Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Administration

Migrating CTE Resources from CipherTrust Manager Appliance

search
suggest an edit

Migrating CTE Resources from CipherTrust Manager Appliance

You can migrate CipherTrust Transparent Encryption (CTE) resources from CipherTrust Manager Appliance version 2.13.x-2.16.x to your CipherTrust Data Security Platform Service (CDSPaaS).

Note

  • Supported CipherTrust Manager Appliance versions for migration change over time as CDSPaaS adds functionality from more recent versions. Subscribe to the Changelog for updates on migration support changes.

  • Consult CipherTrust Manager appliance documentation of the applicable version for more details and the most current information on operations performed on CipherTrust Manager appliance.

copy link to clipboardPrerequisite

A CipherTrust Data Security Platform Service must be provisioned with all required CTE purchased services, as outlined in Get Started with CipherTrust Data Security Platform Services.

copy link to clipboardMigrate CTE Resources

To migrate CTE resources, follow these high level steps in order:

  1. Backup CTE Resources on CipherTrust Manager Appliance.

  2. Restore CTE Resources on the CipherTrust Data Security Platform Service.

  3. Re-register CTE Agents.

The following objects are migrated after these stages:

  • All keys, including CTE keys

  • CTE Policies

  • Policy elements associated with CTE policies

  • CTE clients

copy link to clipboardBackup CTE Resources on CipherTrust Manager Appliance

  1. Login to the CipherTrust WebUI for the desired domain, as a user in the admin or Backup Admins group.

  2. Obtain a domain backup key.

    1. Navigate to Admin Settings > Backup keys.

    2. Review the list of backup keys to see if a domain backup key exists. If no domain backup key exists, click + Add Backup Key to add one.

    3. Click the ellipsis icon (Ellipsis Icon) corresponding to the desired backup key.

    4. Click Download.

    5. Enter and confirm a password.

    6. Click Download.

      The backup key file is downloaded to your local computer.

  3. Create the backup.

    1. Navigate to Admin Settings > Backups.

    2. Click Add Backup.

    3. Select Domain Backup for the backup scope.

    4. Click Next.

    5. Provide a description and select the domain backup key obtained in step 2 from the list.

      Caution

      Make sure to select the correct backup key, so the backup can be successfully restored on the CipherTrust Data Security Platform Service.

    6. Click Add Backup. The backup includes all resources types including CTE resources.

  4. Click the ellipsis icon (Ellipsis Icon) corresponding to the new backup.

  5. Select Download.

    The backup file is downloaded to your local computer.

  6. Proceed to Restore CTE Resources on the CipherTrust Data Security Platform Service.

copy link to clipboardRestore CTE Resources on the CipherTrust Data Security Platform Service

This stage migrates keys, CTE policies, and CTE policy elements.

Caution

If a CTE policy or key in the backup file is already present on the CipherTrust Data Security Platform Service with the same name, restoring these objects can create a conflict. Conflicting keys cause the restore operation to fail with the error Error copying data from backup database. Refer to Handling Conflicting Resources for information on how CipherTrust Data Security Platform Service handles these cases, and actions you can take to resolve conflicts.

  1. Login to the CipherTrust Data Security Platform Service as a member of the admingroup, or of all of the CTE Admins, Domain Backup Admins, Domain Restore Admins, Key Admins groups.

    Note

    Generally, the first user created on the CipherTrust Data Security Platform Service has sufficient permissions.

  2. Upload the backup key file obtained from the CipherTrust Manager appliance.

    1. Navigate to Admin Settings > Backup keys.

    2. Select Upload Backup Key.

    3. Click Browse to browse to the backup key file on your local system.

    4. Enter the password for the backup key file.

    5. Click Upload.

  3. Upload the backup file obtained from the CipherTrust Manager appliance.

    1. Navigate to Admin Settings > Backups.

    2. Select Upload Backup.

    3. Click Browse to browse to the backup file on your local system.

    4. Click Upload.

  4. On the backups page, click the ellipsis icon (Ellipsis Icon) corresponding to the newly uploaded backup.

  5. Click Restore.

  6. Wait for the restore operation to complete.

  7. Confirm that all objects restored correctly.

    • Keys: Navigate to the Keys page.

    • CTE Policies: Navigate to Products > Transparent Encryption > Policies > Policies.

    • CTE Policy Elements: Navigate to Products > Transparent Encryption > Policies > Policy Elements.

  8. Delete the backup file.

    Note

    CipherTrust Data Security Platform Service has limited storage for backup files. We recommend deleting them immediately after you confirm the restore has succeeded. We can only guarantee that backup files will be retained for 3 days.

    1. Navigate to Admin Settings > Backups.

    2. Click the ellipsis icon (Ellipsis Icon) corresponding to the newly restored backup.

    3. Click Delete.

  9. Proceed to Re-register CTE Agents to migrate clients.

copy link to clipboardRe-register CTE Agents

This stage migrates CTE clients.

CDSPaaS supports CTE Agent for Windows 7.6.0-132 and above, CTE Agent for Linux 7.6.0-134 and above, and CTE Agent for AIX 7.7.0-36 and above. Each CDSPaaS service supports up to 50 clients. We recommend up to 100 guardpoints per client. Contact Thales to set up deployments with more than 50 clients or more than 5000 guardpoints.

  1. Log on to the CipherTrust Data Security Platform Service Web UI as a member of the admins or Client Admins group.

  2. In the left pane, click Access Management > Registration Tokens.

  3. On the right, click Add Registration Token. The Create New Registration Token wizard is displayed. This is a three-step wizard.

  4. Click Begin to start token creation. The Configure Token screen is displayed.

  5. (Optional) Specify a Name Prefix. Prefix for the client name. This prefix is used to construct names for clients whose names are not specified during registration with the CipherTrust Data Security Platform Service using this token.

    • If the name prefix is specified as ks_client, client names will be constructed as ks_client#; for example, ks_client1, ks_client2, ks_client3, and so on.

    • If the name prefix is not specified, the CipherTrust Data Security Platform Service will construct a random name for clients.

    However, if a client's name is specified during registration, this name prefix will not be used for that client.

  6. Specify Token lifetime. This is the duration (in minutes, hours, or days) for which this token can be used for registering clients. For example, specify the lifetime as:

    • 1 minutes for 1 minute

    • 2 hours for 2 hours

    • 3 days for 3 days

    • unlimited for a token that never expires.

    By default, the token lifetime is unlimited. The token will never expire.

  7. Specify Client Capacity. This is the maximum number of clients that can be registered using this registration token. The default capacity is 100 clients.

  8. Click Create Token. The Create Token screen is displayed. The screen displays the generated registration token in ASCII and Base64 encoding. Select ASCII encoding.

  9. Click Copy next to the token. Save the copied token. This token will be used when registering and migrating clients.

  10. Click Close.

  11. Re-register the client as outlined in Installing and Registering CTE in CTE Agent documentation. You must provide the new registration token, and the hostname of the CipherTrust Data Security Platform Service.

  12. On the CipherTrust Data Security Platform Service, re-create the guardpoints using the migrated policies.

copy link to clipboardHandling Conflicting Resources

If you attempt to migrate resources which already exist with the same name in the CipherTrust Data Security Platform Service, the CipherTrust Data Security Platform Service uses these strategies:

StrategyDescriptionResource Type
ErrorAn error, "Error copying data from backup database" is thrown during restore.Keys with the same name and version, different ID
SkipSkips the conflicting resource in the backup file, and keeps the resource present in the CipherTrust Data Security Platform Service.CTE policies with the same name

There are two options to migrate conflicting keys:

  • Retain both keys.

    1. Take the backup without the conflicting key using filters.

    2. Export the key material and import it separately.

  • Retain only the key in the backup file.

    1. Delete the key with duplicate name on the CipherTrust Data Security Platform Service.

    2. Restore the backup.

To migrate conflicting CTE policies, delete the CTE policy on the CipherTrust Data Security Platform Service before restoring the backup.

On this page