Limitations for ES GuardPoints on Windows
The current implementation of ES GuardPoints on Windows has the following limitations:
- CTE does not support dynamic disks or DFS/DFSR.
- All applications that access the Pure Storage LUN directly must be shut down while the devices are being initialized, guarded, and encrypted. Once you begin this process, devices must not be accessed by any other applications until all data has been transformed. If other applications do access the device, CTE may not be able to successfully apply the ES GuardPoint and the user may have to reboot the device.
- If the disk is in a cluster:
  - The disk must be taken offline during the initial guarding process or while the disk is being rekeyed. You do not need to take any of the other disks in the cluster offline and you do not need to take the disk out of the cluster. But the disk itself must be offline.
  - Thales recommends that you do not include the disk in a host group because of the issues that can arise when CTE attempts to make changes to the same device through multiple hosts. These issues are compounded if you have multiple ES GuardPoints that are protected with different policies. In a cluster environment, it is better to manage each host individually through the CipherTrust Manager.
- Once the process has started, Administrators cannot use any Disk Management tools to manage the devices. All disk administration must wait until after the process is complete.
- When you unguard an ES GuardPoint, the files in that GuardPoint may still be accessible through the Windows File Explorer until Windows has updated the file cache. To update the cache immediately, you can do either of the following:
  - Issue the `voradmin esg status` command on the host.
  - Reboot the host.