Enabling Live Data Transformation
The Live Data Transformation (LDT) feature enables the CipherTrust Manager Security Administrators to encrypt or rekey GuardPoint data without blocking the user or application access to that data.
In standard CTE deployments, data access is blocked during the initial encryption or rekeying of the data, and each rekey operation requires guarding your data under separate production and offline data transformation policies. With LDT, encryption and rekeying of the data takes place in the background using one policy, without disrupting user or application access.
Prerequisites
To use LDT, you must have the following:
CTE Agent license. The feature is called TransparentEncryption on the Licensing page.
CTE LDT add-on license. The feature is called LiveDataTransformation on the Licensing page.
CTE Agent installed on a client. Refer to the CTE Clients Guide for information about installing and registering CTE clients.
Refer to the CTE LDT Guide and the CipherTrust Manager Compatibility Matrix for information about implementing LDT and the supported platforms.
Important Notes
If the CipherTrust Manager fails, all keys that were automatically rotated after the last backup would be lost, making all data encrypted with those keys unusable or unrecoverable. Therefore, it is recommended that the LDT feature is used in a high availability CipherTrust Manager deployment.
If LDT must be used in a single CipherTrust Manager configuration, it is recommended to:
• Set "Persistent on Client" to "Yes" for all keys that are created.
• Set the password creation method to "Manual" for all clients.
• If the standalone CipherTrust Manager fails or is unavailable, the data on the client can still be accessed by entering the known passphrase. The data is accessible as the encryption keys are cached on the client.
Enable LDT
Enable the LDT support for a client either during registration or after registration with the CipherTrust Manager.
If LDT is enabled during registration, the Live Data Transformation check box appears selected by default on the CipherTrust Manager GUI.
If LDT is not enabled during registration, you can enable it on the CipherTrust Manager GUI, as described below.
To enable LDT on a client after CTE installation:
Open the CTE application.
Click Clients > Clients.
Under Client Name, click the desired client.
In the mini detail view, select Live Data Transformation.
By default, LDT performs rekey operations on the LDT protected GuardPoints as soon as GuardPoints are enabled. To pause LDT rekey operations, click the Suspend Live Data Transformation icon (). The icon changes to Resume Live Data Transformation ().
Click Apply. LDT is now enabled on the client.
After LDT has been enabled, it cannot be disabled. To remove the feature, you must migrate existing data protected under LDT policies, unregister the client, and delete the client. Then, you can reregister the client without enabling the feature. This allows you reclaim the license for use on another client.
Refer to Managing GuardPoints for details on creating LDT GuardPoints. For details about how LDT works, guidelines, and best practices for using the feature, refer to the CTE-Live Data Transformation with CipherTrust Manager.