Initialize Windows CTE-Efficient Storage Devices
When you initialize a Windows CTE-Efficient Storage device, the process creates the CTE Private Region on the device so that CTE can write the Efficient Storage Device Header along with metadata that identifies the storage device as a guarded device. The CTE Private Region also contains the metadata for the initial transformation of clear-text data on device to cipher-text, and for the subsequent transformation of cipher-text on the device to another encryption key as needed. The initialization process also adds a user-defined label for the storage device that the Administrator will use when referring to the device in the CipherTrust Manager.
This user-defined label is maintained across system reboots, allowing CTE to always find the device regardless of any device name changes that may happen within Windows.
How you initialize the device depends on whether it is a new device or an existing device that already holds data that must be transformed into cipher-text. For details, see the two procedures below.
Initialize New Windows Devices
For each new device you want to initialize, run the voradmin esg config new command. The new option specifies that the device does not hold user data, and that CTE can reserve the first 64MB of storage on the device for the CTE Private Region. The remaining storage space is available for new user data. The device size reported to applications is the actual device size minus the CTE Private Region size.
Do not use the voradmin esg config new command if the Windows disk has existing data that you want to keep. After you guard a device that has been initialized with this command, you will need to reformat the device, and all existing data will be lost. To initialize a disk with existing data, see Initialize and Resize Existing Windows Devices.
- Log into the device as an Administrator and open PowerShell or Cmd (command prompt).
- Close all applications, including any Windows disk management tools, that are using or mounting the device.
- If this disk is part of a cluster, you must take the disk offline. You do not need to take any of the other disks in the cluster offline, and you do not need to take the disk out of the cluster, but the disk itself must be offline during this procedure.
  - For an unstructured data cluster, open the Windows Failover Cluster Manager and go to <cluster name> > Storage > Disks, then select the disk and take it offline.
  - For a structured SQL database cluster, open the Windows Failover Cluster Manager and go to Roles > SQL <cluster name> Role. Stop the Role for the SQL instance or take the SQL server offline.
- Make sure you know the Device Names of the devices that you want to protect. To get a list of the Device Names for the available devices, use the voradmin esg list disk command and look in the Device Name column. Any new disk that is not a boot disk and that does not contain any data can be initialized by CTE as a new disk. For example:

      voradmin esg list disk
      Disk###  Device Name                     Boot Disk  Size      Status   Partition  Read Only  SERIAL NUMBER
      -------  ------------------------------  ---------  --------  -------  ---------  ---------  ---------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0   Yes        127.0 GB  Online   MBR        No         6000c29d241599...
      Disk1    \Device\00000032                No         49.9 GB   Online   MBR        No         6000c29b1d5a4c...
      Disk2    \Device\00000033                No         50.9 GB   Online   MBR        Yes        6000c290582227...
      Disk3    \Device\00000034                No         50.9 GB   Online   MBR        No         6000c290fd627b...

  In the example above, the available Device Names are \Device\00000032, \Device\00000033, and \Device\00000034.
- Run the voradmin esg config new <device-name>=<label> command, where:
  - new (required) indicates that the device contains no data (it is a new disk). CTE will create the CTE Private Region at the beginning of the disk, and the rest of the disk will be available for user data.
  - <device-name>=<label> (required) is the device name and a user-defined label for the device. This label is the path the Administrator uses to refer to the device in the CipherTrust Manager (for example, \Device\00000033=NewESDisk). The label can be 1 to 32 ASCII characters. Do not use spaces or special characters in the label.

  Make sure that the device you select does not contain any existing data. When CTE applies the GuardPoint to a new device, it removes the existing file system information from the device. That means the device will need to be reformatted, and all existing data will be unrecoverable as soon as the GuardPoint is applied.

  For example, if you want to initialize a new Windows disk device named 00000033 with the label NewESDisk, you would specify:

      voradmin esg config new \Device\00000033=NewESDisk
      Disk is initialized successfully with CTE ESG protection.
- To verify that the disk has been initialized, run the voradmin esg status command. This command shows that the device label has been set and the Xform Status has been set to NA (not applicable). For example:

      voradmin esg status
      Disk###  Device Name                        Boot Disk  ESG Device label  Guard Status  Xform Status
      -------  ---------------------------------  ---------  ----------------  ------------  ------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0      Yes        NA                unguarded
      Disk1    \Device\00000032                   No                           unguarded
      Disk2    \Device\00000033                   No         NewESDisk         unguarded     NA
      Disk3    \Device\00000034                   No                           unguarded

- At this point the CipherTrust Manager Administrator can protect the device as an ES GuardPoint through the console as described in Guard the Windows Device with an ES GuardPoint.
The initialization process prepares the devices to be guarded but does not actually guard them. You must assign an ES GuardPoint to each device through the CipherTrust Manager before the devices are actually protected. In addition, the initialization state is held only in memory until the devices are guarded or rebooted: if a device is rebooted before you guard it, you must perform the initialization procedure again.
Initialize and Resize Existing Windows Devices
If a Windows device has existing data, you need to use the voradmin esg config xform command to initialize the disk for CTE. This command tells CTE that the data on the device needs to be encrypted after an ES GuardPoint is assigned to the device through the CipherTrust Manager. After the CTE initialization is complete, you then need to resize the device before you can guard it with an ES GuardPoint.
The following procedure describes how to initialize existing devices for CTE. Note that the existing data is not altered in any way until after you perform this procedure and you guard the data with an ES GuardPoint. CTE does not begin transforming the data from clear-text to cipher-text until the ES GuardPoint has been applied and the encryption key has been pushed to the device through the GuardPoint Policy.
- Log into the device as an Administrator and open PowerShell or Cmd (command prompt).
- Close all applications, including any Windows disk management tools, that are using or mounting the device.
- If this disk is part of a cluster, you must take the disk offline. You do not need to take any of the other disks in the cluster offline, and you do not need to take the disk out of the cluster, but the disk itself must be offline during this procedure.
  - For an unstructured data cluster, open the Windows Failover Cluster Manager and go to <cluster name> > Storage > Disks, then select the disk and take it offline.
  - For a structured SQL database cluster, open the Windows Failover Cluster Manager and go to Roles > SQL <cluster name> Role. Stop the Role for the SQL instance or take the SQL server offline.
- Make sure you know the Device Names of the devices that you want to protect. To get a list of the available devices on Windows, use the voradmin esg list disk command. The Device Name column shows the names of the available disks. Existing disks must not be boot disks, and they must not be Read Only. In the following example, \Device\00000032 and \Device\00000034 show No in both the Boot Disk and Read Only columns:

      voradmin esg list disk
      Disk###  Device Name                     Boot Disk  Size      Status   Partition  Read Only  SERIAL NUMBER
      -------  ------------------------------  ---------  --------  -------  ---------  ---------  ---------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0   Yes        127.0 GB  Online   MBR        No         6000c29d241599...
      Disk1    \Device\00000032                No         49.9 GB   Online   MBR        No         6000c29b1d5a4c...
      Disk2    \Device\00000033                No         50.9 GB   Online   MBR        Yes        6000c290582227...
      Disk3    \Device\00000034                No         50.9 GB   Online   MBR        No         6000c290fd627b...
- If you want to make sure the disk has not yet been initialized, use the voradmin esg status command. If the disk already has an ESG Device Label, then the disk has already been initialized. In the following example, Disk2 has already been initialized, but Disk1 and Disk3 have not:

      voradmin esg status
      Disk###  Device Name                        Boot Disk  ESG Device label  Guard Status  Xform Status
      -------  ---------------------------------  ---------  ----------------  ------------  ------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0      Yes        NA                unguarded
      Disk1    \Device\00000032                   No                           unguarded
      Disk2    \Device\00000033                   No         NewESDisk         unguarded     NA
      Disk3    \Device\00000034                   No                           unguarded
- For each existing device you want to initialize, run the voradmin esg config xform <device-name>=<label> command, where:
  - xform (required) indicates that the device contains existing data. CTE will transform all existing data on the device from clear-text to cipher-text as soon as you guard the device. The device will be inaccessible until the transformation is complete, and the device must remain offline during the entire transformation process. No user access is permitted until all data has been transformed.
  - <device-name>=<label> (required) is the device name and a user-defined label for the device. This label is the path the Administrator uses to refer to the device in the CipherTrust Manager (for example, \Device\00000032=ExistWinDisk1). The label can be 1 to 32 ASCII characters. Do not use spaces or special characters in the label.

  For example, if you want to initialize the existing Windows device named 00000032 with the label ExistWinDisk1 and the device 00000034 with the label ExistWinDisk2, you would specify:

      C:> voradmin esg config xform \Device\00000032=ExistWinDisk1
      Disk is initialized successfully with CTE ESG protection.
      Disk must be Resized to at least 128MB before guarding as Efficient Storage GuardPoint
      C:> voradmin esg config xform \Device\00000034=ExistWinDisk2
      Disk is initialized successfully with CTE ESG protection.
      Disk must be Resized to at least 128MB before guarding as Efficient Storage GuardPoint

  With Windows, you always need to increase the disk size on each device by at least 128MB, which provides enough space for the CTE Private Region as well as room to relocate the existing data. After you guard the disk, you can expand it again later, but you cannot shrink it unless you remove the GuardPoint. For details about the data relocation, see Data Relocation on Existing Windows Devices.
- To verify that the disks have been initialized, run the voradmin esg status command. This command shows that the device labels have been set and the Xform Status has been set to Not Started. For example:

      voradmin esg status
      Disk###  Device Name                        Boot Disk  ESG Device label  Guard Status  Xform Status
      -------  ---------------------------------  ---------  ----------------  ------------  ------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0      Yes        NA                unguarded
      Disk1    \Device\00000032                   No         ExistWinDisk1     unguarded     Not Started
      Disk2    \Device\00000033                   No         NewESDisk         unguarded     NA
      Disk3    \Device\00000034                   No         ExistWinDisk2     unguarded     Not Started
- At this point, you need to resize all initialized existing devices by increasing their volume size through the Pure Storage management interface. Make sure you increase the device size on each device by at least 128 MB. For details, see your Pure Storage documentation.

  To verify that the disk size has been increased, use the voradmin esg list disk command:

      voradmin esg list disk
      Disk###  Device Name                     Boot Disk  Size      Status   Partition  Read Only  SERIAL NUMBER
      -------  ------------------------------  ---------  --------  -------  ---------  ---------  ---------------
      Disk0    \Device\Ide\IdeDeviceP0T0L0-0   Yes        127.0 GB  Online   MBR        No         6000c29d241599...
      Disk1    \Device\00000032                No         50.1 GB   Online   MBR        No         6000c29b1d5a4c...
      Disk2    \Device\00000033                No         50.9 GB   Online   MBR        Yes        6000c290582227...
      Disk3    \Device\00000034                No         51.1 GB   Online   MBR        No         6000c290fd627b...

  You cannot assign an ES GuardPoint to the devices until they have been resized. If you do not resize the devices, the GuardPoint assignment will fail.
- After the devices have been resized, the CipherTrust Manager Administrator can protect the devices as ES GuardPoints through the console as described in Guard the Windows Device with an ES GuardPoint.

The initialization process prepares the devices to be guarded but does not actually guard them. You must assign an ES GuardPoint to each device through the CipherTrust Manager before the devices are actually protected. In addition, the initialization state is held only in memory until the devices are guarded or rebooted: if a device is rebooted before you guard it, you must perform the initialization procedure again.
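The following PowerShell script is an added example; it is not part of the CTE documentation and not code from the voradmin tool. It parses the voradmin esg list disk and voradmin esg status output formats shown in both procedures above, and uses them to do the three checks an operator performs by eye: which disks are eligible for new or xform initialization (not a boot disk, not already labelled, and for xform not Read Only), whether a chosen label satisfies the 1 to 32 ASCII-character rule, and whether a resized existing device actually grew by at least 128 MB. The sample output embedded in the script is constructed from the tables on this page; the function names, the letters-and-digits-only reading of "no special characters", and the assumption that Guard Status reads either guarded or unguarded are assumptions made here, not facts from the documentation.

```powershell
# Added example (not CTE documentation or voradmin code). Pre-flight and post-resize
# checks built on the 'voradmin esg list disk' / 'voradmin esg status' output formats
# shown on this page. Live text: $listText = (voradmin esg list disk) -join "`n"

function ConvertFrom-EsgListDisk {
    # Parses 'voradmin esg list disk' rows; sizes are normalised to MB.
    param([Parameter(Mandatory)][string]$Text)
    $unitToMB = @{ MB = 1; GB = 1024; TB = 1024 * 1024 }
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(Disk\d+)\s+(\S+)\s+(Yes|No)\s+([\d.]+)\s*(MB|GB|TB)\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(\S+)') {
            [pscustomobject]@{
                Disk = $Matches[1]; DeviceName = $Matches[2]; BootDisk = ($Matches[3] -eq 'Yes')
                SizeMB = [double]$Matches[4] * $unitToMB[$Matches[5]]; Status = $Matches[6]
                Partition = $Matches[7]; ReadOnly = ($Matches[8] -eq 'Yes'); Serial = $Matches[9]
            }
        }
    }
}

function ConvertFrom-EsgStatus {
    # Parses 'voradmin esg status'. Label and Xform Status may be blank, so the Guard
    # Status token anchors the row: tokens before it = label, after it = Xform Status.
    # Assumptions: Guard Status is 'guarded' or 'unguarded'; a label of 'NA' means none.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '^\s*Disk\d+\s') { continue }
        $tok = $line.Trim() -split '\s+'
        $g = -1
        for ($i = 3; $i -lt $tok.Count; $i++) { if ($tok[$i] -match '^(un)?guarded$') { $g = $i; break } }
        if ($g -lt 0) { continue }
        $label = if ($g -gt 3) { $tok[3..($g - 1)] -join ' ' } else { '' }
        if ($label -eq 'NA') { $label = '' }
        $xform = if ($g -lt $tok.Count - 1) { $tok[($g + 1)..($tok.Count - 1)] -join ' ' } else { '' }
        [pscustomobject]@{
            Disk = $tok[0]; DeviceName = $tok[1]; BootDisk = ($tok[2] -eq 'Yes')
            Label = $label; GuardStatus = $tok[$g]; XformStatus = $xform
        }
    }
}

function Test-EsgLabel {
    # Page rule: 1 to 32 ASCII characters, no spaces or special characters.
    # Letters and digits only is the conservative reading applied here (assumption).
    param([Parameter(Mandatory)][string]$Label)
    return [bool]($Label -match '^[A-Za-z0-9]{1,32}$')
}

function Get-EsgCandidate {
    # Eligibility per the page: never a boot disk, never an already-labelled disk; 'xform'
    # also rejects Read Only disks. That a 'new' disk holds no user data must be confirmed by hand.
    param($Disks, $StatusRows, [ValidateSet('new', 'xform')][string]$Mode)
    foreach ($d in $Disks) {
        $why = @()
        if ($d.BootDisk) { $why += 'boot disk' }
        if ($Mode -eq 'xform' -and $d.ReadOnly) { $why += 'read only' }
        $s = $StatusRows | Where-Object DeviceName -eq $d.DeviceName
        if ($s -and $s.Label) { $why += "already initialized as '$($s.Label)'" }
        [pscustomobject]@{ Disk = $d.Disk; DeviceName = $d.DeviceName
                           Eligible = ($why.Count -eq 0); Reason = ($why -join '; ') }
    }
}

function Test-EsgResize {
    # Confirms an existing device grew by at least 128 MB after the storage-side resize.
    # 'list disk' shows 0.1 GB steps, so a delta under the minimum means 'confirm on the array'.
    param($Before, $After, [string]$DeviceName, [double]$MinDeltaMB = 128)
    $b = $Before | Where-Object DeviceName -eq $DeviceName
    $a = $After  | Where-Object DeviceName -eq $DeviceName
    $delta = $a.SizeMB - $b.SizeMB
    [pscustomobject]@{ DeviceName = $DeviceName; BeforeMB = $b.SizeMB; AfterMB = $a.SizeMB
                       DeltaMB = [math]::Round($delta, 1); MeetsMinimum = ($delta -ge $MinDeltaMB) }
}

# --- Constructed sample output, copied from the examples on this page ---
$listBefore = @'
Disk0  \Device\Ide\IdeDeviceP0T0L0-0  Yes  127.0 GB  Online  MBR  No   6000c29d241599...
Disk1  \Device\00000032               No   49.9 GB   Online  MBR  No   6000c29b1d5a4c...
Disk2  \Device\00000033               No   50.9 GB   Online  MBR  Yes  6000c290582227...
Disk3  \Device\00000034               No   50.9 GB   Online  MBR  No   6000c290fd627b...
'@
# Sizes after the Pure Storage resize (Disk1 49.9 -> 50.1 GB, Disk3 50.9 -> 51.1 GB)
$listAfter = $listBefore -replace '49\.9 GB', '50.1 GB' -replace '(Disk3.*?)50\.9 GB', '${1}51.1 GB'
$statusBefore = @'
Disk0  \Device\Ide\IdeDeviceP0T0L0-0  Yes  NA         unguarded
Disk1  \Device\00000032               No              unguarded
Disk2  \Device\00000033               No   NewESDisk  unguarded  NA
Disk3  \Device\00000034               No              unguarded
'@
$before = ConvertFrom-EsgListDisk $listBefore
$after  = ConvertFrom-EsgListDisk $listAfter
$status = ConvertFrom-EsgStatus   $statusBefore

# Disks eligible for 'xform' (Disk2 is rejected: Read Only and already labelled NewESDisk)
Get-EsgCandidate -Disks $before -StatusRows $status -Mode xform | Format-Table -AutoSize
# Print (do not run) the commands for the chosen devices, validating each label first
$labels = @{ '\Device\00000032' = 'ExistWinDisk1'; '\Device\00000034' = 'ExistWinDisk2' }
foreach ($dev in $labels.Keys) {
    if (-not (Test-EsgLabel $labels[$dev])) { throw "invalid label for $dev" }
    "voradmin esg config xform $dev=$($labels[$dev])"
}
# 49.9 GB -> 50.1 GB is +204.8 MB, which meets the 128 MB minimum
Test-EsgResize -Before $before -After $after -DeviceName '\Device\00000032' | Format-Table -AutoSize
```

To use the script against a live system, replace the three here-strings with the captured command output as shown in the header comment; the parsers ignore the header and separator rows. Note that the eligibility check cannot tell whether a disk holds user data, which is the one condition for new initialization that only the operator can confirm, and that because voradmin esg list disk reports sizes in 0.1 GB steps a reported increase of 0.1 GB (about 102 MB) does not prove the 128 MB minimum was met: confirm the exact new size on the storage array in that case.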