Creating Standard GuardPoints
Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.
Creating Standard GuardPoints on Local Paths
To create a GuardPoint:
Open the Transparent Encryption application.
Select the client or client group on which you want to create a GuardPoint.
Click a client under the Client Name column (Clients > Clients).
Click a client group under the Client Group Name column (Clients > Client Groups).
On the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select next to the Policy field.
Select a Standard policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select the Type of device to protect. This is a mandatory field. Depending on the platform, the options for a Standard policy are:
Type Windows Linux Description Auto Directory Yes Yes Select for file system directories. Manual Directory No Yes Select for file system directories to be guarded manually. Auto Raw or Block Device Yes Yes Select for standard policies for raw (block) devices. Manual Raw or Block Device No Yes Select for standard policies for raw (block) devices to be guarded manually. Note
Manual Directory and Manual Raw or Block Device are guarded and unguarded (for example, mounted and unmounted) by running the
secfsd -guard
andsecfsd -unguard
commands. Do not run themount
andumount
commands to swap GuardPoint nodes in a cluster configuration.Note
Access Rules to Apply for Raw/Block Devices
When creating a GuardPoint on a raw/block device, ensure that the policy contains a signature set for the following system processes that require access to the guarded devices:
/usr/lib/systemd/systemd-udevd /sbin/dmsetup
Adjust the above paths as per their location on the file server. On newer systems (for example, RHEL 9.4, SLES 15SP6, and Ubuntu 22.04), include the following paths.
/usr/bin/udevadm /usr/sbin/dmsetup
Failure to include the above two processes in the policy might cause the GuardPoint creation to fail with the error
Does not exist
.Note
Access Rules to Apply for Raw/Block Devices
When creating a GuardPoint on a raw/block device, ensure that the policy contains a signature set for the following system processes that require access to the guarded devices:
/usr/lib/systemd/systemd-udevd /sbin/dmsetup
Adjust the above paths as per their location on the file server. Failure to include these two processes in the policy might cause the GuardPoint creation to fail with the error
Does not exist
.Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter the GuardPoint paths by either typing or clicking the Browse button.
Note
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
Click Browse to select a path by browsing the client file system. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen file system browser.
Click Add.
Manual Method
Alternatively, if you know the path, manually enter full paths of one or more directories in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
If a manually entered path does not yet exist, be sure to enter the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
If multiple paths are specified, they will all be protected by the same policy.
A maximum of 1000 GuardPaths per CSV file can be uploaded.
(Optional, Linux only) Select Auto Mount to specify an automount path. For a regular (non-auto) mount path, make sure that the check box is clear.
(Optional, Windows only) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
(Optional, Windows only). Select Multifactor Authentication Refer to Multifactor Authentication for details.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
In the Search Local Path field, specify a starting path and click Refresh or select from the on-screen browser.
Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
Click OK.
Click No if you do not want to use the same settings on another path.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
GuardPoint Status Information
When you add multiple paths to a GuardPoint:
If the GuardPoint is created successfully for all paths, a message is displayed at the top right corner of the screen.
If the GuardPoint creation failed for all paths, an error message is displayed stating that none of the GuardPoints could be created. Fix the issues and retry for failed GuardPoints.
If the GuardPoint is disabled or failed for at least one of the paths (for example, when a path is already guarded), an error message is displayed stating that some of the GuardPoints could not be created. Fix the issues and retry for failed GuardPoints.
The message shows the number of created and failed GuardPoints. The list of failed GuardPaths with their respective failure reasons is also displayed.
To download the CSV file with the list of failed GuardPoints, click the Save Error Details link at the top of the error message.
When you add only one path, and the GuardPoint for that path fails, then an error message is displayed stating the reason of failure.
Refer to Creating Standard GuardPoints on Network Paths for information on creating Standard GuardPoints on network paths.
Creating Standard GuardPoints on Network Paths
To create a GuardPoint:
Open the Transparent Encryption application.
Click Clients > Clients. The list of registered clients is displayed.
Under Client Name, click the client on which you want to create a GuardPoint.
On the GuardPoints tab, click Create GuardPoint.
Select a Policy. This is a mandatory field.
Click Select next to the Policy field.
Select a Standard policy. If no policy exists, create one, as described in Creating Policies.
Click Select.
Select the Type of device to protect. This is a mandatory field. Depending on the platform, the options for a Standard policy are:
Type Windows Linux Description Auto Directory Yes Yes Select for file system directories. Manual Directory No Yes Select for file system directories to be guarded manually. Auto Raw or Block Device Yes Yes Select for standard policies for raw (block) devices. Manual Raw or Block Device No Yes Select for standard policies for raw (block) devices to be guarded manually. Note
Manual Directory and Manual Raw or Block Device are guarded and unguarded (for example, mounted and unmounted) by running the
secfsd -guard
andsecfsd -unguard
commands. Do not run themount
andumount
commands to swap GuardPoint nodes in a cluster configuration.Specify the Path to be protected. This is a mandatory field. Options to specify the GuardPoint paths are:
Enter/Browse Path: Select this option, and enter the GuardPoint paths by either typing or clicking the Browse button.
Note
A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
Browse Method
In the text box, type the Windows network share (in the format,
\\nas-machine-hostname\share
or\\nas-machine-ip\share
).Click Browse if you want to specify a lower-level network path. This method prevents typographical errors and verifies client availability. This is the recommended method to specify individual paths.
File system of a client that is not registered with the CipherTrust Manager cannot be browsed.
Select Network Path as the Path Type.
Specify the User Name and Password to access the desired network path on the NAS machine.
(Optional) Specify the Domain where the NAS machine exists.
In the Search Network Path field, specify a starting path and click Refresh or select from the on-screen network path browser.
Click Add.
Manual Method
Alternatively, if you know the network path, manually enter full network paths in the given text box. Enter one path per line.
Upload CSV: Select this option and click Browse to upload the CSV file containing the list of one or more directories. This is the recommended method to specify a large number of paths in one step.
Note
If a manually entered path does not yet exist, be sure to enter the path correctly. The CipherTrust Manager does not parse manually entered paths for correct syntax.
See Considerations Before Creating GuardPoints for what to be aware of before creating a GuardPoint.
If multiple paths are specified, they will all be protected by the same policy.
A maximum of 1000 GuardPaths per CSV file can be uploaded.
(Optional, Linux only) Select Auto Mount to specify an automount path. For a regular (non-auto) mount path, make sure that the check box is clear.
(Optional, Windows only) Select Secure Start to enable the Secure Start feature. By default, the check box is clear.
If you plan not to enable the Secure Start now, you can do that later, as described in Enabling Secure Start for GuardPoints.
(Optional, Windows only). Select Multifactor Authentication Refer to Multifactor Authentication for details.
Click Create. A message appears prompting to confirm the reuse of these GuardPoint settings on another path.
Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
Select Network Path as the Path Type.
Specify the following:
User Name and Password to access the desired network path on the NAS machine.
(Optional) Domain where the NAS machine exists.
In the Search Network Path field, specify a starting network path and click Refresh or select from the on-screen browser.
Click Add Path. The newly added path appears under the Paths list on the left. Similarly, add as many paths as required.
Click OK.
Click No if you do not want to use the same settings on another path.
Depending on the number of paths you add to a GuardPoint, a status information message may appear. Refer to GuardPoint Status Information for details.
The newly created GuardPoint appears on the GuardPoints tab. The status remains Unknown
until the client sends the response after processing the GuardPoint request. Click the Refresh GuardPoints icon () to view the updated status.
Status of a GuardPoint can be checked at any time on the GuardPoints tab. Refer to Viewing GuardPoint Status for details.
Refer to Creating Standard GuardPoints on Local Paths for information on creating Standard GuardPoints on local filesystem paths.