoft Windows platforms. It contains the following sections:
Requirements and Recommendations
Requirements:
Recommendations:
Encryption Procedures
To encrypt the appropriate Caché database (cache.dat) files on Microsoft Windows, perform the following steps:
  1. Install Caché 5.0. See the Caché Installation Guide for Windows for specific instructions.
  2. Define your databases, isolating them from files in the Bin and Mgr directories of your Caché installation. See Configuring Databases in the “Configuring Caché” chapter of the Caché System Administration Guide for more information.
  3. Shut down Caché.
  4. Exit the Caché Cube and shut down the IIS Web server and any other processes that might cause sharing violations.
  5. Start the Web server.
  6. Start Caché.
If you do not set up the file encryption properly, an error occurs immediately when starting Caché; the ccontrol start command fails. View the console.log for error information.
Update the Caché Controller Service
Edit the Caché Controller Service for proper Caché startup.
  1. In the Windows Control Panel, click Services in the Administrative Tools submenu.
  2. For each instance of Caché on the machine, there is a service named Caché Controller for <configname> (for example, Caché Controller for CACHE). Right-click this name and click Properties from the shortcut menu.
  3. Click the Log On tab and change the Log on as property to the account that installed Caché. Click OK.
Encrypt Caché Database Files
From Windows Explorer, perform the following on each folder you choose to encrypt:
  1. Right-click the appropriate folder and click Properties from the shortcut menu.
  2. From the General tab, click Advanced to display the Advanced Attributes dialog box.
  3. Select the Encrypt contents to secure data check box and click OK. Encryption and compression are mutually exclusive.
  4. Repeat this process for each folder that contains files you would like to encrypt.
File encryption is transparent to Caché. To undo the encryption, follow this same process and clear the encryption check box.
Additional Resources
For additional information about the Windows Encrypting File System (EFS) and related topics, see the following Microsoft documents, which you can find on the Microsoft Web site, www.microsoft.com:
Encrypting Caché Files on Red Hat Linux
This topic describes the basic steps for encrypting Caché files on the Red Hat Linux platform using loopback devices. It contains the following sections:
Requirements and Recommendations
Requirements
Recommendations
Encryption Procedure
The Loop-AES facility is a special device that provides a fast and transparent file system and swap encryption package for Linux. The following sections describe the procedures InterSystems recommends for setting up this type of encryption:
Modify User-space Tools
The Loop-AES facility requires modified user-space tools for the mount and losetup commands, as well as the latest Linux patch file.
  1. Note:
    This example uses loop-AES-laters.tar.gz.
  2. Extract the util-linux-*.diff patch file; note the version number.
    Note:
    This example uses util-linux version 2.12a.
  3. Obtain the util-linux package that matches the patch file version above from ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
    Note:
    This example uses util-linux-2.12a.tar.gz.
  4. Extract the util-linux package.
  5. Apply the util-linux-*.diff patch.
  6. Read the INSTALL file for build and install notes.
  7. Configure and make, but do not install, the package.
  8. Copy the new losetup and mount programs to a directory. This example uses /usr/local/bin.
    Caution:
    Do not overwrite /bin/mount or /sbin/losetup, or you may render the system unbootable.
    The following is an example set of commands to perform steps 4-8:
      tar zxvf util-linux-2.12a.tar.gz
      cd util-linux-2.12a
      patch -p1 < ../loop-AES-v2.1c/util-linux-2.12a.diff
      more INSTALL
      ./configure
      make
      cd mount
      cp -a losetup /usr/local/bin
      cp -a mount /usr/local/bin
    
  9. Test the updated tools. For example:
      /usr/local/bin/losetup -e aes /dev/loop0 /dev/sdb1
      (enter password)
      mke2fs -j /dev/loop0
      mount /dev/loop0 /mnt
      umount /mnt
      losetup -d /dev/loop0
To undo the encryption, move the files out of the partition. The encryption is transparent to Caché. Once the file system is mounted, its contents are readable by anyone who has the file permissions to access them.
Set Up Key Files
This section outlines a procedure for setting up key files and uses the following sample file names:
As root:
  1. Create 64 random encryption keys and encrypt them into the key file using the GNU Privacy Guard (gpg) encryption and digital signature tool:
    head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
        | gpg -c -a > /keyfile.gpg
    
    
    Enter a passphrase at the prompt.
  2. Add the following (single) line to /etc/fstab:
    /dev/sdb2 /encrypted ext3 defaults,noauto,loop=/dev/loop0,encryption=AES128,gpgkey=/keyfile.gpg 0 0
    
    
    Important:
    Due to formatting limitations in some documentation output media, the previous commands may display on two lines; in practice, enter them as a single line.
  3. Construct a file system on the loopback device:
    losetup -F /dev/loop0
    mkfs -t ext3 /dev/loop0
    losetup -d /dev/loop0
    
    
    At the prompt, enter the passphrase from step 1.
  4. Create a mount point:
    mkdir /encrypted
    
    
  5. Mount the file system:
    mount /encrypted
    
    
    At the prompt, enter the passphrase from step 1.
The file system encryption key contains the user key. You are prompted for the user key at mount time for encrypted files.
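The following added example (not part of the InterSystems procedure) checks two things the steps above depend on: that the pipeline in step 1 yields 64 distinct key lines, and that the /etc/fstab entry from step 2 is a single six-field line carrying the noauto, loop, encryption, and gpgkey options. The function names check_key_material and check_fstab_entry are hypothetical, and the sample fstab is constructed.

```sh
#!/bin/sh
# Added example: sanity checks for the key material (step 1) and the
# /etc/fstab entry (step 2). All sample input below is constructed.

# Reads plaintext key lines on stdin; succeeds only for exactly 64 unique,
# non-empty lines made of base64 characters.
check_key_material() {
    awk '
        $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }   # empty or non-base64 line
        seen[$0]++                { bad = 1 }   # the same key appears twice
        END { exit (NR == 64 && !bad) ? 0 : 1 }
    '
}

# check_fstab_entry FSTAB MOUNTPOINT
# Succeeds only if FSTAB has exactly one six-field entry for MOUNTPOINT whose
# options include noauto, loop=, encryption= and gpgkey=. Prints the gpgkey path.
check_fstab_entry() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $2 == mp {
            n++
            opts = "," $4 ","
            if (NF != 6)                             bad = 1  # wrapped line
            if (opts !~ /,noauto,/)                  bad = 1  # mount -a would try it at boot
            if (opts !~ /,loop=\/dev\/loop[0-9]+,/)  bad = 1
            if (opts !~ /,encryption=[^,]+,/)        bad = 1
            if (match(opts, /,gpgkey=[^,]+,/)) {
                key = substr(opts, RSTART + 8, RLENGTH - 9)
            } else { bad = 1 }
        }
        END { if (n == 1 && !bad) { print key; exit 0 } exit 1 }
    ' "$1"
}

# Demonstration on a constructed fstab (the entry from step 2).
demo=$(mktemp)
cat > "$demo" <<'EOF'
/dev/sdb2 /encrypted ext3 defaults,noauto,loop=/dev/loop0,encryption=AES128,gpgkey=/keyfile.gpg 0 0
EOF
if check_fstab_entry "$demo" /encrypted >/dev/null; then echo "fstab entry: ok"
else echo "fstab entry: check failed"; fi
rm -f "$demo"
```

Against the real files, run gpg -d /keyfile.gpg | check_key_material and check_fstab_entry /etc/fstab /encrypted as root.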
Additional Resources
For additional information about encrypting files and related topics, see the following documents: