Migrating ProtectFile to CTE Agent
Note
If SafeNet ProtectFile is configured with SafeNet KeySecure Classic, you must first migrate the ProtectFile configuration to CM before you can migrate to CTE. For more information, refer to Migration from KeySecure Classic to CipherTrust Manager.
The migration process migrates only the CM configuration and encrypted data. The entire ProtectFile configuration consists of:
Keys
Encryption rules
Access policies on KeySecure
Offline policies on each file server
Configuration files (Linux)
Registry settings (Windows) on each file server
Encrypted data on local disks, NAS or clusters
Log files
Both ProtectFile and CTE provide transparent encryption, with additional access controls. However, there are several small but significant differences, in terms of deployment scenarios, policy management,encryption schemes, application access, and audit trails. This guide describes all such differences.
Note
Thales strongly recommends that customers do a basic evaluation of the CTE and CM solutions, in addition to reading the product manuals, before beginning with the migration. Customers must be familiar with the basic terms and concepts used by CTE.
The Thales team has added support to ProtectFile, CTE and CM to allow migration of encrypted data in a smooth and secure manner. The migration is achieved through two main steps:
The CM configuration for ProtectFile is migrated to CTE through the
pfmigrate
utility provided for that purpose.The data on the file servers is migrated. For the data migration, the CTE GuardPoints are stacked on top of ProtectFile encrypted paths and the CTE Dataxform tool is used to perform the data migration.
Note
GuardPoints are directories protected by CTE policies. Access to files and encryption of files in protected directories is controlled by security policies.
The following sections describe the process to follow for this approach. In a small number of cases, this approach may not be feasible and migration will require a manual approach. This is described in Manually Migrating to CTE.
Platforms Not Supported by CTE Linux
This is the list of platforms that ProtectFile Linux supports but CTE does not.
Oracle Enterprise Linux - UEK kernels
PowerPC 64 Little Endian (ppc64le)
File Systems Not Supported by CTE Linux
This is the list of file systems that CTE does not support.
TRFS
OCFS2
GFS2
VxFS
Expectations
Remember the following while performing the migration:
Cipher-text backups taken with ProtectFile can no longer be restored after an encrypted path is migrated to CTE.
Users with ReadPlain or ReadCipher access, under an extension-based rule, are not able to create encrypted files with the extension after migration to CTE.
If you are planning to deploy any more encryption rules, deploy them as a CTE rule after the migration is completed. Do not create new ProtectFile encryption rules.
ProtectFile and CTE can coexist on the same file server and is required to perform the migration securely. You will notice that during the migration of ProtectFile protected paths, the CTE GuardPoint are overlayed on the ProtectFile encrypted path.
Once the path is migrated successfully and removed from the ProtectFile path, CTE ensures the protection of those paths.
If the name of a User set, Resource set, Process set, groups, rules, or access polices in PF contains a space, those spaces are removed during migration.
For example:
Before migration:
username: pf user
After migration:
username: pfuser
Thales recommends using the underscore character in place of spaces in CTE.
!!! note For example: pf_user.
Migration Paths
Customers with ProtectFile could be using KeySecure Classic, or have moved to CM previously. The CTE migration requires both ProtectFile and CTE to use CM.
Migration requires the following minimum versions for each product:
Software | Recommended Minimum Version |
---|---|
ProtectFile Windows | 8.12.2.203 |
ProtectFile Linux | 8.12.2.000-048 |
CipherTrust Manager | 2.2.0-5508 (because enable/disable of ProtectFile policies is now available in the UI. In v2.1, it is only available in the API.) |
CipherTrust Transparent Encryption | 7.1.0-66 |
KeySecure Classic | Note: You can only migrate versions greater than v8.10 to CM. |
For installations using ProtectFile with KeySecure Classic, the migration consists of three stages:
Migrate the KeySecure Classic configuration to CM while still running ProtectFile on KeySecure.
Migrate the ProtectFile configuration elements on CM to their equivalent CTE configuration elements on CM.
Migrate the encrypted data for each ProtectFile encryption rule from ProtectFile format to CTE format.
The following diagram depicts the migration stages:
ProtectFile clients that have already migrated to CM do not require the first step, however they must follow the versions as mentioned above.
There is no direct migration path from KeySecure Classic to the CTE and CM platform.
Overview for Migration of ProtectFile Rules
The following list is a high-level summary overview of the steps required for migrating ProtectFile Rules on Windows or Linux file servers. The succeeding sections describe the details of the migration.
Note
For explicit details on how to complete tasks on ProtectFile, CM, CTE and Data Transformation, consult the product documentation for each product.
Run the
pfmigrate
utility with required parameters to migrate the CM configuration for ProtectFile.Note
Thales recommends that you transform one encryption rule at a time.
Install CTE on the file servers and register with the CM.
On the CM ProtectFile encryption rule which is to be migrated, edit the access policy to give ReadWrite access to the dataxform process.
Check that all of the appropriate policies, rules and client/ client groups are created in CM.
Make sure that GuardPoints are applied properly on the Linux and Windows servers.
On the file server, run data transformation on each encryption rule/protected path.
Navigate to the ProtectFile encryption rule on the CM and disable it.
Disable the corresponding data transformation CTE GuardPoint on the CM.
Navigate to the corresponding production CTE GuardPoint on the CM and enable it.
After all the encryption rules are transformed then they must uninstall PF agent from the host.
Prerequisites for Migration
The following prerequisites must be performed before beginning the migration process. Refer to the CTE documentation for more information on installing and configuring CTE:
Ensure that the CTE release supports the OS version on which ProtectFile is installed. CTE Windows supports all of the platforms supported by ProtectFile Windows. CTE Linux supports almost all of the OS versions that ProtectFile supports. The exceptions are listed in Platforms Not Supported by CTE Linux. These ProtectFile instances cannot be migrated to CTE.
For Linux installations, ensure that CTE is certified for the kernel version on which ProtectFile is installed. In case the kernel version is not certified, do not proceed with the migration and contact Thales support.
User must have Read/Write access to DataXform.
For Linux installations, the default root access must be read/write. Otherwise, the system can crash.
For both ProtectFile Windows and Linux installations, ensure that the file system of the encrypted paths is supported by CTE. CTE Windows supports all of the file systems that are supported by ProtectFile Windows. For CTE Linux, there are some file systems which are not supported. File Systems Not Supported by CTE Linux contains the list of file systems that are not supported by CTE Linux. If the file system is not supported by CTE, the migration is not possible.
For ProtectFile Linux installations that protect data on NFS shares, examine the mount point of the NFS shares on each node. For ProtectFile, the NFS shares can be mounted on a different path on each node. However, in CTE, the NFS shares must be mounted on the same path on all of the nodes. Do not proceed with migration until the shares are mounted on the same path on all of the nodes.
For example:
Note
/mnt_1 is a mount point
ProtectFile
192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1
192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_2 ← host 2
CipherTrust Transpareant Encryption
192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1
192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 2
Backup the data. The migration process does not preserve state across a power cycle. In the event of a power failure or intentional/ unintentional reboot of file server when migration is in progress, data must be restored from a backup.
Plan downtime. Downtime is required for each protected path on a file server that will be migrated. This means that the other paths can continue to be used with production workloads.
Downtime for an encrypted path means the following:
No application can use that path. In case of NAS shares, the shares must be unmounted from all nodes except the one on which the migration is being performed.
For Linux: In case of clusters, the migration is carried out on the active node and all of the other nodes must be passive.
For Windows: Storage must be offline. Otherwise, failover can occur.
In case an encrypted path is exported as a NAS share, you must stop the export before beginning the migration.
Migration requires that ProtectFile encrypted paths must have Read/Write access to write, which allows plain text access to applications.
Using the pfmigrate Utility to Migrate ProtectFile Configuration to CTE
Thales developed the pfmigrate
utility for converting the ProtectFile configuration elements on CM to their equivalent CTE configuration elements on CM. You can run the utility from any Linux or Windows system.
Note
The tool is not part of ProtectFile or CTE and ships separately.
The pfmigrate
utility migrates the following ProtectFile configuration elements:
Keys
Clients
Access policies
Access policy groups
NAS shares
Clusters
Encryption rules
The utility creates equivalent CTE configuration elements and sets up the necessary linkage between them.
Prerequisites for Running pfmigrate Utility
Running the pfmigrate
utility requires the following tasks:
Network Access
CipherTrust Manager must be reachable through port 443 from where you are running the pfmigrate
utility. If you cannot communicate through the port, fix that issue before proceeding.
Permissions
You can run the pfmigrate
utility from any Windows or Linux client that can access CM. You can run it as any user and it does not require root or administrator privileges.
It can migrate the ProtectFile to CTE configuration elements on the same CM which hosts the ProtectFile configuration. Alternatively, you can choose a different CM for the CTE configuration.
Install pfmigrate Utility
To install the pfmigrate
utility:
Obtain the
pfmigrate
utility from the Thales Support portal.Copy the
pfmigrate
utility to a directory that WILL NOT be guarded.
The pfmigrate
utility creates the Client groups for the NAS, or clusters.
Create a Mapping File
Note
A mapping file is only required for Linux file servers that have encryption rules on NAS paths.
The mapping file is a JSON file that associates the share names, as they are defined in CM, to their mount path on the file servers. The mapping file should contain an entry for each NAS share. A sample format for the mapping file is provided in Sample Mapping File.
If there are network shares configured on ProtectFile Linux clients, you must create a mapping file in JSON format to map pf_share_id
to mount_point
(on client machine). Sample mapping file is as follows:
{
"mapping":[
{
"pf_share_name": "share1",
"mount_point": "/mnt/nfs/employee"
}
]
}
Running pfmigrate
Note
Prior to running the utility it is assumed that there exists a ProtectFile client registered on a CM with some active PF rules
The pfmigrate
utility is now ready to run.
Navigate to the directory that you copied the
pfmigrate
utility into and run it:In Linux, type:
./pfmigrate
In Windows, click on the pfmigrate.exe file
The utility prompts you for the following information. Provide the answers at each step:
Enter the IP address of the CipherTrust Manager from which you are importing ProtectFile data
Enter the Web Server Certificate Fingerprint, of the CipherTrust Manager server, from which you are importing ProtectFile data
Note
Copy the Web Server Certificate Fingerprint from CM, in Access Management > Registration Tokens.
Enter the user name of the CipherTrust Manager Administrator who is part of the ProtectFile Administrators and CTE Administrators group
Enter the password of the CipherTrust Manager
Enter the domain of the CipherTrust Manager (optional)
Are there any network shares configured with ProtectFile linux clients? (Y/N)
Enter the path of the PF share to the mount point mapping file
The
pfmigrate
utility runs.
The utility can take some time to finish. The utility creates a log of its operations in the file Migrations.log
in the current directory. After it finishes, examine the log file for any errors. Also login to the CM and go through the configuration elements created by the utility. Refer to Production Policies for a better understanding of the CTE configuration elements.
There will be two CTE GuardPoints created by the pfmigrate
utility for each ProtectFile rule:
Transformation GuardPoint: Created in disabled state and used for data transformation.
Production GuardPoint: Created in disabled state and used for applying production policy.
CTE Client Software Installation
Note
You must run the pfmigrate
utility BEFORE installing CTE. See Running pfmigrate.
Install the CTE client software on each client.
Make sure that in CM, in the CTE Server > Client section, you select Communication Enabled and Registration Allowed.
Register all of the nodes of the NAS, or cluster, to CM.
Note
Refer to the CTE Quick Start Guides or the CTE Advanced Configuration and Integration Guides on Thales Docs online for your Operating System.
Data Transformation
CTE provides a data transformation tool called dataxform
. This tool has been enhanced to convert the data from ProtectFile to CTE format, by providing it with the --migrate
option.
Note
Refer to the CTE Data Transformation Guide for more information
The pfmigrate
utility should have created two GuardPoints for each encryption rule, both of them in the disabled state.
Data Transformation: Used for performing the initial data transformation.
Production: Used for applying the production policy.This policy helps encrypt future files as well as decrypting the content of the files based on access privileges.
If the two GuardPoints exist, then you are ready to begin the data transformation. If they don’t exist, run the pfmigrate
utility again.
Preparing for Data Transformation
To begin:
On CM, click ProtectFile/ Transparent Encryption UserSpace.
Click on a client name to view the rules and the access policy associated with that client.
Choose the rule for the migration and note the corresponding access policy.
Changing the Access Policy for Windows
Click Access Policies.
Create an access policy group for migrations(for ex: windows_migration_grp) with Read/Write access for the Administrator.
Create an access policy (for ex: windows_migration).
Add a access policy rule that gives the administrator user ReadWrite access permissions.
Create an access policy group (for ex: windows_migration_grp) with:
OS: Windows
Group: Access Control & Encryption
Default Access: No Access
Click on the newly created access policy group (windows_migration_gp) to open it.
Search for newly created access policy (windows_migration).
Click on the ellipsis and choose Add to Group.
The newly created access policy group looks like the following graphic. This access policy group will be used for all of the rules.
Change the access policy group for the current rule to this newly created access policy group.
Apply changes and wait for rules to be applied at client.
On the CM, navigate to corresponding CTE offline (Dataxform) GuardPoint and enable it:
- On CM, click CTE.
- Click Client on the relevant client name.
- Click on ellipses for the GuardPoint and select Enable.
Allow sometime for CM to enable the GuardPoint. When the status changes to Active, the GuardPoint is enabled. At this moment, the CTE GuardPoint would be overlaid on the ProtectFile encrypted path. Confirm this by examining the file servers.
Transforming Data in Windows
Open the Windows command line as an Administrator.
Run the
pfstatus
command, type:**pfstatus.exe**
Note
For ProtectFile file or folder policies, use absolute file/folder path with
pfstatus
utility to know statusRun the status command, type:
secfsd –status guard –v
The following screenshot depicts how the CTE GuardPoint is overlaid on the ProtectFile encrypted path.
Run the dataxform command.
dataxform –-rekey –-migrate --gp <GuardPoint>
Run the dataxform command for sparse files:
dataxform –-rekey --preserve_sparse_files -–migrate --gp <GuardPoint>
Exit the Windows command line tool.
After the dataxform has completed, navigate to the corresponding dataxform GuardPoint on the CM and disable it. Wait for the removal of the GuardPoint from the file server.
Navigate to the ProtectFile encryption rule on the CM and disable it. Wait for the process to complete.
Navigate to the corresponding production GuardPoint on CM and enable it. Wait for the operation to finish. Verify that the CTE GuardPoint is reapplied on the file server.
Note
If the Client is member of a ClientGroup, then navigate to the corresponding production GuardPoint in the ClientGroup and enable it. Wait for the peration to finish. Verify that the CTE GuardPoint is reapplied on the file server.
Manually Migrating DFS Replication Data
If you are using Distributed File System (DFS) replication, you must manually add additional GuardPoints for Replication endpoints such as a DFS Private folder.
For each DFS replication client, follow these additional, manual steps for migrating PF encrypted data to CTE encrypted data.
Navigate to the DFS Replication client on Transparent Encryption on CM. Note the DFS Replication protected path for the initial transformation/ production GuardPoint.
Click on the Policy for the DFS Replication production GuardPoint created by pfmigrate utility. Note the DFS Replication policy name.
Unguard both the initial transformation and production GuardPoints for DFS Replication path. Wait for these GuardPoints to be removed from the client.
Once both the initial transformation and production Guardpoints are removed, click Create GuardPoint and select the DFS policy.
Provide the DFS production GuardPoint replication path, and the DFSPrivate folder path manually, in the path field in the Create GuardPoint dialog.
Wait for the GuardPoints to become active on the file server. (It states Yes in the Enabled column.)
Manually Migrating DFS Replication Data
If you are using Distributed File System (DFS) replication, you must manually add additional GuardPoints for Replication endpoints such as a DFS Private folder.
For each DFS replication client, follow these additional, manual steps for migrating PF encrypted data to CTE encrypted data.
Navigate to the DFS Replication client on Transparent Encryption on CM. Note the DFS Replication protected path for the initial transformation/ production GuardPoint.
Click on the Policy for the DFS Replication production GuardPoint created by pfmigrate utility. Note the DFS Replication policy name.
Unguard both the initial transformation and production GuardPoints for DFS Replication path. Wait for these GuardPoints to be removed from the client.
Once both the initial transformation and production Guardpoints are removed, click Create GuardPoint and select the DFS policy.
Provide the DFS production GuardPoint replication path, and the DFSPrivate folder path manually, in the path field in the Create GuardPoint dialog.
Wait for the GuardPoints to become active on the file server. (The Enabled values change to Yes)
Changing the Access Policy for Linux
Click Access Policies.
Create an access policy group, (for ex: linux_migration_grp) with:
OS: Linux
Group: Access Control & Encryption
Default Access: Read/Write
The newly created access policy group will look like the following picture. This access policy group will be used for all of the rules. Change access policy group for the current rule with this newly created policy group. Apply changes and wait for rules to be applied at client.
On the CM, navigate to the corresponding CTE offline (Dataxform) GuardPoint and enable it:
On CM, click CTE.
Click Client on the relevant client name.
Click on ellipses for the GuardPoint and select Enable.
Allow sometime for CM to enable the GuardPoint. When the status changes to Active, the GuardPoint is enabled. At this moment, the CTE GuardPoint would be overlaid on the ProtectFile encrypted path. Confirm this by examining the file servers.
Transforming Data in Linux
On Linux, use the
mount
command to confirm that the CTE GuardPoint is overlaying the ProtectFile encrypted path. The following screenshot depicts how the CTE GuardPoint is overlayed on the ProtectFile encrypted path.For file servers, login directly as root. Do not execute a switch user command before starting the data transformation.
Run the dataxform tool as follows:
dataxform -–rekey -–migrate --gp <GuardPoint>
For transformation to preserve the original timestamps, run it with the following additional option:
dataxform –-rekey --migrate --preserve_access_time –preserve_modified_time --gp <GuardPoint>
Note
The logs are stored in
/var/log/vormetric
.Exit the terminal which was used to run dataxform.
After the data transformation has completed, navigate to the corresponding Dataxform GuardPoint on the CM and disable it. Wait for the GuardPoint to unmount on the file server.
For the encryption rule, navigate to the ProtectFile encryption rule on the CM and disable it. Wait for the encryption rule to unmount on the file server.
For Access only rule, navigate to the ProtectFile encryption rule on the CM and remove it. Wait for the rule to unmount on the file server.
Navigate to the corresponding production GuardPoint on CM and enable it. Wait for the operation to finish. Verify that the CTE GuardPoint is reapplied on the file server.
Note
If the Client is member of a ClientGroup, navigate to the corresponding production GuardPoint in the respective ClientGroup and enable it. Wait for the operation to finish. Verify that the CTE GuardPoint is reapplied on the file server.
Post Migration
At this point, the migration for this encryption rule is completed. The data is converted to the CTE format and the access rules are enforced. The encrypted path is now ready for production use.
Verify the integrity of the data for each ProtectFile encrypted path. Consult the CTE product documentation for information on how to verify the data integrity.
Linux File Server: After data migration, close existing login sessions/terminals and then verify the integrity of the data for each protected path.
Windows File Server: After data migration, reboot the file server. Once the file server is rebooted, verify the integrity of the data for each protected path.
If you need to migrate other encryption rules immediately, do that now.
If you are not migrating any other encryption rules, make the full cluster nodes, and all of the NAS clients, active.
Repeat the steps for all encryption rules for the ProtectFile client.
Delete the ProtectFile client entry from the CM once all of the rules are migrated to CTE.
On Windows ProtectFile clients, backup the registry.
Uninstall the ProtectFile software from the file server.
Take a backup of the CM Configuration and the protected data now encrypted with CTE.
On Linux clients, backup the folder
/etc/safenet
and save all of the logs in/var/log/safenet
.
CM does not support offline mode so you cannot back up offline policies.