rdxLOCK Admin Guide

rdx OC
Administration Gu de
Version 2.3.0.39 - R e se
Page 1 of 32
Tandberg Data S.a.r.l.
2015-05-27
nten
1 Product Information .......................................................................................... 3
1.1 Overview ................................................................................................... 3
1.2 Key Features .............................................................................................. 3
1.2.1 Protection Policies ................................................................................. 3
1.2.2 Enhanced Security Mode (ESM) ............................................................... 4
1.2.3 AES-256 encryption ............................................................................... 5
1.2.4 Verified Retention Clock (VRC) ................................................................ 6
1.3 Restrictions ................................................................................................. 7
2 Installation ...................................................................................................... 8
2.1 Installing rdxLOCK ...................................................................................... 8
2.1.1 Starting the Installation ......................................................................... 8
2.1.2 License Agreement ................................................................................ 9
2.1.3
Select the installation path and additional tasks ...................................... 10
2.1.4 Start the installation ............................................................................ 11
2.1.5 Completing the Installation ................................................................... 12
2.2 Post-Installation ....................................................................................... 13
2.3
Uninstalling rdxLOCK ................................................................................ 14
3 Configuration ................................................................................................. 16
3.1 Obtaining and entering the “TimeSync” Key.................................................. 16
3.2 Setting up a WORM volume........................................................................ 18
3.3 Protection policies and retention periods ...................................................... 21
3.3.1 Directory-level retention period ............................................................. 21
3.3.2 rdxLOCK Directory Level Retention Policy................................................ 22
3.4 Obtaining and entering license keys ............................................................ 24
4 Best Practices ................................................................................................ 28
4.1 Data Protection......................................................................................... 28
4.1.1 Backup / Restore ................................................................................. 28
5 Troubleshooting .............................................................................................. 30
5.1 Reporting a Problem .................................................................................. 30
5.2 rdxLOCK Tab is not available on MS Explorer’s property page ......................... 30
5.3 Application event log message: “Invalid license” ........................................... 31
6 Appendix ........................................................................................................ 32
Page 2 of 32
Tandberg Data S.a.r.l.
2015-05-27
1 Product Information
1.1 Overview
rdxLOCK is a software product, which provides infinite or fixed period WORM (Write Once,
Read Many) protection for data on RDX QuikStor cartridges.
Applications can write data locally, via CIFS, FTP or NFS directly to a rdxLOCK protected file
system, but are not allowed to make any modification after the data was locked. The locking
mechanism is completely controlled by rdxLOCK on a directory-level or file-level basis and
ensures that a file object is changed to WORM based on the selected protection policy. A special
API is not necessary for this.
rdxLOCK’s protection policies ensure that files can’t be modified, renamed, moved or
overwritten in any way, preserving data in a non-rewritable, non-erasable manner for a
specified period of time or infinite. Additionally rdxLOCK prevents the alteration of file
attributes.
In order to meet regulatory compliance requirements, rdxLOCK allows the deletion of data
after a pre-defined retention period, but still prevents the user from modifying expired data.
As rdxLOCK is able to use the existing server and a RDX QuikStor drive, an audit- compliant
archive can be implemented in a cost effective manner. Even existing file systems can be
converted to WORM file systems by rdxLOCK.
rdxLOCK supports NTFS RDX volumes on 32-bit and 64-bit Windows architectures.
1.2 Key Features
1.2.1 Protection Policies
Protection policies can be configured a volume-level on directory level retention (DLR).
Page 3 of 32
Tandberg Data S.a.r.l.
2015-05-27
1.2.2 Enhanced Security Mode (ESM)
rdxLOCK protected volumes may be managed on operating system level mostly like any volume.
In particular you can move them from one disk system to another one and you can mount them
on any computer, even if there is no rdxLOCK software installed.
Enhanced Security is an additional security level to encrypt the volume in a way that no content
of the real volume is visible, if rdxLOCK is not installed. Instead of the real content of the NTFS
volume, you can see a small FAT – volume with warning information. It also inhibits the deletion
of files on rdxLOCK protected volumes in the following cases:



The rdxLOCK file system filter has been stopped.
rdxLOCK has been uninstalled from the system.
A rdxLOCK WORM volume has been moved to a server system, which does not
have rdxLOCK installed.
Since rdxLOCK 2.3.0 ESM V5 is used. This version supports encryption with AES-256. ESM
V4 volumes are still supported and can optionally be set to V5. New created volumes will only
be created as V5 with a FAST encryption. The internal ESM number is increased to prevent
older rdxLOCK version mounting this volume. V5 and V4 volumes can be converted to V5
AES-256.
Page 4 of 32
Tandberg Data S.a.r.l.
2015-05-27
1.2.3 AES-256 encryption
The AES-256 encryption is using keys with a length of 256 bits. Each WORM volume uses its
own key for both encrypting and decrypting the data. In combination with AES-256 encryption
it is possible to grant access to WORM volumes for a dedicated group of rdxLOCK computer
systems by exporting and importing keys.
Initially the volume key is not exported and AES encrypted WORM volumes can be used on any
rdxLOCK system. If a WORM volume should only be accessible by a certain group of systems the
AES key must be first exported and then imported to all other authorized systems. The system
which was used for exporting the key gets implicitly authorized. To export or import keys the
user must hold administrative rights.
The AES key of a WORM volume can be exported by the following rdxLOCK CLI
command:
rdxLockcli KeyExport <volume_drive_letter> > <key_file_name>
example: rdxLockcli KeyExport e: > aes_key_e.txt
With the export command the volume changes its state to “exported” and the ESM component
only decrypts the volume if the key has been imported for this volume on the local system.
To import the AES key of a WORM volume to a system, the following rdxLOCK CLI
command may be used:
rdxLockcli KeyImport <volume_drive_letter> <key_file_name>
example: rdxLockcli KeyImport e: aes_key_e.txt
Note:
The export and import cli commands are subject to change for upcoming
versions.
Page 5 of 32
Tandberg Data S.a.r.l.
2015-05-27
1.2.4 Verified Retention Clock (VRC)
A compliant data storage system needs a secure tamper-proof time base to measure retention
periods and ensure WORM integrity.
rdxLOCK provides a secure and compliant retention time management, called Verified Retention
Clock (VRC). This facility has to be synchronized directly after setting up the software by
entering a special key (TimeSync Key). (see chapter 3.1)
This key contains a trusted timestamp for verifying that the system clock is in a certain range
compared to UTC (Coordinated Universal Time). Only if the verification succeeds, WORM volumes
can be initialized, configured and controlled. As long as the verification has not been executed,
the system cannot be used for managing WORM volumes.
All WORM volumes created by a rdxLOCK application with a non-verified system clock are
marked as “TEST WORM VOLUMES” and can only be converted to valid, productive WORM
volumes on systems with a verified system clock and as long as their temporary license is still
valid.
After a successful system clock verification, VRC closely monitors the system clock and ensures
that system clock manipulations may not be used to delete files before they expire. Such
manipulations may end in temporary prolongation of retention periods when the system clock is
set in the future or to access restrictions when it is set in the past.
Small changes in the system clock are manageable, but when the clock is adjusted over large
ranges, or the system is switched off or rebooted for any reasons, this does result in a
prolongation of retention periods. In order to mitigate such artificially extended retention time
periods, VRC allows a drifting of the retention time offset (RTT-Offset) up to a week per year in
order to make up for downtimes due to system maintenance and
other housekeeping events. Any longer periods of downtime will need to be handled via a
TimeSync Key, if the RTT-Offset is beyond an acceptable value.
VRC is designed to support removable WORM media. Taking a WORM volume offline for an
extended time period does not end up in a temporary prolongation of retention periods
registered in a volume.
Page 6 of 32
Tandberg Data S.a.r.l.
2015-05-27
1.3 Restrictions















rdxLOCK Version 2.3.0.33 - Release is designed for NTFS formatted volumes on primary
partitions of basic disks with MBR (master boot record) and GPT (GUID Partition Table)
partitioning scheme. If rdxLOCK is configured for a volume
residing on a dynamic disk, the Enhanced Security Mode will not be supported on that
volume.
rdxLOCK may not be installed on systems which do have any version of TrueCrypt installed.
rdxLOCK supports RDX QuikStor and RDX QuikStation.
Other file systems than NTFS are not supported.
Appending data to rdxLOCK protected files is not supported.
Files having Extended Attributes or reparse points attached can’t be set to WORM.
The Recycle Bin functionality cannot be used on WORM volumes, since rdxLOCK denies the
move operation to the recycle bin, when an expired WORM file is selected for deletion.
Therefore it is recommended to deactivate the Recycle Bin for the individual WORM
volumes in order to make the deletion of expired WORMf iles possible.
Please note that Microsoft has redesigned the Recycle Bin behavior in Windows VISTA,
Windows 2008 Server and Windows 7. The properties of the Recycle Bin are now tied to
user profiles rather than the actual disk. Therefore each user must explicitly switch off the
Recycle Bin of the corresponding WORM volumes when accessing them locally for deleting
expired WORM files.
Upgrades are only supported from rdxLOCK version 2.1.0 Build 29 and higher. Previous
versions need special support, so please contact your service provider.
Read-only volumes are not supported.
Volumes mounted inside a WORM volume are not WORM protected.
Shrinking an ESM protected volume is not supported.
Adding a mirror to an ESM protected volume is not supported.
Volumes marked as 'active' cannot be used in ESM mode.
Page 7 of 32
Tandberg Data S.a.r.l.
2015-05-27
2 Installation
Administrative rights are required to install, configure, set policies and retention times, license or
update rdxLOCK. When installing on Windows 7, Windows 2008 Server or higher you need to be
logged in as Administrator or you need to run the installation program using the context menu
option “Run as administrator”.
2.1 Installing rdxLOCK
2.1.1 Starting the Installation
To install rdxLOCK

Close all applications running on the system.

Run the program rdxLocksetup_<version>.exe to start the installation wizard.
In case no other application is opened at this time, you can proceed with the installation process
by clicking the Next button.
Page 8 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.1.2 License Agreement
You have to agree to the license contract in order to continue with the rdxLOCK
installation procedure.
Page 9 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.1.3 Select the installation path and additional tasks
Page 10 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.1.4 Start the installation
After clicking the Install button, rdxLOCK will be installed to the selected destination folder.
Page 11 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.1.5 Completing the Installation
On the completion screen, we should install rdxLOCK’s Enhanced Security Module, which allows
configuration of rdxLOCK’s Enhanced Security Mode on a per volume base.
Installing the Enhanced Security Module requires a system reboot.
Page 12 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.2 Post-Installation
After a new installation or an upgrade from versions prior to 2.2.6, the system clock needs to be
verified by a TimeSync key. Please refer to the chapter “Obtaining and entering the TimeSync
Key” for further information.
Note:
As long as the system clock is not verified, the following restrictions exist:

New volumes couldn't be initialized.

WORM Volumes created by rdxLOCK version 2.2.5 or previous are put to READ- ONLY
mode and are not switched to the regular WORM mode until the TimeSync verification
has been succeeded.
Page 13 of 32
Tandberg Data S.a.r.l.
2015-05-27
2.3 Uninstalling rdxLOCK
rdxLOCK can be uninstalled by using the Windows Software Manager. Click Start->
Control Panel -> Add or Remave Programs, select the rdxlock product and press the
Remave button.
Page 14 of 32
Tandberg Data S.a.r.l.
2015-05-27
If the Enhanced Security Mode was installed, a reboot is required to completely remove
rdxLOCK from your system.
NOTE:
If you remove the rdxLOCK product from your system, you will not be able to access
WORM-committed files anymore.
In addition, if the Enhanced Security Mode was previously applied to a WORM volume, the WORM
NTFS file system is hidden and inaccessible after uninstalling the rdxLOCK product. The former
NTFS WORM volume is displayed as a FAT file system with the label “Volume Lock” in this case.
Page 15 of 32
Tandberg Data S.a.r.l.
2015-05-27
3 Configuration
3.1 Obtaining and entering the “TimeSync” Key
A TimeSync key is used to verify that the system clock is in a certain range compared to
UTC and therefore ensures that file retention times are managed in a safe and secure
fashion. If the TimeSync key verification process succeeds for the first time, the system will
be ready for handling WORM volumes. Every additional TimeSync operation resets the RTTOffset. rdxLOCK maintains this internal “corrective retention time offset” parameter (RTTOffset) to manage the time offset between the system clock and the Verified Retention
Clock (VRC). These offsets occur due to normal situations like the
system being powered down or potentially abnormal situations where the system clock is
changed or potentially rolled back.
To apply a TimeSync key take the following steps:

start the rdxLock GUI application and select the menu item Configuration  Apply
Time Sync

click on the web link in the dialog below:
Page 16 of 32
Tandberg Data S.a.r.l.
2015-05-27

Copy the TimeSync key string from the web page directly to the corresponding dialog's
input field and press the Apply button. Alternatively, you may save the key to a file first
and select that file for applying the TimeSync key.
Note:
It may take up to 2 minutes until the system clock gets verified. VRC information is displayed
in the output panel view called “VRC” of the rdxLockGUI application.
Page 17 of 32
Tandberg Data S.a.r.l.
2015-05-27
3.2 Setting up a WORM volume

For converting an NTFS volume to a WORM volume, use MS Explorer, Disk Management
or rdxLOCK GUI to open the property page of the appropriate volume and select the
rdxLOCK tab. This approach can only be used if you are logged in as the local
administrator or as a domain administrator with special security options (see section 5.2
for further information). Alternatively, you may run the rdxLOCK GUI program, rightclick the appropriate volume and select “Configure”. If you are logged in as a standard
user, who is not a member of the local administrator group, you will get an UAC prompt
for entering the administrator's password in order to run the program with full elevated
rights and privileges as an Administrator.
Page 18 of 32
Tandberg Data S.a.r.l.
2015-05-27




Select the “ENABLE WORM MODE” checkbox.
Optionally you may activate the “Enhanced Security Mode” (ESM). On production sites,
this should be activated!
To save your settings, press the APPLY or OK button.
Confirm you settings and press the OK button.

After confirming the WORM – Mode, the whole volume is set to WORM status and can
never return to non-WORM status.

If Enhanced Security Mode is selected, data on the volume will be encrypted after
confirmation. This process could be long-lasting depending on the amount of used data
blocks on the volume and your hardware.

Switch off the recycle bin functionality for the newly configured WORM volume.
Page 19 of 32
Tandberg Data S.a.r.l.
2015-05-27
NOTE:

The Enhanced Security Mode may be activated on a WORM volume at any time, but
cannot be switched off after its activation.
(rdxLOCK root directory tab information after converting a volume to WORM state.)
Page 20 of 32
Tandberg Data S.a.r.l.
2015-05-27
3.3 Protection policies and retention periods
After a volume has been configured for WORM, protection policies should be defined on the root
directory. There is no requirement to set such policies, but just setting the WORM mode without
policies would not have much effects. Without policies, files would not become WORM protected.
DLR (Directory Level Retention) periods are related to directories, not to single files. All files in a
certain directory and all sub-directories are treated the same way.
Auto-commit: Files written into a certain location are committed to be WORM after a defined
period of time (AUTOCOMMIT DELAY) by rdxLOCK Software. (No application activity is needed.)
3.3.1 Directory-level retention period
The rdxLOCK DLR policy determines the expiration date of a WORM file by adding the retention
period, which is configured on a directory-level and inherited to all its sub-directories, to the
WORM-commit timestamp of that file.
The DLR policy always uses “auto-commit” mode. Means all files are set to WORM after the
“auto-commit delay” period. No file may stay on non-worm status in such folders.
Since the expiration date is not explicitly attached to a file during the WORM commit phase, but
is calculated whenever the file is selected for deletion, it is easily possible to increase retention
periods of WORM file sets, which reside in the same directory hierarchy.
Page 21 of 32
Tandberg Data S.a.r.l.
2015-05-27
3.3.2 rdxLOCK Directory Level Retention Policy
The rdxLOCK DLR policy allows the configuration of a fixed or infinite retention period level of a
WORM volume. Retention periods can be increased at any time, but it’s not allowed to decrease
a retention period. Since rdxLOCK associates the retention period defined on a directory with
each WORM file inside that directory tree, extending the retention period will also affect already
WORM committed files.
The rdxLOCK DLR policy automatically commits files to WORM after their creation, whereas the
WORM trigger can be delayed by the value, configured for the “AUTOCOMMIT DELAY”
parameter. This value can be set between 0 and 100000 seconds (~ 27.7 hours). The value
could be modified at any time (increase/decrease) to fit to your needs.
The following configuration dialog can be activated by right-clicking the appropriate folder using
MS Explorer and selecting “Properties” or “Configure” when using the rdxLock GUI program.
Page 22 of 32
Tandberg Data S.a.r.l.
2015-05-27
The following rules apply to WORM files covered by a rdxLOCK DLR policy:

WORM files cannot be modified, overwritten, renamed or deleted.

WORM files cannot be changed back to non-WORM files.

Security settings (ACL) on WORM files cannot be changed any more. Therefore we
recommend to always using security groups in order to be able to change security for
single users by adding or removing them from the assigned group.
The following rules apply to expired WORM files covered by a rdxLOCK DLR policy:

Expired files can only be deleted. Renaming or modifying an expired WORM file is not
allowed.

Increasing the retention period of a DLR policy will also be reflected on expired WORM files,
which means that an expired WORM file may be WORM protected again depending on the
length of the new retention period.
Page 23 of 32
Tandberg Data S.a.r.l.
2015-05-27
3.4 Obtaining and entering license keys
rdxLOCK includes a trial license that allows the use of a WORM volume for 60 days. The trial
license has neither a capacity limit nor a limit on the amount of WORM volumes. If you want to
keep a WORM volume past the trial period expires, you can register the volume to obtain a key
for a permanent license.
Notes:

Access to a WORM volume with an expired trial or temporary license will be
denied.

A permanent license key can only be requested on a system with a verified
system clock.
Each WORM volume is registered separately and therefore has its own rdxLOCK generated serial
number, which is needed when requesting a permanent license key for a WORM volume.
To find the WORM volume serial number and install a permanent license, take the following
steps:



In the Windows Start menu, select Programs -> rdxLock -> rdxLockGUI
In the rdxLOCK user interface, select WORM volumes and right-click on the WORM
volume for which you want to request a permanent license.
Click “Request License”
Page 24 of 32
Tandberg Data S.a.r.l.
2015-05-27

Enter the Capacity-ID, which you have received from your rdxLOCK sales representative.
Characters are automatically converted to upper case when entering lower case.

After pressing the “OK” button rdxLOCK generates the license request key, which must be
sent to the licensing service by using either the on-line WEB-PORTAL or sending the
information via email.
Please ensure that your server is connected to the internet, when choosing the “WEBPORTAL” for requesting the license key.
To access the licensing service you have to log in to the WEB-PORTAL. If you do not yet have
log-in access, please register and provide a valid email address, which is used by the
licensing service to respond back to you.
Page 25 of 32
Tandberg Data S.a.r.l.
2015-05-27

If you decide to send the license key request via email, you may either use the menu item
“EMAIL…”, which launches your email client and automatically generates an email with the
necessary information or you may copy the license request key to a text file and send it as
an email attachment to [email protected].
After receiving the permanent license key for the volume, click “Install License” and select the
file containing the license information.
Page 26 of 32
Tandberg Data S.a.r.l.
2015-05-27

Check the license status on the right-side pane of the rdxLOCK GUI. It may take up to 4
minutes until the license status is updated.

After you have installed a permanent license, you can still add additional WORM capacity to
a WORM volume by an add-on license. The new add-on license key is installed via the
volume’s context menu item “Install License” as well.
rdxLOCK monitors the capacity on each WORM volume and displays a warning message in
the application event log when a WORM volume nears its capacity limit. If the capacity limit is
exceeded, write operations on the volume will be denied until additional WORM capacity is
licensed for the volume.
The rdxLOCK user interface provides an overview of the installed license types, status
and used/free WORM capacity.
Page 27 of 32
Tandberg Data S.a.r.l.
2015-05-27
4 Best Practices
4.1 Data Protection
The following data protection strategies are available for rdxLOCK WORM volumes:
4.1.1 Backup / Restore
In order to meet regulatory compliance rules and preserve the WORM aspects of the original files
we only advise to use Full Image Backup for protecting WORM volumes.
Since an Image Backup is an exact duplicate of a volume, data can be quickly restored to the
exactstate it was when the backup was performed. This behavior ensures that
WORM volumes are always completely restored in case of a disaster recovery.
File based restore cannot guarantee that all WORM files are restored.
A suitable image backup and restore solution should provide the following features:


Total Reliability
Online image backup
Creating a consistent image backup of a WORM volume while the volume is available to
other system applications is mandatory.

Differential or incremental online image backup
Differential or incremental image backup speeds up the image backup process and
saves disk space, since only files which have been changed since the last (full) backup
need to be backed up.

Network support
Image files can be saved directly to internal and network drives.

Configurable image file sizes
The solution should allow specifying a maximum size for the disk image files.

Support of volumes larger 2 TB (GPT disk)

Command line support
This functionality is needed for automating backup and restore procedures.

Compression mode

Data Encryption
Page 28 of 32
Tandberg Data S.a.r.l.
2015-05-27
The following Image Backup product has been evaluated with rdxLOCK:

Image for Windows, TeraByte Inc.
http://www.terabyteunlimited.com/image-for-windows.htm
NOTES:

The option “Backup unused sectors” must be selected when backing up an ESM
encrypted WORM volume on a GPT disks.

A new permanent license key is required when restoring a WORM volume from a full
image backup copy.
Page 29 of 32
Tandberg Data S.a.r.l.
2015-05-27
5 Troubleshooting
5.1 Reporting a Problem
For technical assistance with a registered version of rdxLOCK, email your inquiries to
[email protected].
Please have the following information included in your email when you report a rdxLOCK
issue:

Issue
o
o
o
o
description
Provide symptoms of the issue.
When did the issue occur?
Which activities have caused the issue?
Which file objects are affected by the issue?

rdxLOCK Service Report.
The rdxLOCKGUI application automatically generates a Service Report by selecting the
menu item <Diagnostics> -> <Generate Service Report>. All service information is
stored to the file FL_Diag.zip, which is located in the directory <rdxLOCK installation
directory>\Diagnostics.

List of third-party-applications installed on your system, including antivirus scanners and
backup management applications.
5.2 rdxLOCK Tab is not available on MS Explorer’s property page
The rdxLOCK tab on the MS Explorer’s property page is only available for local or domain
administrators.
If rdxLOCK is running on Windows 2008 Server, Windows 7 or Windows 2012 Server please set
up the User Account Control accordingly:
If the built-in domain administrator account is used for configuring rdxLOCK, the local security
policy "User Account Control: Admin Approval Mode for the Built-in Administrator Account" must
be disabled.
If another domain admin account than the built-in domain administrator is used, the local
security policy "User Account Control: Run all administrators in Admin Approval Mode"
must be disabled.
Page 30 of 32
Tandberg Data S.a.r.l.
2015-05-27
5.3 Application event log message: “Invalid license”
An invalid license may result from the following conditions:



Temporary license has been expired.
License information can’t be read on the WORM volume. Please check, if the
rdxLock service is running.
WORM volume has been restored. In this case a new permanent license must
be requested.
Page 31 of 32
Tandberg Data S.a.r.l.
2015-05-27
6 Appendix
Filter-Compatibility:
rdxLock was successfully tested in combination with the following 3rd party applications:
- Symantec AntiVirus Version 12
- McAfee VirusScan Enterprise 8.7
- TrendMicro ServerProtect 5.58
- 3rd party replication tools were not tested with rdxLock version 2.2.
For last minute information regarding limitations and known problems, please read the
ReadMe.txt.
Page 32 of 32
Tandberg Data S.a.r.l.
2015-05-27