Common Scenarios
This section describes common encryption scenarios in which paths are encrypted using the CTE solution. You can configure different policy types with different combinations of policy elements to suit your requirements.
This section describes encryption using:
Different Access Privileges for Subdirectory or Different File Formats
Different Access Privileges for Combination of Users, Processes, and Resources
Prerequisites
The CipherTrust Manager is up and running. Refer to the CipherTrust Manager Deployment Guide for details.
A CTE base license is activated and installed. Refer to Licensing for details.
(Optional) An add-on LDT license is activated and installed. This license is needed only if you want to deploy LDT policies. A CTE base license must be activated on the CipherTrust Manager. Refer to Licensing for details.
The CTE Agent is installed on client machines where data is to be protected. The client machines are running a supported platform. Refer to the CTE Agent Quick Start Guide specific to your platform for details.
Note
Policy elements can be created either in advance or when creating the policy. Refer to Creating Policy Elements for details.
User-based Access Privileges
Encrypt a local path with the following access privileges:
User set UserSet1 can encrypt/decrypt data in the GuardPoint.
User set UserSet2 can access the ciphertext data but cannot encrypt or decrypt.
All other user sets are denied access to the GuardPoint data.
Depending on the data availability (or downtime) and storage requirements in your setup, you can apply any of these policies:
Refer to Data Transformation Techniques for the advantages and limitations of each data transformation technique. LDT policies require an add-on license.
Standard Production Policies
If the GuardPoint does not contain any existing data, and the data would be created after the GuardPoint is applied:
Create a standard policy. Refer to Creating Policies for details.
Apply a GuardPoint using the standard policy. Refer to Creating Standard GuardPoints for details.
Standard Data Transformation Policies
If the GuardPoint already contains data, and the existing data needs to be migrated to encrypted form by using the dataxform utility:
Create a data transformation policy. Refer to Creating Policies for details.
Apply a GuardPoint using the data transformation policy. Refer to Creating Standard GuardPoints for details.
After the existing data is migrated, unguard the data transformation policy from the GuardPoint. Refer to Removing GuardPoints for details.
Create a standard policy with the same key as the data transformation policy created in the first step. Refer to Creating Policies for details.
Now, you must run the dataxform --rekey --gp <GuardPath> command on the CTE Agent. Refer to the CTE Data Transformation Guide specific to your platform for details.
Apply the GuardPoint using the standard policy created in the previous step. Refer to Creating Standard GuardPoints for details.
LDT Policies
If you have an add-on LDT license, you can achieve the combined effects of the standard production and standard data transformation policies by applying the LDT policies.
If the GuardPoint already contains data, the policy migrates the existing data automatically. There is no need to run the dataxform utility manually. Afterwards, the policy encrypts/decrypts the data automatically, in the same way as a standard policy.
If the GuardPoint does not contain any existing data, migration is not required. A standard (production) encryption/decryption policy is applied automatically.
To apply an LDT policy:
Create an LDT policy. Refer to Creating Policies for details.
Apply the GuardPoint using the LDT policy. Refer to Creating LDT GuardPoints for details.
Process-based Access Privileges
Encrypt a local path with the following access privileges:
Process set ProcessSet1 can encrypt/decrypt data in the GuardPoint.
Process set ProcessSet2 can access the ciphertext data but cannot encrypt or decrypt.
All other process sets are denied access to the GuardPoint data.
Process-based policies are configured in exactly the same way as user-based policies, as described in User-based Access Privileges. The only difference is that, instead of adding user sets, you add process sets to the Security Rules tab of the policy.
Depending on the data availability (or downtime) and storage requirements in your setup, you can apply any of these policies:
Refer to Data Transformation Techniques for the advantages and limitations of each data transformation technique. LDT policies require an add-on license.
Signature-based Access Privileges for Processes
Encrypt a local path with the following access privileges:
Process Process1 with a particular signature can encrypt/decrypt data in the GuardPoint.
All other processes are denied access to the GuardPoint data.
To apply a signature-based access policy for a process:
Create a signature set. When creating the set, add the source path of Process1; this is the process that will be signed. Refer to Creating Signature Sets for details.
Sign the signature set. Use a CTE client on which the desired process is present to sign it. Refer to Signing Files in a Signature Set for details.
Create a process set. When creating the set, add the newly created signature set. Refer to Creating Process Sets for details.
Configure process-based access policies. Refer to Process-based Access Privileges for details.
Different Access Privileges for Subdirectory or Different File Formats
Encrypt a local path with the following access privileges:
Encrypt/decrypt only a subdirectory, subdir1, under the GuardPath.
Deny access to all other files and directories under the GuardPoint.
To achieve this use case, you need to add a resource set to the policy. In a resource set, you can provide details about the subdirectories or specific file formats that need to be handled differently under a GuardPoint.
To achieve this use case:
Create a resource set. Specify the details of the subdirectory (subdir1) in the resources. Refer to Creating Resource Sets for details.
Note
Paths specified in a resource set must be relative to the GuardPath. Do not provide absolute paths for the resources.
Create the desired policy type. Make sure to add the resource set created in the previous step. This is done to enforce the desired access policy. Refer to Creating Policies for details.
Apply the GuardPoint using the policy created in the previous step. Refer to Managing GuardPoints for details.
Different Access Privileges for Combination of Users, Processes, and Resources
Encrypt a local path with the following access privileges:
Allow only the process usrbin.exe being run by User1 to encrypt/decrypt text files (*.txt) present under the GuardPath.
Deny access to all other users and processes.
To achieve this use case:
Create the required resource set. Refer to Creating Resource Sets for details.
Create the required user set. Refer to Creating User Sets for details.
Create the required process set. Refer to Creating Process Sets for details.
Create the desired policy type using the resource set, the user set, and the process set created above. Refer to Creating Policies for details.
Apply the GuardPoint using the policy created in the previous step. Refer to Managing GuardPoints for details.
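The three access outcomes the scenarios above distinguish (encrypt/decrypt, ciphertext-only, deny) and the user/process/resource matching used by the user-based, subdirectory and combination scenarios, as an added illustrative model in Python; this is not Thales CTE code. It assumes ordered first-match rule evaluation, an implicit deny when no rule matches, and effect names modelled on the page's descriptions; the set memberships and the GuardPath are constructed.

```python
# Added illustrative model of CTE-style security rules (not Thales product code).
# Assumptions: rules are evaluated in order, first match wins, and a request that
# matches no rule is denied. Effect names follow the page's descriptions:
# "permit" alone exposes ciphertext; "permit,applykey" encrypts/decrypts.
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
import posixpath


@dataclass(frozen=True)
class Rule:
    effect: str                          # "deny", "permit" or "permit,applykey"
    users: frozenset | None = None       # user-set members; None matches any user
    processes: frozenset | None = None   # process-set members; None matches any process
    resources: tuple = ()                # resource-set patterns relative to the GuardPath; () = all


def rule_matches(rule: Rule, user: str, process: str, rel_path: str) -> bool:
    if rule.users is not None and user not in rule.users:
        return False
    if rule.processes is not None and process not in rule.processes:
        return False
    if rule.resources and not any(fnmatchcase(rel_path, p) for p in rule.resources):
        return False
    return True


def evaluate(rules, guardpath: str, user: str, process: str, path: str) -> str:
    """Return 'plaintext', 'ciphertext', 'denied' or 'outside GuardPoint' for one request."""
    rel = posixpath.relpath(path, guardpath)   # resource patterns are relative to the GuardPath
    if rel == ".." or rel.startswith("../"):
        return "outside GuardPoint"
    for rule in rules:
        if rule_matches(rule, user, process, rel):
            if rule.effect == "deny":
                return "denied"
            return "plaintext" if "applykey" in rule.effect else "ciphertext"
    return "denied"   # no matching rule: implicit deny


# Constructed set memberships and policies mirroring the scenarios above.
USERSET1, USERSET2 = frozenset({"alice"}), frozenset({"backup"})
USER_POLICY = (Rule("permit,applykey", users=USERSET1),
               Rule("permit", users=USERSET2))          # all other users: implicit deny
SUBDIR_POLICY = (Rule("permit,applykey", resources=("subdir1/*",)),
                 Rule("deny"))
COMBO_POLICY = (Rule("permit,applykey", users=frozenset({"User1"}),
                     processes=frozenset({"usrbin.exe"}), resources=("*.txt",)),
                Rule("deny"))
```

Running evaluate(COMBO_POLICY, "/data/secure", "User1", "usrbin.exe", "/data/secure/notes.txt") returns "plaintext", while changing the user, the process, or the file extension returns "denied".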