Backup and Restore
For CipherTrust Intelligent Protection GuardPoints, CTE creates metadata files in each GuardPoint directory. These metadata (UUID) files contain the unique identifier, tag and other important information. These metadata files are required for successful backup and restoration.
Because of these files, you need to perform additional steps when performing backup and restore operations for CipherTrust Intelligent Protection GuardPoints.
Note
For NAS (NFS/SMB/CIFS) Storage, there are no UUID files within the guard path.
The CIP metadata is stored in the file header instead of the UUID.
The metadata is backed up with data files during the data backup.
Thales recommends that you perform a full backup before you begin a remediation scan.
Refer to Backup and Restore Support Matrix for supported scenarios.
Configuring Client Settings
For certain processes to access data, the user's associated identity must be authorized. You can set up this authorization by adding an entry in the Settings field on the Client Settings tab. This entry specifies a program, with a keyword, that indicates the type of authorization that is applied.
In the Settings field, you can specify which authentication mechanisms are in place for specific binaries on the client machine. Each line follows the format:
|behavior|/path/to/binary
To successfully back up and restore the UUID files, which hold unique identifiers for the metadata server, CTE remediation requires an additional setting in the client settings to authorize access to the UUID files that are copied along with the data files.
You must create a client-setting entry for the admin, followed by the process name used for backup and restore.
To specify the settings:
Open the Transparent Encryption application.
Under Client Name, select the desired client.
Click the Client Settings tab.
For the behavior, type:
|tag_admin|
For the path to the binary, enter the path to the process used for backup and restore. For example:
|tag_admin|C:\Users\Administrator\Downloads\xcopy.exe
|tag_admin|/usr/bin/tar
|tag_admin|/usr/bin/cp
|tag_admin|/usr/bin/rsync
The admin is now permitted to backup and restore the entire remediation-based GuardPoint directory.
Note
|tag_admin|
settings are only applicable to the following:
Standard Policy on Linux and Windows.
LDT over Linux Local Storage only.
The client settings are not required for NAS (NFS/SMB/CIFS) Storage.
Backing up Remediation GuardPoints
Make sure that the backup process is added to the Policy with a Permit Effect. This ensures that backups are encrypted.
Perform a backup on a GuardPoint.
Note
These steps are applicable for both Local and NAS (NFS/SMB/CIFS) Storage.
Restoring Remediation GuardPoints
No configuration changes are required for client settings and policies. To perform a restore operation:
Disable the GuardPoint before performing a restore operation.
Perform the restore on the GuardPoint.
Enable the GuardPoint after a successful restore.
Note
These steps are applicable for both Local and NAS (NFS/SMB/CIFS) Storage.
Backing up and Restoring with LDT During Remediation
When taking a backup while running LDT with Remediation:
Customers MUST suspend LDT before taking a backup. Refer to the LDT guide for more information.
Do not take a backup during the initial remediation scan. Wait until the status on the GuardPoint is OK before taking a backup.
In LDT, paths are relative. However, after guarding, use the absolute pathname when performing backup and restore operations with Remediation.
When performing a restore operation while running LDT with Remediation:
- Disable the GuardPoint before performing a restore operation.
Note
These steps are applicable for both Local and NAS (NFS/SMB/CIFS) Storage.
Configuring NetBackup for use with CIP
When using Veritas NetBackup to back up and restore your system, you must disable the following option to ensure that all sensitive files are backed up properly:
Click on Client Attributes in the Properties navigation menu.
Click Windows Open File Backup.
Ensure that Enable Windows Open File Backups for this Client is NOT selected.
Backup and Restore Support Matrix
The following table describes supported backup and restore operations for CipherTrust Intelligent Protection GuardPoints:
Backup/Restore Operations | Supported |
---|---|
CIFS Shares | Supported. Local Storage and SMB/CIFS. |
Crash recovery: for a standard or LDT policy | Supported. Upon recovery, remediation starts again, from the beginning. |
Data when Remediation is in progress | Not supported. |
Data when LDT re-key is in-progress | Supported. |
GuardPoint (includes remediated files): Complete GuardPoint | Supported. |
GuardPoint: File(s) only | Supported for NAS (NFS/SMB/CIFS) Storage only. |
GuardPoint changes | Not supported. |
Lazy rekey | Supported. |
Mount/ Map point changes during remediation | Not supported. Local storage only. |
Partially remediated files | Not supported. |
Recover/ restore files orphaned in a GuardPoint so that remediation can continue on files where remediation was interrupted. | Not supported. Remediation will start over again after a crash. |
Renaming GuardPoint directories after remediation has started. | Not supported. If you change a directory name, run the remediation scan again. |
Shadow copies before remediation | Not supported. |
Single Files | Supported. |
Soft delete: Windows (delete and restore from recycle bin) | Supported. |
Sub-Directory: Complete Sub-Directory | Supported. |
Sub-Directory: File(s) only | Supported. |
Tested B/R tools: Linux (Use the following flags to preserve the metadata information along with the data backup.) cp Use --preserve=all option Rsync Use the -vapXIWP --inplace option tar Use the '--xattrs option NetBackup | Supported. Note: You must disable the GuardPoint prior to backing up and restoring. |
Tested B/R tools: Windows • Robocopy • Xcopy • NetBackup | Supported. Note: You must disable the GuardPoint prior to backing up and restoring. |
UUID stays with files during B/R | Supported for Local Storage only. |