Backup and Restore
For CipherTrust Intelligent Protection GuardPoints, CTE creates metadata files in each GuardPoint directory. These metadata (UUID) files contain the unique identifier, tag and other important information. These metadata files are required for successful backup and restore.
Because of these files, you need to perform additional steps when performing Backup & Restore for CipherTrust Intelligent Protection GuardPoints.
Thales recommends that you perform a full backup before you begin a remediation scan. Refer to Backup and Restore Support Matrix
Note
for supported scenarios.
Configuring Client Settings
In order for certain processes to access data, the user's associated identity must be authorized. You can setup this authorization by adding an entry in the Settings field on the Client Settings tab. This entry specifies a program, with a keyword, that indicates the type of authorization that is applied.
In the Settings field, you can specify which authentication mechanisms are in place for specific binaries on the client machine. Each line follows the format:
|behavior|/path/to/binary
In order to successfully back up and restore the UUID files, which hold unique identifiers for the metadata server, CTE remediation requires an additional setting in the client-settings to authorize access to the UUID files that are copied along with the data files.
You must create a client-setting entry for the admin, followed by the process name used for backup and restore.
To specify the settings:
Open the Transparent Encryption application.
Under Client Name, select the desired client.
Click the Client Settings tab.
For the behavior, type:
|tag_admin|
For the path to the binary, enter the path to the process used for backup and restore. For example:
|tag_admin|C:\Users\Administrator\Downloads\xcopy.exe
|tag_admin|/usr/bin/tar
|tag_admin|/usr/bin/cp
|tag_admin|/usr/bin/rsync
The admin is now permitted to backup and restore the entire remediation-based GuardPoint directory.
Backing up Remediation GuardPoints
Make sure that the backup process is added to the Policy with a Permit Effect. This ensures that backups are encrypted.
Perform a backup on a GuardPoint.
Restoring Remediation GuardPoints
No configuration changes are required for client setting and policies. To perform a restore operation:
Disable the GuardPoint before performing a restore operation.
Perform the restore on the GuardPoint
Enable the GuardPoint after a successful restore.
Backing up and Restoring with LDT During Remediation
When performing a backup while running LDT with Remediation:
Customers MUST suspend LDT before performing a backup. Refer to the LDT guide for more information.
Do not take a backup during the initial remediation scan. Wait until the status on the GP is OK before taking a backup.
In LDT, paths are relative. However, after Guarding, use the absolute path name when using Backup and Restore operations with Remediation.
When performing a restore operation while running LDT with Remediation:
- Disable GP for before performing restore operation.
Configuring NetBackup for use with CIP
When using Veritas NetBackup to backup and restore your system, you must disable the following option to ensure that all sensitive files are backed up properly:
Click on Client Attributes in the Properties navigation menu.
Click Windows Open File Backup.
Ensure that Enable Windows Open File Backups for this Client is NOT selected.
Backup and Restore Support Matrix
The following table describes supported backup and restore operations for CipherTrust Intelligent Protection GuardPoints:
Backup/Restore Operations | Supported |
---|---|
CIFS Shares | Not supported. Local storage only. |
Crash recovery: for a standard or LDT policy | Supported. Upon recovery, remediation starts again, from the beginning. |
Data when Remediation is in progress | Not supported |
Data when LDT re-key is in-progress | Supported |
GuardPoint (includes remediated files): Complete GuardPoint | Supported |
GuardPoint: File(s) only | Not supported |
GuardPoint changes | Not supported |
Lazy rekey | Supported |
Mount/ Map point changes during remediation | Not supported. Local storage only. |
Partially remediated files | Not supported |
Recover/ restore files orphaned in a GuardPoint so that remediation can continue on files where remediation was interrupted. | Not supported. Remediation will start over again after a crash |
Renaming GuardPoint directories after remediation has started. | Not supported. If you change a directory name,run the remediation scan again. |
Shadow copies before remediation | Not supported |
Single Files | Not supported |
Soft delete: Windows (delete and restore from recycle bin) | Supported |
Sub-Directory: Complete Sub-Directory | Supported |
Sub-Directory: File(s) only | Not supported |
Tested B/R tools: Linux (Use the following flags to preserve the metadata information along with the data backup.) cp Use --preserve=all option Rsync Use the -vapXIWP --inplace option tar Use the '--xattrs option NetBackup | Supported: Note: You must disable the GuardPoint prior to backing up and restoring |
Tested B/R tools: Windows • Robocopy • Xcopy • NetBackup | Supported: Note: You must disable the GuardPoint prior to backing up and restoring |
UUID stays with files during B/R | Supported |