Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Guard the Linux Device with an ES GuardPoint

Data Transformation on Existing Linux Devices

search

Please Note:

Data Transformation on Existing Linux Devices

As the ES Header is written before data transformation begins, the data transformed to cipher-text and written back to the device during data transformation process is subject to data reduction process through the storage array.

Existing devices populated with data are transformed from clear-text to cipher-text using the encryption key applied to each device. Data transformation is also called In-Place Data Transformation (CTE-IDT).

CTE-IDT is not the same as the legacy offline data transformation. CTE-IDT is a block level data transformation with built-in resiliency to recover from system crashes during the data transformation process. CTE-IDT uses the CTE Private Region on the device to manage the entire transformation process. CTE-IDT partitions the data on a device in segments of 1MB in size and transforms one or multiple segments, up to 60 segments, in parallel. The CTE-IDT process preserves existing data in a segment during transformation in the private region of the device, and then transforms the data in-place. CTE-IDT also maintains the segments undergoing transformation in the private region. In the event of system crash, CTE-IDT will recover the segments undergoing transformation at the time of crash and then resume the transformation process.

You can specify the number of segments to transform concurrently using -c option of the voradmin command when initializing the device. Choose a concurrency level that does not affect performance of your production workload. By default, CTE-IDT transforms 8 segments concurrently, if the concurrency level has not been specified through the voradmin command.

note

Note

When choosing the concurrency level for your system you must consider the number of CPU cores, the total IOPS of your storage system and production workload, the size of the device to transform, and the duration for the data transformation.

Another advantage of CTE-IDT over legacy offline data transformation is that CTE-IDT does not require a separate policy for data transformation. With the same production policy applied to the device, CTE-IDT determines whether the device is in need of data transformation, per specification of xform option when device was initialized, and starts the CTE-IDT process when transformation is required. During the CTE-IDT process, access to the device is blocked until the CTE-IDT process completes.

copy link to clipboardThin-Provisioned Devices

CTE-IDT skips transforming thin-provisioned regions of a device. Data returned to CTE-IDT as sequence of clear-text zeros, in sector size granularity, is indication of possible sparse or un-allocated regions of the device that do not have to be transformed.

copy link to clipboardCTE-IDT Recovery From Crash

CTE-IDT is fault tolerant in the event of system crashes. CTE-IDT keeps track of the transformation process over the entire device. In the event of a crash, CTE-IDT will automatically resume transformation from the point of failure as soon the GuardPoint is enabled after system startup.

If you find the transformation status set to In-Progress when the GuardPoint is not enabled, the In-Progress state reflects an earlier system crash after which the GuardPoint has not been enabled to recover from the interruption in the CTE-IDT process.

On this page

  • CTE-IDT Recovery From Crash