Creating Standard GuardPoints with the DFSR Hub and Spoke Topology
If you are using the hub and spoke DFSR topology, encrypt the data on the hub first and then encrypt the data on the spokes. After you have encrypted the data on the hub server, you have two options for the data on the spoke servers:
- Option 1: Delete the existing spoke server data and allow DFSR to replicate the encrypted hub data to the spoke servers. The advantage of this method is that you only need to encrypt the data on the hub. The disadvantage is that it takes time to replicate the data to all the spoke servers.
- Option 2: Encrypt each spoke server using the same encryption process that you use on the hub server. The advantage of this method is that you do not need to wait for the full data replication process across the network. The disadvantage is that you must run the encryption process on all spoke servers.
Prerequisites
- Make sure you have a good backup of the data you plan to encrypt.
- Make sure you know what devices or directories you plan to protect.
- Make sure you understand how data transformation GuardPoints are created as described in the CTE Data Transformation Guide.
- Make sure you have an initial encryption policy and a production policy as described in Creating Standard Policies for DFSR.
The following procedures assume you are using dataxform to encrypt the data in place. If you are using the copy or restore encryption method, see the CTE Data Transformation Guide.
Procedure for Option 1: Use DFSR to Replicate the Encrypted Data
1. Disable user and application access to all devices and directories you intend to encrypt so that no users can add or change the data during the transformation process. This must be done on the hub server and all spoke servers in the namespace.
   You do not have to take down the namespace itself.
2. On the hub server:
   a. Stop the DFSR service.
   b. In your key manager, create the GuardPoints you want to encrypt and apply the initial encryption policy to those GuardPoints.
      Make sure that all GuardPoints are at or above the level of the DFSR replication point as described in Considerations with DFSR.
      Do not create GuardPoints for the DfsrPrivate directories yet.
   c. On the hub server, run the dataxform utility as described in the CTE Data Transformation Guide.
   d. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and reguard them using the production DFSR policy.
   e. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, if the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.
      Do not start the DFSR service yet.
3. On each spoke server, do the following:
   a. Stop the DFSR service on the spoke server.
   b. Delete the data in all devices and directories that you added GuardPoints for on the hub server.
   c. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server, making sure that you apply the same operational policy to each GuardPoint on the spoke server that you applied on the hub server.
      Make sure you also create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server. Because the directories are empty, you do not need to use the initial encryption policy or the dataxform utility on the spoke servers. You can guard the empty directory and the private directories directly using the production policy.
   d. Start the DFSR service on the spoke server.
4. Repeat the previous step for each spoke server in the configuration.
5. When every spoke server has exactly the same production GuardPoints as the hub server, return to the hub server and do the following:
   a. Start the DFSR service on the hub.
   b. Force replication from the hub to the spokes.
6. When replication to all spokes in the configuration is complete, re-enable user and application access to the devices and directories you encrypted.
Procedure for Option 2: Encrypt the Data on All Servers
1. Disable user and application access to all devices and directories you intend to encrypt so that no users can add or change the data during the transformation process. This must be done on the hub server and all spoke servers in the namespace.
   You do not have to take down the namespace itself.
2. On the hub server, do the following:
   a. Disable access to the hub server so that no one can change the data during the transformation process.
   b. Stop the DFSR service on the hub.
   c. In your key manager, create the GuardPoints you want to encrypt and apply the initial encryption policy to those GuardPoints.
      Make sure that all GuardPoints are at or above the level of the DFSR replication point as described in Considerations with DFSR.
      Do not create GuardPoints for the DfsrPrivate directories yet.
   d. Run the dataxform utility on the hub server as described in the CTE Data Transformation Guide.
   e. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and reguard them using the production DFSR policy.
   f. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, if the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.
   g. Restart the DFSR service on the hub server.
3. On each spoke server, do the following:
   a. Stop the DFSR service on the spoke server.
   b. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server, making sure that you apply the same initial encryption policy to the GuardPoints on the spoke server that you applied on the hub server.
      Do not create the DfsrPrivate GuardPoints yet.
   c. On the spoke server, run the dataxform utility as described in the CTE Data Transformation Guide.
   d. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and reguard them using the same production DFSR policy that you used for the corresponding GuardPoint on the hub server.
   e. Create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.
   f. Restart the DFSR service on the spoke server.
   g. Re-enable user and application access to the spoke server.
4. Repeat the previous step for each spoke server in the configuration.
5. When data encryption is complete on all spokes in the configuration, re-enable user and application access to the devices and directories you encrypted.
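Both procedures above depend on the same end state before the DFSR service is started again: every spoke carries exactly the hub's GuardPoints on the production policy, nothing is left on the initial encryption policy, and each directory-level GuardPoint has a DfsrPrivate GuardPoint on the same policy. The following pre-flight check is an added example, not part of the CTE documentation or product; it assumes GuardPoint inventories exported from the key manager as path-to-policy maps, and the policy names and sample inventories are constructed.

```python
import re
from typing import Dict, List

# Policy names are assumptions; use your own names from the key manager.
INITIAL_POLICY = "dfsr-initial-xform"
PRODUCTION_POLICY = "dfsr-production"

def normalize(gps: Dict[str, str]) -> Dict[str, str]:
    """Compare GuardPoint paths case-insensitively, ignoring a trailing backslash."""
    return {p.rstrip("\\").lower(): pol for p, pol in gps.items()}

def check_server(name: str, gps: Dict[str, str]) -> List[str]:
    """Nothing may still use the initial policy, and every directory-level
    GuardPoint needs a DfsrPrivate GuardPoint on the same production policy."""
    findings = []
    for path, policy in gps.items():
        if policy == INITIAL_POLICY:
            findings.append(f"{name}: {path} still uses the initial encryption policy")
        # Device-level GuardPoints (D:) and DfsrPrivate directories need no companion.
        if re.fullmatch(r"[a-z]:", path) or path.endswith("\\dfsrprivate"):
            continue
        private = path + "\\dfsrprivate"  # e.g. d:\data -> d:\data\dfsrprivate
        if private not in gps:
            findings.append(f"{name}: no DfsrPrivate GuardPoint for {path}")
        elif gps[private] != policy:
            findings.append(f"{name}: DfsrPrivate policy differs from {path}")
    return findings

def check_topology(hub: Dict[str, str], spokes: Dict[str, Dict[str, str]]) -> List[str]:
    """Each spoke must carry exactly the hub's GuardPoints with the same policy
    before the DFSR service is started again on the hub."""
    hub = normalize(hub)
    findings = check_server("hub", hub)
    for spoke, raw in spokes.items():
        gps = normalize(raw)
        findings += check_server(spoke, gps)
        for path, policy in hub.items():
            if path not in gps:
                findings.append(f"{spoke}: missing hub GuardPoint {path}")
            elif gps[path] != policy:
                findings.append(f"{spoke}: {path} policy differs from hub")
        findings += [f"{spoke}: extra GuardPoint {p}" for p in gps if p not in hub]
    return findings

# Constructed sample inventories, not from any real deployment.
HUB = {"D:\\data\\": PRODUCTION_POLICY, "D:\\data\\DfsrPrivate": PRODUCTION_POLICY}
SPOKES = {
    "spoke1": {"d:\\data": PRODUCTION_POLICY, "d:\\data\\DfsrPrivate": PRODUCTION_POLICY},
    "spoke2": {"D:\\data\\": INITIAL_POLICY},  # transformation unfinished, no DfsrPrivate
}
```

An empty result from check_topology(HUB, SPOKES) means the hub and spokes match; each finding names the server and the GuardPoint that still needs attention before DFSR is restarted.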