Changing the Encryption Key for a Windows ES GuardPoint
To meet various compliance requirements, you may want to change the key that CTE has used to encrypt an ES GuardPoint. Thales refers to this changing of encryption keys as “key rotation” or “rekey”. Unlike the CipherTrust Transparent Encryption - Live Data Transformation product that Thales offers for file systems on traditional storage devices, changing the encryption key on an ES GuardPoint requires taking the device offline. The data on the device is inaccessible during the key rotation process.
The key rotation process involves the following:
- Creating a new policy for key rotation
- Preparing the ESG device for key rotation
- Applying the new policy to the ESG device on the CipherTrust Manager
See the following sections for details of key rotation. If your organization has separated security duties, some of the steps below may need to be completed by different people.
Requirements and Considerations
Rekeying a Windows ES GuardPoint requires an In-Place Data Transformation policy, which is available with the CipherTrust Manager version 6.4.2 and later. If the Windows host is registered with an older version of the CipherTrust Manager, you must upgrade the CipherTrust Manager to at least version 6.4.2 if you want to rekey a Windows ES GuardPoint.
Creating a New Policy for Key Rotation
As part of rekeying the data on an ESG device, you must create a new In-Place Data Transformation policy with a key rule specifying the current key and the new key. When this policy is pushed to the host from the CipherTrust Manager, the CTE Agent will decrypt the data on the device using the initial version of the key and then it will re-encrypt it using the next version of the key.
Rekeying the Windows Device
- Shut down any applications accessing the GuardPoint. If the GuardPoint is a device mounted as a file system, this also includes unmounting the file system.
  During this procedure, you will have to disable the GuardPoint while the device is being rekeyed. Therefore it is critical that no file changes occur during the rekey process, or the data may become corrupted.
- If this disk is part of a cluster, you must check the ownership of the disk and then take the disk offline. You do not need to take any of the other disks in the cluster offline, and you do not need to take the disk out of the cluster. But the disk itself must be offline during this procedure if it is part of a cluster.
  During this procedure, you need to log into the host that owns the disk in order to run the voradmin esg rekey command. If you want to do that on a host other than the current owner, change the disk ownership in the Windows Failover Cluster Manager. After you have set the correct owner, take the disk offline:
  - For an unstructured data cluster, open the Windows Failover Cluster Manager and go to <cluster name> > Storage > Disks, then select the disk and take it offline.
  - For a structured SQL database cluster, open the Windows Failover Cluster Manager and go to Roles > SQL <cluster name> Role. Stop the Role for the SQL instance or take the SQL server offline.
- In the CipherTrust Manager Console, unguard the ES GuardPoint.
  If this disk is part of a cluster, unguard the disk on each one of the hosts that can access the disk.
- Log into the host with System Administrator privileges.
  If this disk is part of a cluster, you need to log into the host that is the current owner of the disk.
- Make sure that the device you intend to rekey is no longer guarded, using the voradmin esg status command. In the following example, we are about to rekey the device NewESDisk:

      voradmin esg status
      Disk###   Device Name                     Boot Disk   ESG Device label   Guard Status   Xform Status
      -------   -----------------------------   ---------   ----------------   ------------   ------------
      Disk0     \Device\Ide\IdeDeviceP0T0L0-0   Yes         NA                 Unguarded
      Disk1     \Device\Ide\IdeDeviceP0T1L0-1   No          NewESDisk          Unguarded      NA
      Disk2     \Device\Ide\IdeDeviceP1T1L0-3   No          ExistWinDisk1      Guarded        NA

- Use the voradmin esg rekey command to prepare the device to be rekeyed. For example:

      voradmin esg rekey NewESDisk
      Disk is initialized successfully with CTE ESG protection.

- In the CipherTrust Manager Console, guard the device with the new policy you created in Creating a New Policy for Key Rotation. Make sure that:
  - You select Raw or Block Device (Auto Guard).
  - You check the Secure Start check box.
  When you click OK, the CipherTrust Manager pushes the new policy to the ES GuardPoint and the CTE Agent rekeys the device.
- During the rekey process, you can use the voradmin esg status command to track the rekey progress.

      voradmin esg status
      Disk###   Device Name                     Boot Disk   ESG Device label   Guard Status   Xform Status
      -------   -----------------------------   ---------   ----------------   ------------   ------------
      Disk0     \Device\Ide\IdeDeviceP0T0L0-0   Yes         NA                 Unguarded
      Disk1     \Device\Ide\IdeDeviceP0T1L0-1   Unknown     NewESDisk          Guarded        In Progress(80%)
      Disk2     \Device\Ide\IdeDeviceP1T1L0-3   No          ExistWinDisk1      Guarded        NA

  When the rekey process has finished, the status changes to Completed.

      voradmin esg status
      Disk###   Device Name                     Boot Disk   ESG Device label   Guard Status   Xform Status
      -------   -----------------------------   ---------   ----------------   ------------   ------------
      Disk0     \Device\Ide\IdeDeviceP0T0L0-0   Yes         NA                 Unguarded
      Disk1     \Device\Ide\IdeDeviceP0T1L0-1   Unknown     NewESDisk          Guarded        Completed
      Disk2     \Device\Ide\IdeDeviceP1T1L0-3   No          ExistWinDisk1      Guarded        NA

- If you want to verify that the GuardPoint is using the new key, use the voradmin esg status xform <device-label> command. For example:

      voradmin esg status xform NewESDisk
      ESG Rekey/Xform Status
      -----------------------
      Status          :NA
      Device Type     :New
      Key Information:
          Key UUID    :cf242f18-de61-3f72-ba57-0b28a94a4f21
          KeyID       :48361
          KeyName     :ES-Rekey
          Old KeyID   :0
          Old KeyName :ES_Key
      Block information:
          Transformed :0
          Remaining   :0
          Total       :0

- If the disk is not part of a cluster, you can restore access to the disk at this point. If it is part of a cluster, do the following:
  - After any required data transformation is complete, apply the same GuardPoint with the same policy to the disk on each one of the hosts that can access the disk. You must specify the same policy name and disk label on each host.
  - After you have created the GuardPoint on each host that can access the disk, you can bring the disk back online or restart the SQL Role/SQL server.
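The three voradmin checks in the procedure above (device Unguarded before rekey, Xform Status polled until Completed, KeyName confirmed via the xform output) are easy to skip or misread when done by hand. The following script is an added example, not Thales code and not part of the CTE product: it parses the voradmin esg status and voradmin esg status xform output exactly as shown in this section and turns each check into a function that returns a result you can act on. The column layout it assumes is taken from the examples above; the sample output embedded in it is constructed from those same examples so the script runs offline. On a real host, replace the samples with the output of the voradmin_esg helper at the bottom.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample output, copied from the voradmin examples in this section.
# The column layout (Disk###, Device Name, Boot Disk, ESG Device label,
# Guard Status, Xform Status) is assumed from those examples.
STATUS_BEFORE = r"""
Disk###   Device Name                     Boot Disk   ESG Device label   Guard Status   Xform Status
-------   -----------------------------   ---------   ----------------   ------------   ------------
Disk0     \Device\Ide\IdeDeviceP0T0L0-0   Yes         NA                 Unguarded
Disk1     \Device\Ide\IdeDeviceP0T1L0-1   No          NewESDisk          Unguarded      NA
Disk2     \Device\Ide\IdeDeviceP1T1L0-3   No          ExistWinDisk1      Guarded        NA
"""
_ROW_BEFORE = "No          NewESDisk          Unguarded      NA"
STATUS_IN_PROGRESS = STATUS_BEFORE.replace(
    _ROW_BEFORE, "Unknown     NewESDisk          Guarded        In Progress(80%)")
STATUS_DONE = STATUS_BEFORE.replace(
    _ROW_BEFORE, "Unknown     NewESDisk          Guarded        Completed")
XFORM_DONE = """\
ESG Rekey/Xform Status
-----------------------
Status          :NA
Device Type     :New
Key Information:
    Key UUID    :cf242f18-de61-3f72-ba57-0b28a94a4f21
    KeyID       :48361
    KeyName     :ES-Rekey
    Old KeyID   :0
    Old KeyName :ES_Key
"""

# One status row. The trailing Xform Status may be empty or contain spaces
# ("In Progress(80%)"), so it is captured as everything after Guard Status.
ROW_RE = re.compile(
    r"^(?P<disk>Disk\d+)\s+(?P<device>\S+)\s+(?P<boot>Yes|No|Unknown)\s+"
    r"(?P<label>\S+)\s+(?P<guard>Guarded|Unguarded)\s*(?P<xform>.*)$")
PROGRESS_RE = re.compile(r"In Progress\((\d+)%\)")
KEY_RE = re.compile(r"^\s*KeyName\s*:\s*(\S+)", re.MULTILINE)
OLD_KEY_RE = re.compile(r"^\s*Old KeyName\s*:\s*(\S+)", re.MULTILINE)


def parse_esg_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map each ESG device label to its columns; a blank Xform Status becomes 'NA'."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["xform"] = row["xform"].strip() or "NA"
            devices[row["label"]] = row
    return devices


def ready_for_rekey(status_text: str, label: str) -> bool:
    """Gate for 'voradmin esg rekey': the device must be listed and Unguarded."""
    row = parse_esg_status(status_text).get(label)
    return row is not None and row["guard"] == "Unguarded"


def rekey_progress(status_text: str, label: str) -> Tuple[str, Optional[int]]:
    """('completed', 100), ('in_progress', percent) or ('idle', None)."""
    row = parse_esg_status(status_text).get(label)
    if row is None:
        raise ValueError(f"device label {label!r} not in status output")
    if row["xform"] == "Completed":
        return ("completed", 100)
    m = PROGRESS_RE.search(row["xform"])
    return ("in_progress", int(m.group(1))) if m else ("idle", None)


def key_names(xform_text: str) -> Tuple[Optional[str], Optional[str]]:
    """(KeyName, Old KeyName) from 'voradmin esg status xform <label>' output."""
    new, old = KEY_RE.search(xform_text), OLD_KEY_RE.search(xform_text)
    return (new.group(1) if new else None, old.group(1) if old else None)


def rekey_verified(status_text: str, xform_text: str, label: str, new_key: str) -> bool:
    """True only when the transformation is Completed and KeyName is the expected new key."""
    state, _ = rekey_progress(status_text, label)
    return state == "completed" and key_names(xform_text)[0] == new_key


def voradmin_esg(*args: str) -> str:
    """Run 'voradmin esg ...' on the CTE host (requires administrator privileges)."""
    return subprocess.run(["voradmin", "esg", *args],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline walk-through on the embedded samples; on a real host use
    # voradmin_esg("status") and voradmin_esg("status", "xform", "NewESDisk") instead.
    print("ready for rekey:", ready_for_rekey(STATUS_BEFORE, "NewESDisk"))
    print("progress:", rekey_progress(STATUS_IN_PROGRESS, "NewESDisk"))
    print("verified:", rekey_verified(STATUS_DONE, XFORM_DONE, "NewESDisk", "ES-Rekey"))
```

The ready_for_rekey check deliberately returns False for a label that is absent from the output, not only for one that is still Guarded, so a mistyped device label cannot pass the gate. rekey_verified requires both conditions the procedure calls for: the Xform Status must read Completed and the KeyName reported by the xform command must be the new key, so a device whose policy push succeeded but whose transformation has not finished is not reported as done.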