BigFix has added Message Level Encryption (MLE) to its 7.1 platform release to allow your BigFix Clients to encrypt upstream data so that no data originating from the BigFix Client will be readable on the network. Upstream data from the BigFix Client can include Fixlet/Task/Baseline relevance, action statuses, retrieved properties and/or analyses, and files sent via the BigFix Upload Manager. This capability is useful for improving security when an organization has BigFix Clients reporting across potentially insecure networks, including the Internet. MLE does not affect actions taken from the BigFix Console or Fixlets that are already protected by digital signatures.

There are three levels of encryption that can be enabled per client through BigFix Client Settings:


REQUIRED: Client requires encryption of reports and uploads. The client will not report or upload files if it cannot find an encryption certificate or if its parent relay does not support receipt of encrypted documents (that is, the relay is running a BES/TEM version earlier than 7.1.1.315).

Note: This encryption level setting should only be used if necessary as incorrect configuration can lead to significant reporting issues and orphaned clients. For example, if encryption is disabled in BigFix Admin, any clients configured to require MLE would no longer be able to report.

OPTIONAL: Client prefers but does not require encryption of reports and uploads. If encryption cannot be performed, reports and uploads are sent in clear-text. This setting will improve security while encryption is enabled, but will allow clients to continue to report should encryption be unavailable for any reason.

NONE: Client does not encrypt reports or uploads, even if an encryption certificate is present.
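The following is an added example, not BigFix code, that models the three levels above and the parent-relay version prerequisite as a decision function, plus a pre-flight check you can run against inventory data before deploying REQUIRED (the level the note above warns can orphan clients). The level names and the minimum version 7.1.1.315 are from this page; the function names, the treatment of "encryption disabled in BigFix Admin" as "no certificate available", and the sample fleet (names and relay versions) are constructed for illustration.

```python
"""Model of the three BigFix MLE client encryption levels and the relay prerequisite.

Added example, not BigFix code. Level names REQUIRED/OPTIONAL/NONE and the
minimum version 7.1.1.315 come from the page; the function names and the
sample fleet below are constructed for illustration.
"""

# Minimum server/relay version that can receive encrypted client documents (from the page).
MIN_MLE_VERSION = (7, 1, 1, 315)

ENCRYPTED = "encrypted"
CLEARTEXT = "cleartext"
NOT_SENT = "not sent"


def parse_version(text):
    """Turn a dotted version string such as '7.1.1.315' into a 4-tuple of ints.

    Missing trailing components are padded with zeros, so '7.1.1' sorts
    before '7.1.1.315', matching the "version less than 7.1.1.315" wording.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def relay_accepts_encrypted(relay_version):
    """True when the parent relay (or server) is at least 7.1.1.315."""
    return parse_version(relay_version) >= MIN_MLE_VERSION


def report_outcome(level, cert_available, relay_version):
    """What happens to a client's upstream report under a given encryption level.

    cert_available models whether the client can find an encryption
    certificate; the page's note about disabling encryption in BigFix Admin
    is modelled here as cert_available=False for the affected clients
    (a modelling assumption, not a statement about product internals).
    """
    level = level.strip().upper()
    can_encrypt = cert_available and relay_accepts_encrypted(relay_version)
    if level == "REQUIRED":
        return ENCRYPTED if can_encrypt else NOT_SENT
    if level == "OPTIONAL":
        return ENCRYPTED if can_encrypt else CLEARTEXT
    if level == "NONE":
        return CLEARTEXT
    raise ValueError("unknown encryption level: %r" % level)


def preflight(fleet, cert_available=True):
    """Return the names of clients that would stop reporting under their configured level.

    fleet is an iterable of (client_name, level, parent_relay_version).
    Run this kind of check against real inventory data before deploying
    REQUIRED, which is the level the page warns can orphan clients.
    """
    return [
        name
        for name, level, relay_version in fleet
        if report_outcome(level, cert_available, relay_version) == NOT_SENT
    ]


# Constructed sample inventory: client names and relay versions are illustrative only.
SAMPLE_FLEET = [
    ("ws-001", "REQUIRED", "7.1.1.315"),   # relay meets the minimum: encrypted
    ("ws-002", "REQUIRED", "7.1.0.420"),   # relay too old: client stops reporting
    ("ws-003", "OPTIONAL", "7.1.0.420"),   # relay too old: falls back to clear-text
    ("ws-004", "NONE", "8.2.1.1000"),      # never encrypts
]


if __name__ == "__main__":
    for name, level, relay_version in SAMPLE_FLEET:
        print(name, level, relay_version, "->", report_outcome(level, True, relay_version))
    print("would stop reporting:", preflight(SAMPLE_FLEET))
    # If encryption were later disabled in BigFix Admin, every REQUIRED client is affected:
    print("with encryption disabled:", preflight(SAMPLE_FLEET, cert_available=False))
```

The second preflight call shows why the note above matters: with the certificate gone, every REQUIRED client lands in the "not sent" bucket, while OPTIONAL clients keep reporting in clear-text.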


Requirements

To enable MLE, the BigFix infrastructure components (BigFix Server, BigFix Relay, and BigFix Clients) must be running at least version 7.1.1.315. The BigFix Server will require additional CPU resources to decrypt the encrypted client reports. BigFix Server hardware recommendations (for CPU) are as follows:

Deployment Size    CPU
250                2-3 GHz - 2 Cores
1,000              2-3 GHz - 2-4 Cores
10,000             2-3 GHz - 4 Cores
50,000             2-3 GHz - 4-8 Cores
100,000            2-3 GHz - 8-16 Cores
200,000            2-3+ GHz - 16 Cores

If your deployment is over 50,000 seats, or you are using an encryption key strength of 2048 or 4096 bits, BigFix highly recommends also configuring one or more decrypting top level BigFix Relays (with 2-4 CPU cores each) to help distribute the additional processing load.

Enabling Message Level Encryption

To enable Message Level Encryption:

  1. Run BigFix Admin, and go to the Encryption tab.
  2. Click Generate key.
  3. Select the desired key size, and click OK.

     Note: If you plan on leveraging top-level relays to decrypt incoming client data, make sure to uncheck "begin encrypting with this key" before clicking OK.

  4. Deploy the Task in the Support Site called 'BigFix Client Setting: Encrypted Reports' (Task ID 543 in BigFix Support) to enable encryption on BigFix Clients, and select one of the encryption level options.

Enabling MLE in a DSA Server Setup

To enable MLE in a DSA Server Setup:

  1. You will need to transfer the encryption key to the DSA BES Server. The key can be found on the main BigFix Server with a default location of:

    "Program Files\BigFix Enterprise\BigFix Server\Encryption Keys\SHA1HASH.pvk"

    and should be copied to the DSA BigFix Server in the same location:

    "Program Files\BigFix Enterprise\BigFix Server\Encryption Keys\SHA1HASH.pvk".
  2. Since this is a private key, BigFix recommends transferring this file securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFixAdmin.
  3. Once the encryption key has been copied to the DSA BES Server, execute BESAdmin on the DSA Server: select the "Encryption" tab, and click "Deploy key". Click "OK".

Enabling Decrypting Relays (optional)

You can enable a BigFix Relay to decrypt data and pass the decrypted data to the BigFix Server. This is a useful way to offload CPU load from the main BigFix Server to a relay, but it complicates the MLE setup (which is otherwise very simple). Additionally, information between the decrypting relay and the main server will not be encrypted (which is usually not a significant problem).

Generally you will not need to use a decrypting relay unless you have many tens of thousands of agents or if your main BigFix Server CPU load is too high.

To enable a decrypting relay:

  1. You will need to transfer the encryption key to the decrypting top-level relays before enabling MLE. The key can be found on the main BigFix Server with a default location of:

    "Program Files\BigFix Enterprise\BigFix Server\Encryption Keys\SHA1HASH.pvk"

    and should be copied on the decrypting relays to:

    "Program Files\BigFix Enterprise\BigFix Relay\Encryption Keys"
  2. Since this is a private key, BigFix recommends transferring this file securely (for example, with a USB key). Should the key be exposed or compromised, a new encryption key can be generated using BigFixAdmin.
  3. Once the encryption key has been copied to all the decrypting top level BigFix Relays, click the "Enable" button in the "Encryption" tab.
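Both procedures above (the DSA server transfer and the decrypting-relay transfer) move a private key by hand, typically on removable media. The following added example, which is not BigFix tooling, shows the check a practitioner would run after that copy: compute a digest of the key file on the main server, copy it into the role-appropriate directory, and confirm the destination file is byte-identical. The two default directories and the placeholder file name SHA1HASH.pvk come from this page; the role names, helper names, the sample key bytes and the temporary-directory demo are constructed for illustration.

```python
"""Integrity check for copying the MLE private key to a DSA server or a decrypting relay.

Added example, not BigFix code. The default directories are the ones the
page gives; the placeholder file name SHA1HASH.pvk is taken from the page as
well. The role names, helper names and the sample key bytes are constructed
for this illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Default key directories from the page (the page omits the drive letter, so none is assumed here).
KEY_DIRS = {
    "dsa-server": PureWindowsPath(r"Program Files\BigFix Enterprise\BigFix Server\Encryption Keys"),
    "decrypting-relay": PureWindowsPath(r"Program Files\BigFix Enterprise\BigFix Relay\Encryption Keys"),
}


def expected_destination(role, key_filename):
    """Where the key file belongs on the target machine for the given role."""
    if role not in KEY_DIRS:
        raise ValueError("unknown role %r; expected one of %s" % (role, sorted(KEY_DIRS)))
    return KEY_DIRS[role] / key_filename


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are handled without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_and_verify(src, dst_dir):
    """Copy the key file into dst_dir and confirm the copy is byte-identical.

    Returns a dict with both digests and a 'verified' flag. Record the source
    digest before the file leaves the main server and compare it on the
    destination; a mismatch means the copy (or the removable media) was
    altered or truncated in transit.
    """
    src = Path(src)
    dst_dir = Path(dst_dir)
    dst_dir.mkdir(parents=True, exist_ok=True)
    dst = dst_dir / src.name
    shutil.copyfile(src, dst)
    # Private key: restrict the copy to its owner where the platform honours POSIX modes.
    if os.name == "posix":
        os.chmod(dst, 0o600)
    src_digest = sha256_of_file(src)
    dst_digest = sha256_of_file(dst)
    return {
        "destination": str(dst),
        "source_sha256": src_digest,
        "destination_sha256": dst_digest,
        "verified": src_digest == dst_digest,
    }


def demo(tamper=False):
    """Self-contained run in a temporary directory with a constructed fake key file.

    tamper=True simulates a truncated copy so the check is seen to fail.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "SHA1HASH.pvk"  # placeholder name from the page
        src.write_bytes(b"-----CONSTRUCTED FAKE KEY, NOT A REAL PVK-----\n" * 4)
        result = copy_and_verify(src, Path(tmp) / "Encryption Keys")
        if tamper:
            dst = Path(result["destination"])
            dst.write_bytes(dst.read_bytes()[:-1])  # drop the final byte
            result["destination_sha256"] = sha256_of_file(dst)
            result["verified"] = result["source_sha256"] == result["destination_sha256"]
        return result


if __name__ == "__main__":
    print("relay path:", expected_destination("decrypting-relay", "SHA1HASH.pvk"))
    print("good copy verified:", demo()["verified"])
    print("tampered copy verified:", demo(tamper=True)["verified"])
```

In practice the source digest is computed on the main server and carried separately from the USB key (for example, read out over the phone or pasted into the change ticket), so that the comparison on the DSA server or relay does not depend on the same media that carried the key.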