LDT Use Cases
This section describes various LDT scenarios using the CTE APIs.
Suspend/Resume Rekey
The LDT rekey operation can be paused and resumed on the protected LDT clients. Run the ldtpause
API with "paused": true
to pause, and "paused": false
to resume the operation.
API
/v1/transparent-encryption/clients/{id}/ldtpause
Sample
{
"paused": <true/false>
}
Key Rotation
On a path guarded using an LDT policy, you can create a new version of the key used for encryption. This triggers the rekey operation on the client for the GaurdPath using the rotated key.
API
/v1/vault/keys2/{id}/versions
Decrypting LDT-protected GuardPoints
This section describes steps to decrypt an LDT-protected GuardPoint using the CTE APIs.
To decrypt an LDT-protected GuardPoint:
Get the LDT policy currently being used by the GuardPoint.
Run the API
get /v1/transparent-encryption/clients/<client-name>/guardpoints
Example
get /v1/transparent-encryption/clients/ldt-client-name/guardpoints
This API returns the list of GuardPoints applied to the client. Copy the value of LDT
"policy_name"
(for example,ldt-policy
) applied to the desired LDT GuardPoint.Get the key linked to the LDT policy.
Run the API
get /v1/transparent-encryption/policies/<ldt-policy-name>/ldtkeyrules
Example
get /v1/transparent-encryption/policies/ldt-policy/ldtkeyrules
This API returns the LDT key rules of the LDT policy. Copy the value of
"key_id"
(for example,current-key
). This key is used to encrypt the LDT GuardPoint.Clone the current (latest) version of the key to a non-versioned CTE key.
Run the API
post /v1/vault/keys2/<current-key-name>/clone
Request Parameters
{ "newKeyName": "<clone-key-name>", "meta": { "cte": { "persistent_on_client":true, "cte_versioned":false, "encryption_mode":"<enc-mode>" } } }
Note
Make sure that
"cte_versioned"
is set tofalse
.Example
post /v1/vault/keys2/current-key/clone { "newKeyName": "cloned-key", "meta": { "cte": { "persistent_on_client":true, "cte_versioned":false, "encryption_mode":"CBC"} } }
A new key with the specified name (for example,
cloned-key
) is created with version0
.Create a new LDT policy (for example,
new-ldt-policy
). In"ldt_key_rules"
, set:The cloned key (
cloned-key
) as the"key_id"
for"current_key"
.clear_key
as the"key_id"
for"transformation_key"
.
Run the API
post /v1/transparent-encryption/policies
Request Parameters
{ "name":"<new-ldt-policy-name>", "policy_type":"LDT", "never_deny":false, "security_rules":[ { "effect":"permit,applykey", "action":"key_op" }, { "effect":"permit,applykey,audit", "action":"all_ops", "partial_match":true } ], "ldt_key_rules":[ { "resource_set_id":"<resource-set>", "current_key":{ "key_id":"<clone-key-name>" }, "transformation_key":{ "key_id":"clear_key" } } ] }
Example
post /v1/transparent-encryption/policies { "name":"new-ldt-policy", "policy_type":"LDT", "never_deny":false, "security_rules":[ { "effect":"permit,applykey", "action":"key_op" }, { "effect":"permit,applykey,audit", "action":"all_ops", "partial_match":true } ], "ldt_key_rules":[ { "resource_set_id":"", "current_key":{ "key_id":"cloned-key" }, "transformation_key":{ "key_id":"clear_key" } } ] }
A new LDT policy with the name
new-ldt-policy
is created.Remove the LDT GuardPoint.
Run the API
patch /v1/transparent-encryption/clients/<client-name>/guardpoints/<GuardPoint-resource-id>/unguard/
Example
patch /v1/transparent-encryption/clients/ldt-client-name/guardpoints/a724ed5d-b5c5-45f3-8b8f-77ec3ec976d1/unguard
On the CTE client, remove the existing CTE-LDT attributes on the GuardPoint.
Run the Command
voradmin ldt attr delete <GuardPoint>
Example
voradmin ldt attr delete /ldt_path
The LDT metadata has been removed from all files in the GuardPoint
/ldt_path
.Create a new GuardPoint for the directory using the new policy.
Run the API
post /v1/transparent-encryption/clients/<client-name>/guardpoints
Request Parameters
{ "guard_paths":["/<GuardPath>"], "guard_point_params": { "is_idt_capable_device":false, "guard_point_type":"directory_auto", "policy_id":"<new-ldt-policy-name>", "preserve_sparse_regions":true } }
Example
post /v1/transparent-encryption/clients/ldt-client-name/guardpoints { "guard_paths":["/ldt_path"], "guard_point_params": { "is_idt_capable_device":false, "guard_point_type":"directory_auto", "policy_id":"new-ldt-policy", "preserve_sparse_regions":true } }
Wait for the rekey to complete. You can check the rekey status, as described below.
Run the API
get /v1/transparent-encryption/clients/<client-name>/guardpoints
Example
get /v1/transparent-encryption/clients/ldt-client-name/guardpoints
When the
"rstatus"
status becomes"Rekeyed"
, the rekey (decryption) is complete.Note
• If you have selected
directory_auto
, data transformation begins as soon as the client gets the new policy information from the key manager.
• If you have selecteddirectory_manual
, use thesecfsd -guard <GuardPoint>
command on the client to begin data transformation.Remove the GuardPoint. This ensures rekey is no longer triggered for any new data added to the specified GuardPath.
Run the API
patch /v1/transparent-encryption/clients/<client-name>/guardpoints/<GuardPoint-resource-id>/unguard/
Example
patch /v1/transparent-encryption/clients/ldt-client-name/guardpoints/77ec9ec67d3-c5b5-435f-7b8f-a275de45e/unguard