ImmutaVault

Summary

RackTop BrickStor’s ImmutaVault feature is a secure virtual air gap that guarantees isolation and immutability for critical production data and provides real-time active defense against cyber threats. Vaults protect data from admin or operator abuse (insider threat, misuse of privilege to view data) by isolating the system and restricting data permissions to vault owners. Data stored in a vault is cryptographically verified, without exposing it to the user or auditor, to ensure the data’s integrity from the time of ingestion onward. Use ImmutaVault for immutable data attestation and compliance; it can also be used for cyber recovery to a clean room. For further details, read ImmutaVault Terminology.

Vault Home Page

The Vault home page provides options to create new Vaults and manage existing ones.

  1. Vault Overview - The Vault Overview provides a summary of the Vaults' statuses, displaying the number of Vaults currently in the Staging, Sealed With Contents Verified, Read-Only Views Opened statuses, etc.

  2. The Toolbar - The Toolbar provides functionality to create, filter, and export the Vault Grid.

  3. Vault Grid - The Vault Grid displays all Vault datasets on the selected appliance with varying fields depending on the selected view:

    • Actions - Contains the options to Generate Manifest, Finish Staging/Seal, Configure, Destroy a Vault, etc.

    • Vault - Displays the name of any existing Vault.

    • Owners - Displays the name(s) of the current vault owners.

    • Status - Displays the current status of any Vault.

Creating a Vault

Creating a Vault creates a new dataset with ImmutaVault and Software Encryption enabled. To create a Vault, follow the steps below.

  • Open the Vault Home Page.

  • Click Create Vault in the banner section of the Vault Home Page.

The Create Vault dialog will open.

  • Select the desired Pool and parent Dataset.

  • Enter a name into the field next to the path selection.

  • Select a Storage Profile.

  • (Optional) Enter a description.

  • (Optional) Enable SMB/NFS to access the vault’s data.

  • Click Next to continue.

  • Configure the vault’s owner using Add Owner, then searching for the user’s name.

  • (Optional) Configure a holding date in MM/DD/YYYY HH:MM AM/PM format under the Retain Until field to prevent the Vault from being deleted before the given date and time.

  • (Optional) Configure an auto-destroy date in MM/DD/YYYY HH:MM AM/PM format under the Auto-Destroy field.

    Once the Auto-Destroy date has passed, the Vault will be permanently destroyed, making the data within it inaccessible.

  • Click Next to continue.

  • (Optional) Configure the vault’s Permissions and click Next to continue.

  • (Optional) Configure quotas and reservations using the Storage Settings screen and click Next to continue.

  • (Optional) Enable/Disable or fine-tune Active Defense protection for this vault and click Next to continue.

  • (Optional) Set or configure the Data Protection policy for the vault’s auto-snapshot frequency and click Next to continue.

  • (Optional) Configure replication and click Next to continue.

  • Review the Vault configuration and click Create ImmutaVault to continue.

Managing ImmutaVaults

ImmutaVaults are managed using the Vault Home Page. Click the desired ImmutaVault to display its details page.

The Vault Details Page begins with a General overview of the Vault status. It will denote the current status of SMB and NFS on the Vault, and show the location/current storage amount on the Vault.

Further, the Vault Details Page will show the Vault’s configuration settings selected when Creating a Vault by section.

Most importantly, the Vault Details Page shows the current status of the Vault in its Manifest/Staging/Sealing Process.

Staging, Manifesting, and Sealing a Vault

ImmutaVaults default to the Staging phase when created. In this phase, the Vault’s settings and ownership are configurable via Managing ImmutaVaults.

To begin Manifest generation, staging, and sealing of a Vault, start at the Vault section of Managing ImmutaVaults.

Vault Manifest

The Vault Manifest serves as an authenticated catalog of the vault’s contents and its configuration parameters by recording file details and their respective hashes. ImmutaVault ensures the integrity of its files by hashing and signing the manifest to establish a verifiable chain of trust. Consequently, these files can be extracted from the vault and stored elsewhere, offering a permanent, standalone record of the vault’s contents, independent of the vault system.

  • The Manifest records a list of all files within the vault and their checksums.

The Manifest is automatically generated during the sealing process.

  • Creating a Manifest validates the contents before sealing.

Accessing Manifest File(s)

  • Sharing Options: Manifest file(s) are accessible for download by sharing the Vault via SMB/NFS.

Manifest output consists of the following:

.rtvault_manifest.txt - Vault manifest.

.rtvault_manifest.sha256 - Checksum of the .rtvault_manifest.txt file.

.rtvault_manifest.sig - Vault signature.

Manual Manifest Generation

To begin Manifest generation, click the Generate Manifest button in either the Vault Road Map or the Actions section; both yield the same result.

  • Click Generate.

    • Ensure the Vault name is correct and the Manifest Generation is desired.

A Vault Manifest summary will be shown on success.

  • Click OK.

  • Click Verify Contents in the Actions section to reopen and check the Vault contents at any time.

  • Click Regenerate Manifest and repeat the previous steps to regenerate the Manifest at any time before sealing the Vault.

Accessing Manifest

Access the manifest’s information at any time by navigating back to the Vault’s Details page.

The following fields are presented:

  • Manifest Signed - Shows the date of the Manifest’s last signing.

  • Manifest Hash - Displays the Hash string for the Manifest. It can be copied to the system clipboard by clicking the Copy icon immediately to the right of the Hash.

  • Manifest Name - Displays the named .txt file of the Manifest.

  • Task Initiator - Displays the Username of the user who initiated the Manifest Generation. Further details of the user can be displayed by clicking the displayed Username.

  • Task Started - Displays the date/time of the Manifest Generation’s initiation.

  • Task Completed - Displays the date/time of the Manifest Generation’s completion.
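
Added example (not RackTop's code): an offline check of a downloaded .rtvault_manifest.txt against its .rtvault_manifest.sha256 sidecar and against the Manifest Hash copied from the Details page. It assumes the sidecar is text holding one SHA-256 hex digest and that the Manifest Hash shown in the UI is that same digest; this page documents neither format. The .rtvault_manifest.sig file is not checked, because its format and verification key are not described here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large manifest is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def read_recorded_digest(sidecar):
    """Return the one SHA-256 hex digest found in the sidecar, lowercased.
    ASSUMPTION: the sidecar is text (bare digest, or sha256sum/BSD style).
    Zero or several distinct digests is treated as an error, not a pass."""
    text = Path(sidecar).read_text(encoding="utf-8", errors="replace")
    found = {m.lower() for m in HEX64.findall(text)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    return found.pop()

def verify_manifest(manifest, sidecar, ui_hash=None):
    """Compare the computed digest with the sidecar and, optionally, the UI hash."""
    actual = sha256_file(manifest)
    result = {"actual": actual, "sidecar_ok": actual == read_recorded_digest(sidecar)}
    if ui_hash is not None:
        result["ui_ok"] = actual == ui_hash.strip().lower()
    return result

def demo():
    """Constructed sample files: an intact manifest, then the same file altered."""
    with tempfile.TemporaryDirectory() as d:
        manifest = Path(d, ".rtvault_manifest.txt")
        sidecar = Path(d, ".rtvault_manifest.sha256")
        manifest.write_bytes(b"constructed manifest body, not real vault output\n")
        digest = sha256_file(manifest)
        sidecar.write_text(f"{digest}  .rtvault_manifest.txt\n")
        intact = verify_manifest(manifest, sidecar, ui_hash=digest.upper())
        manifest.write_bytes(b"constructed manifest body, altered after export\n")
        altered = verify_manifest(manifest, sidecar, ui_hash=digest)
        return intact, altered

if __name__ == "__main__":
    print(demo())
```

Comparing against the hash copied from the Details page matters because the .txt and .sha256 files travel together over the same share; a matching sidecar alone only shows the pair is self-consistent.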

Verifying Manifest Contents

  • Clicking Verify Contents will begin verification of Manifest contents against the Vault.

  • A window to confirm verification will appear; click Verify.

  • An overview of the verification will present, as well as a time stamp denoting the most recent Manifest verification.

Finish Staging/Seal Vault

Sealing a Vault is an irreversible process. Once data is sealed in a Vault, it can no longer be changed. All Snapshots will be destroyed when the Vault is sealed. The dataset will be unshared and moved out of production when sealed.

  • Once ready, click the empty text field and type Seal to confirm the sealing process.

  • Click Finish Staging/Seal Vault.

  • The vault has now been sealed.

Managing a Sealed Vault

Once a Vault has been sealed, there are a few new options present to manage the vault.

After successfully sealing a vault, or when clicking on an already sealed vault from the Vault Home Page, the sealed Vault details will present.

Here, the choice can be made to create a Read-Only View of the Vault.

  • To do so, begin by clicking Create View on the Vault Road Map.

  • To enable NFS or SMB on the View, click their respective Sliders.

  • Here, options are available to change the share name, set allowed users, configure connectivity by IP, and set auto-close timing (defaults to never auto-close).

  • Once the desired settings are configured, click Create Read-Only View.

  • The read-only view will be created, and shown on the sealed Vault details page:

  • To view the read-only Vault dataset, click Open Dataset.

  • The Sealed Vault settings will now display showing the Vault’s configuration.

  • To close the read-only view of the sealed Vault, click Close View.

  • At the bottom of the screen, a list of buttons that allow further management of the sealed Vault is present:

    • Verify Contents - To verify Vault contents, simply click Verify Contents, click Verify, then click OK.

    • Create View - Follows the same operative use-case as explained above.

    • Export Vault - Allows for Vault content export to a new dataset:

      • To export the Vault, click the Export Vault button.

A thick copy is an exact duplicate of the vault’s contents. It is NOT a clone that references a snapshot, and is now its own source.

  • Configure the exported dataset name, then click Export.

  • A prompt denoting success will be presented.

    • Configure - Allows for administrative configuration of the sealed Vault.

  • To configure the sealed Vault, click Configure.

  • The options to change the Vault name and ownership are available, as well as the option to set Retain Until/Auto-Destroy dates.

  • Once configured, click Apply.

    • Destroy Vault - Completely destroy the Vault and all of its data.

  • To destroy the sealed Vault, click Destroy Vault.

Destroying a vault is an irreversible action. The dataset and all snapshots will be irrecoverably destroyed.

  • Once ready, click the empty text field and type destroy VAULT NAME.

  • Finally, click Destroy Dataset.

ImmutaVault Terminology

Active Airgap

Through RackTop’s patent-pending technology, data is protected to the same level as a physical air-gap without the need for disconnecting network cables or separate systems.

Privileged User Protection

ImmutaVaults are protected from admin or operator abuse (insider threat, misuse of privilege to view data) and accidental destruction through a patent-pending isolation system which ensures that vaulted data is only accessible to its owners.

Common Protocols

An ImmutaVault in the staging phase can ingest data from any NFS or SMB file share. RackTop’s ImmutaVault can also instantly convert production data into a vault without copying it to a new system.

One Way & Permanent

An ImmutaVault is protected from insider and outsider threats after it is sealed by preventing any further modifications to the data.

Policy Driven

Each ImmutaVault can have unique owners and be configured to match any type of regulatory or security compliance requirement.