Unique to Client Keys
CTE on the CipherTrust Manager supports Unique to Client keys.
On the Data Security Manager (DSM), this feature is known as Unique to Host keys.
A key is made unique to a client by using a token stored with the client record on the CipherTrust Manager. Unique to client keys provide greater security because a key compromised on one client does not compromise the keys on other clients.
Properties
Unique to client keys are stored on the client for offline use. These keys are downloaded to the client and stored encrypted under the client password.
When the key is needed, it is decrypted and cached. If the client goes offline and is disconnected from the CipherTrust Manager, the current policy remains in effect because the encryption key is locally available in the system cache.
If the CTE Agent cannot connect to the CipherTrust Manager after a reboot, any attempt to access the contents of an encrypted file on the unconnected client does not complete. The application hangs until the CTE Agent client password is entered in another terminal window, and resumes execution after the password is provided.
The key can also be re-established after a reboot, without access to the CipherTrust Manager, using the client password. You can specify the client password using the "vmsec passwd" utility, or display the challenge string in challenge-response client deployments using the "vmsec challenge" utility.
These keys are used for locally attached devices, as files encrypted by them can be read by only one client. Therefore, do not use the "Persistent with Client" feature with "Unique to Client" keys in situations where data may be shared by multiple clients, such as a clustered environment or any environment that uses client mirroring.
Creating Unique to Client Keys
A unique to client key can be created when adding key rules during policy creation or on the Keys page of the CipherTrust Manager GUI, as described below.
To create a unique to client key:
Log on to the CipherTrust Manager with a user having permissions to manage CTE keys.
In the left pane, click Keys.
Create a key for use with CTE.
Tip
When creating the key, make sure to select the Unique to Client check box under the CTE Property section.
For a unique to client key, the Persistent on Client check box is selected automatically, and is non-editable. The key will be downloaded and stored (in an encrypted form) in persistent memory on the client. This can be used in the event that a connection to the CipherTrust Manager is unreliable.
Refer to Creating a New Key for detailed instructions on creating a CTE key.
Limitation
A unique to client key has different key values on different clients. If the key is used on a file system shared by several clients, it causes data corruption.
Therefore, do not use a unique to client key to protect network shares. For example, when securing a CIFS path using an LDT communication group, the CIFS path should not be guarded with a policy that has a Unique to Client key.
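The following is an added, illustrative model of the two properties described under Properties and Limitation: a key made unique to a client via a token in the client record, and that key cached on the client encrypted under the client password for offline use. It is not CTE or CipherTrust Manager code and does not claim to reproduce the product's actual scheme; the use of HKDF-SHA256 for the per-client derivation, PBKDF2-HMAC-SHA256 for the password-derived wrapping key, and the blob layout are all assumptions made for this example. It also shows why the Limitation holds: the same base key yields different key values on clients with different tokens.

```python
"""Illustrative model of unique-to-client keys (added example; not CTE product code).

Assumptions (not from the page): the per-client key is derived with HKDF-SHA256
from a base key and the client's token; offline storage wraps the key under a
PBKDF2-HMAC-SHA256 password-derived key and protects it with an HMAC tag.
"""
import hashlib
import hmac
import os

KEY_LEN = 32              # 256-bit data-encryption key
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_client_key(base_key: bytes, client_token: bytes) -> bytes:
    """Bind a key to one client using the token held in that client's record.

    Different tokens give unrelated key values, so a key compromised on one
    client says nothing about another client's key, and a file encrypted on one
    client cannot be read by another (the data-corruption limitation on shares).
    """
    return hkdf_sha256(base_key, client_token, b"unique-to-client (assumed label)", KEY_LEN)


def _password_material(client_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a one-time mask and an HMAC key from the client password and salt."""
    material = hashlib.pbkdf2_hmac("sha256", client_password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def wrap_for_offline(client_key: bytes, client_password: str) -> bytes:
    """Encrypt the client key under the client password for local, offline storage.

    Blob layout (assumed): salt(16) || masked_key(32) || tag(32). The mask is a
    fresh PBKDF2 output used once per random salt, so XOR-masking is sound here;
    the HMAC tag detects tampering and a wrong password.
    """
    salt = os.urandom(SALT_LEN)
    mask, mac_key = _password_material(client_password, salt)
    masked = bytes(a ^ b for a, b in zip(client_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_offline(blob: bytes, client_password: str) -> bytes:
    """Recover the cached key after a reboot; raises ValueError on a bad password."""
    salt = blob[:SALT_LEN]
    masked = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    mask, mac_key = _password_material(client_password, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("client password incorrect or cached key tampered with")
    return bytes(a ^ b for a, b in zip(masked, mask))


if __name__ == "__main__":
    base_key = os.urandom(KEY_LEN)                      # generated sample base key
    token_a, token_b = os.urandom(16), os.urandom(16)   # generated sample client tokens
    key_a = derive_client_key(base_key, token_a)
    key_b = derive_client_key(base_key, token_b)
    print("same key value on both clients:", key_a == key_b)   # False
    blob = wrap_for_offline(key_a, "client-a-password")
    print("offline unwrap with client password:", unwrap_offline(blob, "client-a-password") == key_a)
```

Running the module shows the two clients ending up with different key values from the same base key, and the cached key being recoverable only with the correct client password, which is the behaviour the page describes for the "vmsec passwd" prompt after a reboot.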