Upgrade Air Gapped Secure Endpoint Private Cloud Using USB Mass Storage Device

Introduction

This document describes step-by-step guide on how to upgrade software on Secure Endpoint Private cloud using USB mass storage.

Problem

In highly secure environments, air-gapped appliances are critical for protecting sensitive data and systems from external threats. These appliances operate without any network connection, ensuring that there is no direct or indirect communication with untrusted networks. While this isolation provides exceptional security, it also introduces significant challenges when it comes to maintaining and updating software of the appliance.

The primary problem lies in effectively and securely upgrading air-gapped appliances without compromising their isolated status or security posture. Traditional update methods, which often rely on network connectivity, are not applicable in these scenarios. Consequently, organizations must find alternative methods to deliver updates, ensure compliance with security standards, and minimize downtime during the upgrade process.

Addressing these challenges requires a well-defined, secure, and efficient update mechanism tailored to the unique constraints of air-gapped environments. In this context, the updates via USB mass storage presents a viable solution that can enhance the manageability and security of upgrading air-gapped appliances.

Solution

1. Download amp-sync application from OPadmin portal > Operations > Update Device > Download amp-sync.

Tip: If you see this message: "This Private Cloud device includes a Protect DB snapshot. It is recommended to run amp-sync with the -X and -M 20230821-1604 options to save bandwidth" add these attributes to the end of the amp-sync command, for example amp-sync all -X -M 20230821-1604.

2. Copy amp-sync to Linux-based machine and add executable privileges. Place it in the folder you have enough space (over 300 GB for whole database).

3. There are two options to run amp-sync:

a. as a main process:

amp-sync all

b. in background:

nohup amp-sync all &

to allow it to run even if SSH session gets disconnected. This is useful if whole download process takes multiple hours. You can peek into the current status with the command:

tail -f nohup.out

4. Copy ISO image to the computer where you have your USB mass storage attached.

5. Copy ISO image to USB storage.

Caution: USB mass storage must be formatted in ext2, ext3, ext4 or XFS format. exFAT and NTFS is not supported. FAT32 whereas supported on both platforms has limitation that a file cannot be larger than 4 GB.

6. Safely detatch USB mass storage and plug it into Private Cloud Appliance.

7. Mount USB mass storage and copy ISO file to /data/mount folder:

mkdir /mnt/usb
mount /dev/sdd1 /mnt/usb
cp /mnt/usb/PrivateCloud-4.2.1-Updates-2024-08-30-NOSNAP-D20230821-1604-prod.iso /data/mount

8. Go to OPadmin > Operations > Mount ISO.

9. Select Mount Type as Local, Local Directory as /data/mount and Local ISO File as the name of the file in that Local Directory folder, for example:

10. Click Mount and monitor Mount Status updates. If ISO was successfully mounted you can see similar output:

11. Go to OPadmin > Operations > Update Device and click Check Update ISO and then Update Content or/and Update Software.