Public Key Encryption
CloudReady Monitor uses public-key encryption to securely store sensor credentials while still enabling customers to easily deploy, control and configure a large number of distributed sensors from one secure location in the cloud.
Installation and Key-pairs
Installation of the Exoprise Management Client requires a private-public key-pair. You can learn more about Public Key Infrastructure (PKI) here. CloudReady makes initializing PKI keys and certificates very easy through the use of the Management Client and custom installers that securely join the Secure Service to the CloudReady servers.
The private key is stored on the machine where the sensors and Secure Service run. The private key is registered and configured during installation of the Secure Service. CloudReady records the public key part of the key-pair in its database for encrypting credentials and sensor configuration.
During sensor creation, configuration and assignment to a Service Shell location, all of the credentials are encrypted using the public key part of the key-pair. When each sensor is deployed to a location, only the Service Shell with the matching private key part of the key-pair can decrypt the credentials specific to that sensor. This ensures that all sensor credentials and configuration are securely encrypted, end-to-end, and that there is no way of retrieving the credentials without having the private key file that is registered with the Service Shell.
If you plan on deploying a large number of sensors and locations, then you should plan your deployment carefully. Currently, to enable deploying the same sensor configurations to multiple locations, you must install the same private key file alongside each Secure Service location. This securely enables sensor configuration sharing across different Service Shell locations. If the deployed sensor locations have different public-private key-pairs, then administrators will need to supply sensor credentials for each assignment of a sensor to a location.
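The key-pair model described above, as an added sketch that is not Exoprise code: the server records only each location's public key, and a credential blob encrypted for one location opens only where the matching private key file is installed. The page does not say which algorithm CloudReady uses; RSA-OAEP via Node's built-in crypto module, the names installLocation, CloudServer, openAssignment and demo, and the sample credentials are all assumptions.

```javascript
// Added illustration, not Exoprise code. RSA-OAEP and every name here are assumptions.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// A Service Shell location. Passing an existing location as `shareFrom` models
// installing the same private key file at a second location.
function installLocation(name, shareFrom) {
  const keys = shareFrom || crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey: keys.publicKey, privateKey: keys.privateKey };
}

// Server side: records public keys only, so it can encrypt but never decrypt.
class CloudServer {
  constructor() { this.publicKeys = new Map(); }
  register(location) { this.publicKeys.set(location.name, location.publicKey); }
  assign(credentials, locationName) {
    const key = this.publicKeys.get(locationName);
    if (!key) throw new Error(`location not registered: ${locationName}`);
    const plaintext = Buffer.from(JSON.stringify(credentials), 'utf8');
    return crypto.publicEncrypt({ key, ...OAEP }, plaintext);
  }
}

// Location side: returns the credentials, or null when the blob was not
// encrypted to this location's key pair.
function openAssignment(location, blob) {
  try {
    const plaintext = crypto.privateDecrypt({ key: location.privateKey, ...OAEP }, blob);
    return JSON.parse(plaintext.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data: three locations, one sensor credential.
function demo() {
  const server = new CloudServer();
  const nyc = installLocation('nyc');
  const london = installLocation('london');      // its own key pair
  const boston = installLocation('boston', nyc); // shares nyc's private key file
  [nyc, london, boston].forEach((loc) => server.register(loc));
  const blob = server.assign({ user: 'sensor@example.com', password: 'constructed-secret' }, 'nyc');
  return {
    nyc: openAssignment(nyc, blob),
    boston: openAssignment(boston, blob), // same key pair: decrypts
    london: openAssignment(london, blob), // different key pair: null, needs its own assignment
  };
}

console.log(demo());
```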
For administrators who would like to use Electronic Software Deployment (ESD) tools such as SCCM, BigFix or Altiris to deploy the Secure Service Shell, you can use the bulk deployment page to retrieve a set of Join keys and download the Service Shell installer.
The Service Shell installer is a standard .exe installer that can be packaged, supports silent installs and takes a number of command line arguments as defined here:
Join keys enable a secure initial registration during the installation of a Secure Service Shell location. During installation of the shell location, it passes the join key to CloudReady and validates that the location is accurate.