Managing Client Encryption

Server and relay-bound communications from clients can be encrypted to prevent unauthorized access to sensitive information.

To enable it, you must generate a key and provide a value on clients for the setting named _BESClient_Report_Encryption. By default, the value for this setting is set to optional. The value is set in the console and is described in Enabling encryption on Clients.

On Windows servers, the key is generated from the Encryption tab of the BigFix Administration Tool:

  1. Launch the BigFix Administration Tool by selecting Start > Programs > BigFix > BigFix Administration Tool.
  2. Select the Encryption tab. At the top of the dialog is a statement of the current state.

Client encryption has four states: Disabled, Pending, Enabled, and Pending Rotation:

Disabled
This state indicates that no encryption certificate is included in your deployment masthead, which means that Clients cannot encrypt their reports even if they are told to do so. Click Generate Key to create an encryption certificate (and the corresponding private key, which can be used to decrypt reports at the receiving end). The state is set to Pending.
Pending
In this state, an encryption certificate has been generated and is ready for deployment, but the private key has not yet been distributed to all necessary decrypting relays and servers. When you have manually distributed the private key, click the Enable Encryption button to embed the certificate in the masthead and send it out to all clients. The state is set to Enabled. Click Cancel to return to the Disabled state.
Enabled
In this state, an encryption certificate has been found in your deployment masthead, which means that you are able to turn on encryption (using the setting discussed previously) for any of the clients in your deployment. At any time, you can click Generate new key to create a new encryption certificate. This is useful if you have a key rotation policy or if your encryption key is ever compromised (see next section). Generating a new key returns the state to Pending (unless you choose to deploy immediately as described in the next section). You can also click Disable to move back to the Disabled state.
Pending Rotation
In this state, an encryption certificate is included in your deployment masthead, and a new certificate has been generated and is ready to replace the existing certificate.

On Linux servers, you can encrypt clients by completing the following steps as super user:

  1. Generate the key:
    ./BESAdmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=yes \
      -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>
  2. Activate the key:
    ./BESAdmin.sh -reportencryption -enablekey -sitePvkLocation=<path+license.pvk> \
      -sitePvkPassword=<password>

To list all the available options, run:

    ./BESAdmin.sh -reportencryption -h
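
The two Linux steps above wrapped in a POSIX shell script, as an added example that is not part of the original page or the product: it prompts for the site key password instead of having it typed on the command line (which keeps it out of shell history) and activates the key only if generation succeeded. The BESADMIN path, the function names and the file-permission check are assumptions.

```sh
#!/bin/sh
# Added example, not vendor code. BESADMIN is an assumed path to BESAdmin.sh.
BESADMIN="${BESADMIN:-./BESAdmin.sh}"

# Refuse a site key file that is missing or accessible to group/others.
check_pvk() {
    [ -f "$1" ] || { echo "site key not found: $1" >&2; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "site key must not be accessible to group/others: $1" >&2; return 1; }
}

# Read the password from stdin; on a terminal, turn echo off while typing.
read_password() {
    if [ -t 0 ]; then
        printf 'Site key password: ' >&2
        trap 'stty echo; exit 1' INT TERM
        stty -echo; IFS= read -r pw; stty echo
        trap - INT TERM
        echo >&2
    else
        IFS= read -r pw
    fi
    printf '%s' "$pw"
}

# Run step 1 (generate) and, only if it succeeds, step 2 (activate).
# The flags are the ones shown on this page; the password is still passed as
# an argument, so it is visible in the process list while BESAdmin.sh runs.
encrypt_reports() {
    pvk=$1
    check_pvk "$pvk" || return 1
    pw=$(read_password)
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    "$BESADMIN" -reportencryption -generatekey -privateKeySize=max -deploynow=yes \
        "-sitePvkLocation=$pvk" "-sitePvkPassword=$pw" ||
        { echo "key generation failed; key not activated" >&2; return 1; }
    "$BESADMIN" -reportencryption -enablekey \
        "-sitePvkLocation=$pvk" "-sitePvkPassword=$pw"
}

# Usage (hypothetical file name): sh encrypt_reports.sh /path/to/license.pvk
if [ "$#" -eq 1 ]; then encrypt_reports "$1"; fi
```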