Please Note:

Integrations and Solutions
CTE Agent for AIX Integration Guide
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent for Linux Integration Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE-Efficient Storage for Linux
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Linux
    - Requirements for Efficient Storage GuardPoints on Linux
    - Initialize Linux Efficient Storage Devices
    - Guard the Linux Device with an ES GuardPoint
      - Data Relocation on Existing Linux Devices
      - Data Transformation on Existing Linux Devices
    - Example of Creating an ES GuardPoint on an Existing Linux Device
  - Guarding a CTE-Efficient Storage Device with Multiple IO Paths on Linux
  - Linux System and ES GuardPoint Administration
    - voradmin ESG Commands on Linux
    - Viewing Device Status and the ES Header on Linux
    - File System Mount Points on Linux
    - Linux System Utilities for Signing
  - Changing the Encryption Key on Linux ESG Devices
  - Resizing Guarded Efficient Storage Devices
    - Example: Resizing a Linux Device
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
      - Challenges with Root Access on Linux
    - Best Practices for the Migration of a legacy Raw Device Guardpoint to an Efficient Storage Guardpoint
    - Migration Prerequisites
    - Migration
    - Use Case 4: Using CTE-Efficient Storage with LVM
  - Alerts and Errors on Linux
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify the Devices to Be Guarded
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
CTE Agent for Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
      - Supported FileTables Use Cases
      - Unsupported FileTables Use Cases
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with DFSR
  - Overview
  - Creating Required DFSR Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFSR
    - Creating Standard GuardPoints with the DFSR Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFSR Full Mesh Topology
  - Using the CTE-LDT Encryption Method
    - Creating a CTE-LDT Policy for DFSR
    - Creating a CTE-LDT GuardPoint for DFSR
- Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- CTE-Efficient Storage for Windows
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Windows
    - Requirements for Efficient Storage GuardPoints on Linux
    - Limitations for ES GuardPoints on Windows
    - Initialize Windows CTE-Efficient Storage Devices
    - Guard the Windows Device with an ES GuardPoint
  - Windows System and ES GuardPoint Administration
  - Changing the Encryption Key for a Windows ES GuardPoint
  - Resizing Guarded Efficient Storage Devices
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
    - Use Case 4: Full Device Protection
  - Alerts and Errors on Windows
- Encrypt Microsoft OneDrive files with CTE

Using CTE with SQL Server on Linux on Red Hat 8

Considerations and Requirements

System Requirements:
- SQL Server 2019. Other versions of SQL Server are not supported with CipherTrust Transparent Encryption.
- Red Hat 8. Other versions of Red Hat are not supported with CipherTrust Transparent Encryption.
Note
Other database applications may be used instead of MySQL, but Thales has only tested this feature with MySQL.
CipherTrust Transparent Encryption agent supports manual GuardPoints on a device or folder for both standalone and cluster SQL Server database. Automatic GuardPoints are supported on a standalone SQL Server database. Automatic GuardPoints are supported on a standalone SQL Server database but not for cluster SQL Server databases.
The CipherTrust Transparent Encryption resource agent supports GuardPoints created from standard or Live Data Transformation policies. It does not support IDT-Capable GuardPoints or Efficient Storage GuardPoints.

Create a CTE guarded standalone SQL Server database

Configure the target database data and log directory location as mssql, type:

sudo /opt/mssql/bin/mssql-conf set <filelocation.defaultdatadir> /u01/app/mssql/data
sudo /opt/mssql/bin/mssql-conf set <filelocation.defaultlogdir> /u01/app/mssql/log
sudo systemctl restart mssql-server

Guard targeted directory with standard encryption policy using CS1 or CBC keys of either 128aes or 256aes encryption.

Example

Policy Type: Standard

Rule	Value
Security Rules
Action	all_ops
Effect	permit, audit, applykey
Key Selection Rule
Key	aes128 or 256 with CS1 or CBC

# secfsd -status guard

Response

:::text
GP                      Policy                  Type   ConfigState  Status   Reason
----------              ------                  ----   -----------  ------   ------
/u01/app/mssql/data     encrypt_cs1_aes128_all  local  guarded      guarded  N/A
/u01/app/mssql/data     encrypt_cbc_aes256_all  local  guarded      guarded  N/A

Create a target SQL Server database on a guarded directory as mssql, type:

sqlcmd -S localhost -U SA -P '<password>'
CREATE DATABASE <targetdb>
go

Verify that data and log files are residing in the newly designated directory:
```
use <targetdb>
SELECT filename from sysfiles
GO
```

Expected results: Should see data/log file in a guarded directory:

/u01/app/mssql/data/testdb.mdf
/u01/app/mssql/log/testdb_log.ldf

Convert a baseline SQL Server database to a CTE GuardPoint using Dataxform

Shutdown the SQL Server service, type:

# sudo systemctl stop mssql-server
# systemctl status mssql-server

Create an online policy using CS1 or CBC keys of either 128aes or 256aes encryption.

Example of aes256

Policy Name: dxf_clear_to_cbc_aes250_onhost

Policy Type: Standard

Rule Value

Security Rules

Action key_ops

Effect permit, applykey

Key Selection Rule

Key clear_key

Data Transformation

Key cbc_aes256_onhost

Add the GuardPoint with the policy dxf_clear_to_aes256_onhost to the targeted baseline database data/log directory, type:

# secfsd -status guard

Response

GuardPoint            Policy                          Type  ConfigState  Status   Reason
----------            ------                          ----  -----------  ------   ------
/u01/app/mssql/log    dxf_clear_to_cbc_aes250_onhost  local  guarded     guarded  N/A
/u01/app/mssql/data   dxf_clear_to_cbc_aes250_onhost  local  guarded     guarded  N/A

Run dataxform with the above policy as the root user.

dataxform --rekey --cleanup_on_success --gp /u01/app/mssql/dataxform/data
dataxform --rekey --cleanup_on_success --gp /u01/app/mssql/dataxform/log

Example

# dataxform --rekey --cleanup_on_success --gp /u01/app/mssql/dataxform/data

Response

Checking if `/u01/app/mssql/dataxform/data` is a guard point with a rekey policy applied
`/u01/app/mssql/dataxform/data` is a guard point with a rekey policy applied
About to perform the requested data transform operation
-- Be sure to back up your data
-- Please do not attempt to terminate the application
Do you wish to continue (y/n)?y
.
.
.
Data transform for guard point /data1/oracle/oradata/xformdb finished
About to remove the data transformation status files
Do you wish to continue (y/n)?y
Removal of data transformation status files completed

Unguard GuardPoints /u01/app/mssql/dataxform/data and /u01/app/mssql/dataxform/data from policy dxf_clear_to_aes256_onhost.

Guard these GuardPoints again with a standard policy which encrypts using the same open aes256 key policy as dxf_clear_to_cbc_aes256_onhost.

# secfsd -status guard

Response

GuardPoint            Policy                  Type   ConfigState  Status   Reason
----------            ------                  ----   -----------  ------   ------
/u01/app/mssql/data   encrypt_cbc_aes256_all  local  guarded      guarded  N/A
/u01/app/mssql/log    encrypt_cbc_aes256_all  local  guarded      guarded  N/A

Start the database and then test to see if the data is accessible, type:

# sudo systemctl start mssql-server
# sqlcmd -S localhost -U SA -P '<password>'
use <targetdb>
SELECT filename from sysfiles
go

Expected results: You should be able to log into your targeted datatransformed database and query system files.

Create a CTE guarded Standalone SQL Server database using LDT

Enable the LDT setting in CipherTrust Manager using one of the following methods:
- Install agent to your targeted database host with LDT enabled Configuring CTE with CipherTrust Manager.
- Enable LDT on an existing CipherTrust Transparent Encryption installed host using the CM GUI.

Create a targeted new baseline in the SQL Server database:

Example

sudo /opt/mssql/bin/mssql-conf set filelocation.defaultdatadir /var/opt/mssql/LDT/data
sudo /opt/mssql/bin/mssql-conf set filelocation.defaultlogdir /var/opt/mssql/LDT/data
sudo systemctl restart mssql-server
systemctl status mssql-server
sqlcmd -S localhost -U SA -P '<password>'
CREATE DATABASE `<targetdb>`
SELECT Name from sys.Databases
go

Create an LDT encryption policy using CS1 or CBC keys of either 128aes or 256aes.

Example

Field	Value
Name	LDT_clear_to_CS1_aes256_onhost_key
Expiration Date	`<target date>`
Algorithm	AES256 or AES128
Encryption Mode	CBC_CS1 or CBC
Key Type	Cache on Host
Automatic Key Rotation	Selected
Key Version Life Span (days)	`<target #>`

Create an online LDT policy using the key created in the previous step.

Example for CBC_CS1 with AES256

Policy Name: LDT_clear_to_CS1_aes256_onhost

Security Rules

Rule Action

Order 1

Action key_op

Effect Permit, Apply Key

Browsing No

Rule Action

Order 2

Action all_ops

Effect Permit, Audit, Apply Key

Browsing Yes

Rule Action

Order 3

Action all_ops

Effect Deny, Audit

Browsing Yes

Key Selection Rule:

Key Description

Order 1

Current Key clear_key

Transformation Key LDT_clear_to_CS1_aes256_onhost_key

Exclusion Rule No

Rule	Action
Order 1
Action	key_op
Effect	Permit, Apply Key
Browsing	No

Rule	Action
Order 2
Action	all_ops
Effect	Permit, Audit, Apply Key
Browsing	Yes

Rule	Action
Order 3
Action	all_ops
Effect	Deny, Audit
Browsing	Yes

Key	Description
Order 1
Current Key	clear_key
Transformation Key	LDT_clear_to_CS1_aes256_onhost_key
Exclusion Rule	No

Stop the SQL Server, type:

# sudo systemctl stop mssql-server
# systemctl status mssql-server

Guard the new LDT baseline database with the LDT policy created in the previous step.

# secfsd -status guard

Response

GuardPoint                     Policy                            Type       ConfigState  Status   Reason
----------                ------                            ----       -----------  ------   ------
/var/opt/mssql/LDT/data   LDT_clear_to_CS1_aes256_onhost    local      guarded      guarded  N/A

Wait for the Rekey Status in CipherTrust Manager to display: Rekeyed.

Run LDT with the same policy to verify the transformation of the baseline database.

# voradmin ldt attr get <data/log directory of baseline database>

Example:

# voradmin ldt attr get /var/opt/mssql/LDT/data

Response

LDT stats: version=6, rekey_status=rekeyed
    Number of times rekeyed:                1 time
    Rekey start time:                       2022/09/02 05:41:26
    Last rekey completion time:             2022/09/02 05:41:28
    Estimated rekey completion time:        N/A
    Policy key version:                     0
    Pushed Policy key version:              0
    Policy ID:
        1001
    Data stats:
        total=16.0MB, rekeyed=11.0MB
        truncated=0.0MB, sparse=5.0MB
    File stats:
        total=2, rekeyed=2, failed=0
        passed=0, skipped=0, created=0, removed=0, excluded=0

Expected results:

No errors in output
rekey_status=rekeyed

Note

Do not start the next step until rekey_status = rekeyed.

Restart the SQL Server, type:

# su - mssql
# sudo systemctl start mssql-server
# systemctl status mssql-server

Access the targeted database and query the data, type:

sqlcmd -S localhost -U SA -P '<password>'
use <targetdb>
use <targetdb>
SELECT filename from sysfiles
go

Expected results: You should be able to log into your targeted database and query system files.

Using CTE with SQL Server on Linux on Red Hat 8

Considerations and Requirements

Create a CTE guarded standalone SQL Server database

Convert a baseline SQL Server database to a CTE GuardPoint using Dataxform

Create a CTE guarded Standalone SQL Server database using LDT

On this page

Suggest A Change