Message Level Encryption (MLE) Overview
Message Level Encryption (MLE) allows your Clients to encrypt upstream data using a combination of an RSA public/private key-pair and an AES session key.
The RSA key-pair can be of 2048- or 4096-bit key length, with longer keys offering additional security, but requiring more processing power for decryption at the server. The AES session key uses the maximum FIPS-recommended length of 256 bits. You can configure your Relays to reduce the load on the Server by decrypting and repackaging the Client data before relaying it.
The RSA public key encrypts the session key and adds it to the AES-encrypted report. At the BigFix Server (or a decrypting Relay) the corresponding RSA private key is used to decrypt the AES session key, which is then used to decrypt the Client report.
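The envelope scheme just described, written out as an added example that is not BigFix's own code: the client wraps a fresh per-report AES-256 session key with the server's RSA public key, and the server or decrypting relay unwraps it with the private key before decrypting the report. RSA-OAEP, AES-GCM and the Envelope layout are assumptions made for this example; the page does not state which padding, cipher mode or report format BigFix actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope models an MLE-style encrypted report: the AES-256 session key wrapped with the server's
// RSA public key, carried with the AES-encrypted body. OAEP, GCM and this layout are the example's assumptions.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the 32-byte session key
	Nonce      []byte // AES-GCM nonce, fresh for every report
	Ciphertext []byte // AES-256-GCM ciphertext of the report, auth tag appended
}

// sessionAEAD builds AES-256-GCM for a 32-byte key; the constructors cannot fail for that size.
func sessionAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptReport is the client side: fresh session key, AES-GCM the report, RSA-wrap the key.
func EncryptReport(pub *rsa.PublicKey, report []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit session key (the FIPS maximum noted above) + 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, sessionAEAD(key).Seal(nil, nonce, report, nil)}, nil
}

// DecryptReport is the server or decrypting-relay side: only the RSA private key holder
// can unwrap the session key, and GCM rejects any report body that was tampered with.
func DecryptReport(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 { // reject a wrapped key that is not 256 bits before using it
		return nil, errors.New("unwrapped session key is not 256 bits")
	}
	return sessionAEAD(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```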
There are three levels of report encryption:
- Required
- Clients require encryption of reports and uploads. The client does not report or upload files if it cannot find an encryption certificate or if its parent relay does not support receipt of encrypted documents.
- Optional
- Clients prefer, but do not require encryption of reports and uploads. If encryption cannot be performed, reports and uploads are done in clear-text.
- None
- Clients do not encrypt, even if an encryption certificate is present.
For more information about how to set encryption on Clients, see Enabling encryption on Clients.
Requirements
To enable MLE, the BigFix Server requires additional CPU resources to process the encrypted client reports. Server hardware recommendations (for CPU) are as follows:
| Deployment Size | CPU |
| --- | --- |
| 250 | 2-3 GHz - 2 Cores |
| 1,000 | 2-3 GHz - 2-4 Cores |
| 10,000 | 2-3 GHz - 4 Cores |
| 50,000 | 2-3 GHz - 4-8 Cores |
| 100,000 | 2-3 GHz - 8-16 Cores |
| 200,000 | 2-3+ GHz - 16 Cores |
If your deployment is over 50,000 seats, or you are using an encryption key strength of 2048 or 4096 bits, BigFix highly recommends also configuring one or more decrypting top level Relays (with 2-4 CPU cores each) to help distribute the additional processing load.
Enabling Message Level Encryption
Windows Server:
- Managing Client Encryption.
- Generating a new encryption key
Note: If you plan on leveraging top-level relays to decrypt incoming client data, make sure to uncheck "begin encrypting with this key" before clicking OK.
- Deploy the Task in the Support Site called 'BigFix Client Setting: Encrypted Reports' (Task ID 543 in BigFix Support) to enable encryption on Clients, and select one of the encryption level options; or enable encryption by adding a custom setting.
Linux Server:
To enable Message Level Encryption on Linux, run the following steps as super user:
- Generate the key:
  ./BESAdmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no -outkeypath=<path> -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
- Activate the key:
  ./BESAdmin.sh -reportencryption -enablekey -deploynow=yes -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
Note: Step 2 is not necessary when running step 1 using the option -deploynow=yes.
To display the available options:
./BESAdmin.sh -reportencryption -h
To disable Message Level Encryption:
./BESAdmin.sh -reportencryption -disable -sitePvkLocation=/tmp/license.pvk
After the first run, the encryption goes into a Pending state. To definitively disable it, run the same command again.
Enabling MLE in a DSA Server Setup
To enable a MLE in a DSA Server Setup:
- You will need to transfer the encryption key to the DSA BES Server. For more information, see Message Level Encryption and DSA. Transferring of the encryption key file must be done securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFix Admin.
- Once the encryption key has been copied to the DSA BES Server, execute BESAdmin on the DSA Server: select the Encryption tab, and click Deploy key.
- Click OK.
Enabling Decrypting Relays (Optional)
You can enable a Relay to decrypt data and pass the decrypted data to the Server. This is a useful way to offload CPU load from the main Server to a relay, but it complicates the MLE setup (which is otherwise very simple). Additionally, when a decrypting relay is used with MLE, the relay decrypts all the client reports, then re-encrypts them as a single payload and forwards it to the core server.
Generally you will not need to use a decrypting relay unless you have many tens of thousands of agents or if your main Server CPU load is too high.
For more information about decrypting relays, see Creating top-level decrypting relays.
To enable a decrypting relay:
- You will need to transfer the encryption key to the decrypting top-level relays before enabling MLE. The key can be found on the main Server with a default location of:
  "Program Files\BigFix Enterprise\BigFix Server\Encryption Keys\SHA1HASH.pvk"
  and should be copied on the decrypting relays to:
  "Program Files\BigFix Enterprise\BigFix Relay\Encryption Keys"
- Since this is a private key, BigFix recommends transferring this file securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFix Admin.
- Once the encryption key has been copied to all the decrypting top level Relays, click the Enable button in the Encryption tab.