Using Initial Data Transformation for CTE for Kubernetes
The Data Transformation utility is an application that encrypts data-in-place in a GuardPoint. To perform dataxform for CTE for Kubernetes, two additional steps are required:
-
An Data Transformation GuardPolicy, along with a CTE for Kubernetes production policy, must be added to the CTE for Kubernetes storage group on CipherTrust Manager.
-
You must add an Data Transformation policy name in the CTE for Kubernetes claim against the PVC. The name of the claim is
cte-csi-claim.yaml
.
For the standard Data Transformation steps, see Data Transformation for more information.
Prerequisites
- Verify that you have valid backup files of the data to be encrypted.
Note
You will need to stop ALL access and services to the data being encrypted during part of this procedure. Access will NOT be restored until the encryption process is complete. Make sure that you plan for this outage and that users know the data will be inaccessible for some time.
Create a Storage Group
Prior to the deployment of any yaml
files for registration, you must create a CTE for Kubernetes Storage Group.
Create Policies
In CipherTrust Manager, you must create policies before you can transform the data. See Creating Policies for more information.
-
Create an Data Transformation policy with Policy Type: CTE for Kubernetes.
-
Toggle the Data Transformation button to on. This policy is only for encrypting the clear text data in persistent volumes where the policy is applied.
-
Create a CTE for Kubernetes Production policy with Policy Type: CTE for Kubernetes.
-
Make sure that the Data Transformation toggle is set to off.
-
For the key rule, you must use the same key as in the Data Transformation policy.
Apply GuardPolicies
- Add both policies, that you just created in the previous section, to the K8s Storage Group.
Adding an Annotation for Data Transformation to a claim
-
Add an annotation for the Data Transformation policy to your
yaml
claim file. For example:cte-csi-claim.yaml
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: cte-claim annotations: csi.cte.cpl.thalesgroup.com/dataxform_policy: <dataxformPolicyName> csi.cte.cpl.thalesgroup.com/policy: production-policy //This must match your CTE CSI Policy name. csi.cte.cpl.thalesgroup.com/source_pvc: nfs-test-claim // nfs source persistent volume claim spec: storageClassName: <CHANGE to the storageclass name that you deployed. For example: e.g. csi-test-sc> accessModes: - ReadWriteMany resources: requests: storage: 1Ki
Note
- The Data Transformation will start as soon as the protected pod is deployed using the above cte-claim. Check that the logs are updated or described in the Application Pod.
Warning
-
Do not delete the protected pod while Data Transformation is in progress.
-
The
dataxform_auto_lock
file is created in the Guard Policy path. Do not edit/delete this file.