Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

Guarding an Efficient Storage Device on Windows

Guard the Windows Device with an ES GuardPoint

search

Please Note:

Guard the Windows Device with an ES GuardPoint

After the device has been initialized, you can guard the device as an ES GuardPoint from the CipherTrust Manager Console. For existing devices, as soon as the GuardPoint has been pushed to the host and the status changes to guarded, CTE begins transforming the data on the disk using the encryption key associated with the GuardPoint Policy.

  1. Log on to the CipherTrust Manager Console as an administrator of type Security with Host role permissions, type Domain and Security, or type All.

  2. Make sure that you know what Policy you want to associate with the GuardPoint or create a new policy if needed. The policy you use for CTE-Efficient Storage must be either a Standard policy or an In-Place Data Transformation policy, and it must use a KMIP-accessible XTS-AES 256 key in the key rule. For more information on key requirements, see ES GuardPoint Encryption Keys.

  3. Select Hosts > Hosts on the menu bar. The Hosts window opens.

  4. Click the target host in the Host Name column. The Edit Host window opens to the General tab for the selected host.

  5. Click the GuardPoints tab and then click Guard. The Guard File System window opens.

    1. In the Policy field, select the Policy you identified or created earlier in this procedure. CTE will use the XTS-AES 256 key associated with this policy to encrypt the data on the device.

    2. In the Type field, select Raw or Block Device (Auto Guard) .

      When you select Auto Guard, CTE starts the guard process as soon as the policy is pushed to the host.

    3. In the Path field, add the device label you assigned when you initialized the disk. For example, ExistWinDisk1.

      If you specify multiple device labels in this field, all specified devices will be guarded and all will be encrypted with the encryption key specified in the selected policy.

    4. Make sure the Secure Start check box is checked.

  6. When you are done, click OK.

    The CipherTrust Manager pushes the policy and the GuardPoint configuration to the host and the CTE Agent on the host writes the ES Header into the CTE Private Region for the specified devices.

    If this is a new device, the status changes to guarded and the disk is available for user access immediately. At this point you can use the Windows Disk Manager to perform any required disk management tasks and all data that gets written to the disk will be protected by CTE.

    If there is existing data on the device, CTE begins transforming the data from clear-text to cipher-text as soon as the ES GuardPoint configuration is available and the device status changes to guarded. The device will remain inaccessible until this data transformation completes. The length of time required to transform the data depends on the size of the disk.

  7. If this disk is part of a cluster, do the following:

    1. If the disk has existing data, wait until the data transformation process has completed before you proceed. To verify the status of the process, use the voradmin esg status command.

    2. After any required data transformation is complete, apply the same GuardPoint with the same policy to the disk on each one of the hosts that can access the disk. You must specify the same policy name and disk label on each host.

      Thales recommends that you do not use a Host Group for clustered disks. Instead, you should apply the GuardPoint individually on each host.

    3. After you have created the GuardPoint on each host that can access the disk, you can bring the disk back online or restart the SQL Role/SQL server.

Data Relocation on Existing Windows Devices

When you add an ES GuardPoint to a device that has been initialized with the xform option, CTE shifts the existing data by 64MB, then it creates the CTE Private Region in the first 64MB on the device. This relocation occurs only once when the device is guarded for the first time.

Data Transformation on Existing Windows Devices

As the ES Header is written before data transformation begins, the data transformed to cipher-text and written back to the device during data transformation process is subject to data reduction process through the storage array.

Existing devices populated with data are transformed from clear-text to cipher-text using the encryption key applied to each device. Data transformation is also called CipherTrust In-Place Data Transformation (CTE-IDT).

CTE-IDT is not the same as the legacy offline data transformation. CTE-IDT is a block level data transformation with built-in resiliency to recover from system crashes during the data transformation process. CTE-IDT uses the CTE Private Region on the device to manage the entire transformation process. CTE-IDT partitions the data on a device in segments of 512KB in size and transforms one or multiple segments, up to 60 segments, in parallel. The CTE-IDT process preserves existing data in a segment during transformation in the private region of the device, and then transforms the data in-place. CTE-IDT also maintains the segments undergoing transformation in the private region. In the event of system crash, CTE-IDT will recover the segments undergoing transformation at the time of crash and then resume the transformation process.

Another advantage of CTE-IDT over legacy offline data transformation is that CTE-IDT does not require a separate policy for data transformation. With the same production policy applied to the device, CTE-IDT determines whether the device is in need of data transformation, per specification of xform option when device was initialized, and starts the CTE-IDT process when transformation is required. During the CTE-IDT process, access to the device is blocked until the CTE-IDT process completes.

To view the data transformation status, use the voradmin esg status command and look in the Xform Status column. In the following example:

  • Disk1 has been guarded and the data transformation process has completed, so the device is guarded and ready to use.

  • Disk2 was initialized as a new device, so no data transformation was required. The device is guarded and ready to use.

  • Disk3 has been guarded but the data transformation process is still in progress. This device cannot be accessed until the data transformation process has completed.

     voradmin esg status
Disk###  Device Name                        Boot Disk  ESG Device label             Guard Status   Xform Status
-------  ---------------------------------  ---------  ---------------------------  -------------  -------------
Disk0    \Device\Ide\IdeDeviceP0T0L0-0      Yes        NA                           unguarded
Disk1    \Device\00000032                   No         ExistWinDisk1                guarded        Completed
Disk2    \Device\00000033                   No         NewESDisk                    guarded        NA  
Disk3    \Device\00000034                   No         ExistWinDisk2                guarded        In-Progress (18%)

CTE-IDT Recovery From Crash

CTE-IDT is fault tolerant in the event of system crashes. CTE-IDT keeps track of the transformation process over the entire device. In the event of a crash, CTE-IDT will automatically resume transformation from the point of failure as soon the GuardPoint is enabled after system startup.

If you find the transformation status set to In-Progress when the GuardPoint is not enabled, the In-Progress state reflects an earlier system crash after which the GuardPoint has not been enabled to recover from the interruption in the CTE-IDT process.

On this page