Creating Standard GuardPoints with the DFSR Full Mesh Topology
If you are using the full mesh DFSR topology, you must restrict access to the data on all servers in the namespace until it has been encrypted on all servers in the namespace. That means the data will be inaccessible to users and applications until the encryption procedure has been completed on all servers.
Prerequisites
- Make sure you have a good backup of the data you plan to encrypt.
- Make sure you know what devices or directories you plan to protect.
- Make sure you understand how data transformation GuardPoints are created as described in the CTE Data Transformation Guide.
- Make sure you have an initial encryption and a production policy as described in Creating Standard Policies for DFSR.
The following procedure assumes you are using dataxform to encrypt the data in place. If you are using the copy or restore encryption method, see the CTE Data Transformation Guide.
Procedure
- On all servers in the configuration:
  - Disable user and application access to all devices and directories you intend to encrypt so that no users can add or change the data during the transformation process.
  - Stop the DFSR service on each server.
    The DFSR service must be stopped on all servers before you can create the GuardPoints on any server in the configuration.
- On one of the servers in the configuration, do the following:
  - In your key manager, create the GuardPoints you want to encrypt and apply the initial encryption policy to those GuardPoints.
    Make sure that all GuardPoints are at or above the level of the DFSR replication point as described in Considerations with DFSR.
    Do not create GuardPoints for the DfsrPrivate directories yet.
  - Run the dataxform utility on the server as described in the CTE Data Transformation Guide.
  - After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and reguard them using the production DFSR policy.
  - If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, if the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.
- Repeat the previous step on each of the remaining servers in the configuration.
  When you are done, the production GuardPoints should be identical on every server in the namespace.
- Restart the DFSR service on each server in the namespace.
- Re-enable user and application access to all devices and directories.
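As an added example, not taken from the CTE documentation (which does not prescribe tooling for these steps), the following PowerShell script enforces the gate at the start of the procedure, stopping DFSR on every member of the mesh and refusing to continue until all of them report Stopped, and then derives the DfsrPrivate GuardPoint path that must accompany each directory-level GuardPoint. It assumes WinRM remoting to the member servers; the server names and GuardPoint paths are constructed placeholders, and GuardPoint creation itself is still done in the key manager as the procedure describes.

```powershell
# Added example, not part of the CTE documentation. Server names and GuardPoint
# paths are constructed placeholders; replace them with your own.
$Servers     = @('DFSR-SRV01', 'DFSR-SRV02', 'DFSR-SRV03')  # every member of the full mesh
$GuardPoints = @('D:\data', 'E:\projects')                  # directory-level GuardPoints

# Stop DFSR on every member and return each server's final service state.
# Invoke-Command (WinRM) works on both Windows PowerShell 5.1 and PowerShell 7.
function Stop-DfsrOnAllServers {
    param([string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            Stop-Service -Name DFSR -Force
            # Wait up to 60 seconds for the service to actually reach 'Stopped'.
            (Get-Service -Name DFSR).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
            [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = (Get-Service -Name DFSR).Status }
        }
    }
}

# Gate: no GuardPoint may be created until DFSR is stopped on ALL servers.
$states = Stop-DfsrOnAllServers -ComputerName $Servers
$stillRunning = $states | Where-Object { $_.Status -ne 'Stopped' }
if ($stillRunning) {
    throw "DFSR is not stopped on: $(($stillRunning.Server) -join ', '). Do not create GuardPoints yet."
}
$states | Format-Table -AutoSize

# For each directory-level GuardPoint, the matching DfsrPrivate GuardPoint that is
# created (with the same production policy) only after dataxform has finished.
function Get-DfsrPrivateGuardPoint {
    param([string[]]$Path)
    foreach ($p in $Path) {
        [pscustomobject]@{
            GuardPoint  = $p
            DfsrPrivate = Join-Path -Path $p -ChildPath 'DfsrPrivate'   # e.g. D:\data\DfsrPrivate
        }
    }
}
Get-DfsrPrivateGuardPoint -Path $GuardPoints | Format-Table -AutoSize

# Restart DFSR only once the production GuardPoints are identical on every server.
function Start-DfsrOnAllServers {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Start-Service -Name DFSR }
}
```

Run the stop section before creating any GuardPoints and call Start-DfsrOnAllServers only after the last server has been reguarded with the production policy.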