Vormetric Transparent Encryption for PCF (Beta)
WARNING: The Vormetric Transparent Encryption for Pivotal Cloud Foundry (PCF) is currently in Beta and is intended for evaluation and test purposes only. Do not use this product in a PCF production environment.
This documentation describes the Vormetric Transparent Encryption (VTE) for PCF. Vormetric Transparent Encryption for PCF works in conjunction with other on-demand PCF products by encrypting the data of the products with access control, allowing security administrators to manage and monitor the instances through the console of the Vormetric Data Security Manager (DSM).
Vormetric Transparent Encryption for PCF protects data stored within PCF products with file-level encryption and access control, effectively limiting data file access to only allowed users, groups, and processes. This combination enables organizations to meet compliance requirements and best practices for data security, including access control for administrators of the Pivotal environment.
The solution is a BOSH Add-on and supports multi-tenancy. A Registration Service maps tenant organizations and spaces as defined in Pivotal Apps Manager to domains within a Vormetric data security management environment. After you are registered, the Vormetric tile protects directories based on pre-configured encryption keys and policies. Domains within this management environment can isolate management of data security policies and keys for specific PCF instances to specific organizations or business units.
A Vormetric Data Security Manager is required to use the VTE tile, and you must have a base VTE and a Live Data Transformation (LDT) license to activate. Contact your Thales e-Security account manager or email@example.com to obtain these licenses.
The Vormetric Transparent Encryption for PCF currently supports the following PCF products:
- MySQL for PCF v2.4.0 and later
Vormetric Transparent Encryption for PCF includes the following key features:
- Meet compliance and regulatory requirements for protecting sensitive data – encrypt and control access to data files used with PCF product instances
- Scalable and automated – automatically protect data as you add new PCF product instances
- High Performance – the tile accelerates encryption operations using the hardware encryption capabilities of CPUs in the underlying Pivotal Cloud Foundry environment
- Multi-tenant – supports multi-tenancy with mappings between Pivotal Organization Space and Vormetric Data Security Domains
The following table provides version and version-support information about the Vormetric Transparent Encryption for PCF.
|Release date||May 21, 2019|
|Vormetric Transparent Encryption version||v6.1.3-46|
|Vormetric Data Security Manager version||v6.0.3+|
|Compatible Ubuntu Xenial kernel versions (up to)||4.15.0-48-generic|
|Compatible Ubuntu Xenial Stemcell versions (up to)**||97.82, 170.51|
|Compatible MySQL for PCF version(s)||v2.4.x and v2.5.x|
|Compatible Ops Manager version(s)||v2.3.x, v2.4.x, and v2.5.x|
|Compatible Pivotal Application Service version(s)||v2.3.x, v2.4.x, and v2.5.x|
|IaaS support||AWS, Azure, GCP, OpenStack, and vSphere|
** Stemcells with versions above those listed may work if the underlying kernels are compatible with VTE.
WARNING: Vormetric transparent Encryption for PCF v0.1.1 and earlier require a Ubuntu Trusty stemcell. The end-of-life date for Ubuntu Trusty is April 2019. If a security vulnerability is found on this stemcell after April, it will not be fixed.
The Vormetric Transparent Encryption for PCF has the following requirements:
- You must have Vormetric Data Security Manager running software v6.0.3 or later.
- You must have an active account with Thales e-Security for the support of Vormetric encryption product suite.
- You must obtain a license for the Vormetric encryption product suite with the Live Data Transformation (LDT) feature.
- You must install Offline Java Buildpack in PCF.
- You must use MySQL for PCF v2.4.0 or later.
- Manual configuration of domains and security policies, etc. in the Vormetric Data Security Manager is required before using the tile.
- Shared secret for VTE registration must be the same for all host groups and domains in the Vormetric Data Security Manager.
- Per-instance activation in one PCF environment is not supported.
- The release was tested on Azure and Google Cloud Platform and is expected to work with other IaaSes as well.
If you have a feature request, questions, or information about a bug, email Pivotal Cloud Foundry Feedback.
For Vormetric-specific issues, questions, or feedback, contact Support using one of the following methods:
For Thales e-Security Sales:
- Email Sales
- Call 888-267-3732
A license for the Vormetric encryption product suite with the Live Data Transformation (LDT) feature is required to use the tile.