Using Initial Data Transformation for CTE for Kubernetes
The Data Transformation utility is an application that encrypts data-in-place in a GuardPoint. To perform dataxform for CTE for Kubernetes, two additional steps are required:
- A Data Transformation GuardPolicy, along with a CTE for Kubernetes production policy, must be added to the CTE for Kubernetes storage group on CipherTrust Manager.
- You must add a Data Transformation policy name in the CTE for Kubernetes claim against the PVC. The name of the claim file is cte-csi-claim.yaml.
For the standard Data Transformation steps, see Data Transformation for more information.
Prerequisites
- Verify that you have valid backup files of the data to be encrypted.
Note
You will need to stop ALL access and services to the data being encrypted during part of this procedure. Access will NOT be restored until the encryption process is complete. Make sure that you plan for this outage and that users know the data will be inaccessible for some time.
Create a Storage Group
Prior to the deployment of any yaml files for registration, you must create a CTE for Kubernetes Storage Group.
Create Policies
In CipherTrust Manager, you must create policies before you can transform the data. See Creating Policies for more information.
- Create a Data Transformation policy with Policy Type: CTE for Kubernetes.
  - Toggle the Data Transformation button to on. This policy is only for encrypting the clear text data in persistent volumes where the policy is applied.
- Create a CTE for Kubernetes Production policy with Policy Type: CTE for Kubernetes.
  - Make sure that the Data Transformation toggle is set to off.
  - For the key rule, you must use the same key as in the Data Transformation policy.
Apply GuardPolicies
- Add both policies that you just created in the previous section to the K8s Storage Group.
Adding an Annotation for Data Transformation to a claim
- Add an annotation for the Data Transformation policy to your yaml claim file. For example, cte-csi-claim.yaml:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cte-claim
  annotations:
    csi.cte.cpl.thalesgroup.com/dataxform_policy: <dataxformPolicyName>
    csi.cte.cpl.thalesgroup.com/policy: production-policy   # This must match your CTE CSI Policy name.
    csi.cte.cpl.thalesgroup.com/source_pvc: nfs-test-claim  # NFS source persistent volume claim
spec:
  storageClassName: <CHANGE to the storage class name that you deployed, for example csi-test-sc>
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Ki
```
Note
- Data Transformation starts as soon as the protected pod is deployed using the above cte-claim. Check the logs of the application pod, or its describe output, to confirm that the transformation is progressing.
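Because the transformation starts the moment the protected pod comes up, it is worth checking the claim file before deploying it. The following pre-flight check is an added example, not part of the CTE for Kubernetes documentation; it assumes the claim has already been parsed into a Python dict (for instance with PyYAML's yaml.safe_load), and the policy and storage class names in the sample are made up.

```python
# Pre-flight check for a CTE for Kubernetes PVC claim that requests Data
# Transformation (added example, not part of the product docs). It takes the
# claim as a parsed manifest, e.g. the dict returned by yaml.safe_load(), and
# reports problems before the pod is deployed, since the transform starts as
# soon as the protected pod comes up.
import re

PREFIX = "csi.cte.cpl.thalesgroup.com/"
REQUIRED = ("dataxform_policy", "policy", "source_pvc")
PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <dataxformPolicyName> left unedited

def validate_dataxform_claim(manifest: dict) -> list:
    """Return a list of problems; an empty list means the claim looks usable."""
    problems = []
    if manifest.get("kind") != "PersistentVolumeClaim":
        problems.append("kind must be PersistentVolumeClaim")
    ann = (manifest.get("metadata") or {}).get("annotations") or {}
    values = {}
    for key in REQUIRED:
        val = ann.get(PREFIX + key)
        if not val:
            problems.append(f"missing annotation {PREFIX}{key}")
        elif PLACEHOLDER.match(str(val)):
            problems.append(f"{PREFIX}{key} still holds placeholder {val}")
        else:
            values[key] = str(val)
    # The transform policy (toggle on) and production policy (toggle off) are
    # two distinct CipherTrust Manager policies, so they must not share a name.
    if values.get("dataxform_policy") and values.get("policy") == values["dataxform_policy"]:
        problems.append("dataxform_policy and policy must name different policies")
    sc = (manifest.get("spec") or {}).get("storageClassName")
    if not sc or PLACEHOLDER.match(str(sc)):
        problems.append("spec.storageClassName must name the deployed storage class")
    return problems

# Constructed sample mirroring the page's cte-csi-claim.yaml with placeholders
# filled in; the policy and storage class names are made up for this example.
SAMPLE_CLAIM = {
    "apiVersion": "v1", "kind": "PersistentVolumeClaim",
    "metadata": {"name": "cte-claim", "annotations": {
        PREFIX + "dataxform_policy": "dataxform-policy",
        PREFIX + "policy": "production-policy",
        PREFIX + "source_pvc": "nfs-test-claim"}},
    "spec": {"storageClassName": "csi-test-sc", "accessModes": ["ReadWriteMany"],
             "resources": {"requests": {"storage": "1Ki"}}},
}

if __name__ == "__main__":
    print(validate_dataxform_claim(SAMPLE_CLAIM) or ["claim OK"])
```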
Warning
- Do not delete the protected pod while Data Transformation is in progress.
- The dataxform_auto_lock file is created in the GuardPoint path. Do not edit or delete this file.