Common Scenarios
This section describes the common encryption scenarios in which paths can be encrypted using the CTE solution. Similarly, you can configure different types of policies with different combinations of policy elements to suit your requirements.
This section describes encryption using:
Different Access Privileges for Subdirectory or Different File Formats
Different Access Privileges for Combination of Users, Processes, and Resources
Prerequisites
The CipherTrust Manager is up and running. Refer to the CipherTrust Manager Deployment Guide for details.
A CTE UserSpace license is activated and installed. Refer to Licensing for details.
- The CTE UserSpace Agent is installed on client machines where data is to be protected. The client machines are running a supported platform.
Note
Policy elements can be created either in advance or when creating the policy. Refer to Creating Policy Elements for details.
User-based Access Privileges
Encrypt a local path with the following access privileges:
User set UserSet1 can encrypt/decrypt data in the GuardPoint.
User set UserSet2 can access the ciphertext data but cannot encrypt or decrypt.
All other user sets are denied access to the GuardPoint data.
Depending on the data availability (or downtime) and storage requirements in your setup, you can apply any of these policies:
Refer to Data Transformation Techniques for advantages and limitations of data transformation techniques.
Standard Production Policies
If the GuardPoint does not contain any existing data, and the data would be created after the GuardPoint is applied:
Create a standard policy. Refer to Creating Policies for details.
Apply a GuardPoint using the standard policy. Refer to Creating Standard GuardPoints for details.
Standard Dataxform Policies
If the GuardPoint already contains data, and the existing data needs to be migrated to encrypted form by using the dataxform utility:
Create a dataxform policy. Refer to Creating Policies for details.
Apply a GuardPoint using the dataxform policy. Refer to Creating Standard GuardPoints for details.
After the existing data is migrated, unguard the dataxform policy from the GuardPoint. Refer to Removing GuardPoints for details.
Create a standard policy with same key (as used by the dataxform policy in the first step). Refer to Creating Policies for details.
Now, you must run the
dataxform --rekey --gp <GuardPath>
command on the CTE Agent.Apply the GuardPoint using the standard policy created in the previous step. Refer to Creating Standard GuardPoints for details.
Process-based Access Privileges
Encrypt a local path with the following access privileges:
Process set ProcessSet1 can encrypt/decrypt data in the GuardPoint.
Process set ProcessSet2 can access the ciphertext data but cannot encrypt or decrypt.
All other process sets are denied access to the GuardPoint data.
Process-based policies are configured in exactly the same way the user-based policies are configured, as described in User-based Access Privileges. The only difference is that instead of adding user sets add process sets to the Security Rules tab of the policy.
Depending on the data availability (or downtime) and storage requirements in your setup, you can apply any of these policies:
Refer to Data Transformation Techniques for advantages and limitations of data transformation techniques.
Different Access Privileges for Subdirectory or Different File Formats
Encrypt a local path with the following access privileges:
Encrypt/decrypt only a subdirectory, subdir1, under the GuardPath.
Deny access to all other files and directories under the GuardPoint.
To achieve this use case, you need to add a resource set to the policy. In a resource set, you can provide details about the subdirectories or specific file formats that need to be handled differently under a GuardPoint.
To achieve this use case:
Create a resource set. Specify the details of the subdirectory (subdir1) in the resources. Refer to Creating Resource Sets for details.
Note
Paths specified in a resource set should be relative to the GuardPath. Do not provide absolute path for the resources.
Create the desired policy type. Make sure to add the resource set created in the previous step. This is done to enforce the desired access policy. Refer to Creating Policies for details.
Apply the GuardPoint using the policy created in the previous step. Refer to Managing GuardPoints for details.
Different Access Privileges for Combination of Users, Processes, and Resources
Encrypt a local path with the following access privileges:
Allow only the process usrbin.exe being run by User1 to encrypt/decrypt text files (*.txt) present under the GuardPath.
Deny access to all other users and processes.
To achieve this use case:
Created the required resource set. Refer to Creating Resource Sets for details.
Create the required user set. Refer to Creating User Sets for details.
Create the required process set. Refer to Creating Process Sets for details.
Create the desired policy type using the resource set, the user set, and the process set created above. Refer to Creating Policies for details.
Apply the GuardPoint using the policy created in the previous step. Refer to Managing GuardPoints for details.