Please Note:

You are not viewing the most recent version of this page. 7.7.0 is the latest version available.

User Guides
Overview of CipherTrust Transparent Encryption Agent
- Configuring CTE with CipherTrust Manager
  - Installation Prerequisites
  - Installing and Registering CTE
    - Installation on Linux
    - Installation on Windows
    - Registration with Windows
  - Guarding a Device with CipherTrust Manager
    - Access the CipherTrust Manager Domain
    - Create an Encryption Key
    - Create a Standard Policy
    - Create a GuardPoint
  - Ransomware Protection
CTE Agent for Linux Advanced Configuration Guide Release
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
- Special Cases for CTE Policies
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the saslauthd.service File
  - Supported Use Cases
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files
  - Restricting Access with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
  - Use Cases Involving IDT-Capable GuardPoints
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
CTE Agent for Windows Advanced Configuration Guide Release
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
      - Silent Installation Using the exe File
      - Silent Installation Using the MSI File
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Using STA for Multifactor Authentication for CTE GuardPoints
    - Using Okta for Multifactor Authentication for CTE GuardPoints
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Using Cisco DUO for Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Administrator Tasks for Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Installing Ransomware Protection
    - Using Ransomware Protection
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - To Upgrade in Windows Silently
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent for AIX Installation and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files
  - Restricting Access with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CipherTrust Transparent Encryption Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Duplicate Elimination
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with dataxform
    - Estimating the dataxform Runtime Period
    - Manually Running dataxform on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring dataxform
    - Using the Message Log Window
    - Using vordxf_* Files
    - Using dataxform_status* Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - dataxform Examples and Full Command Syntax
    - dataxform Command Syntax Examples
    - dataxform Command Parameters
  - Unencrypting Data
CipherTrust Transparent Encryption - Live Data Transformation
- Introduction to CTE-LDT
  - Overview of CTE-LDT
  - Keys in CTE-LDT (Versioned Keys)
  - CTE-LDT Policies
  - CTE-LDT Runtime Flow
  - CTE-LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using CTE-LDT
  - Backup/Restore
  - Restrictions
- Installing CTE-LDT
  - System Requirements
  - Installing the CTE-LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling CTE-LDT on a Protected Host
- Using CTE-LDT
  - Creating and Viewing Versioned Keys
  - Creating CTE-LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
      - General Best Practices for QoS
      - Select and Set Rekey I/O Rate
  - Creating a CTE-LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of CTE-LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
      - Renaming Directories on Linux
      - Caveats
      - Example
      - Considerations
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
  - Using CTE-LDT with SAP HANA Fibre Channel Systems (Linux Only)
- CTE-LDT Administration
  - CTE-LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for CTE-LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for CTE-LDT (Linux)
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFSR and Replication (Windows)
  - Backing Up and Restoring CTE-LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - CTE-LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File (MDS) in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-CTE-LDT Backup Data to an CTE-LDT GuardPoint
    - Using fsfreeze (Linux only)
    - CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - CTE-LDT Backup and Restore Troubleshooting
  - CTE-LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different CTE-LDT Policy
  - Removing CTE-LDT and Security Encryption
    - Migrating a GuardPoint Out of CTE-LDT
    - Deleting CTE-LDT Metadata (Linux)
    - Deleting CTE-LDT Metadata (Windows)
    - Removing CTE-LDT from a Host
  - Uninstalling the Agent while CTE-LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using CTE-LDT with CIFS/NFS shares
  - Introduction
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role to a host within an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover
    - LDT GuardPoint Group Commands
      - Info
      - Remove
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - CTE Windows Deployment for LDT AccessOnly nodes
    - Policy and GuardPoint Management
      - Creating a GuardPoint on a CIFS Share Drive on CipherTrust Manager
      - Pausing and Resuming LDT per host and per GuardPoint
      - Migrating GuardPoints over NFS from or to an LDT Policy
      - Multiple GuardPoint Pathnames
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Alerts
  - Troubleshooting
  - Quality of Service
- Troubleshooting CTE-LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining CTE-LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing CTE-LDT Operations at the Command Line (Windows only)
  - Protecting CTE-LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume CTE-LDT Operation
    - Insufficient Resources
    - Failed to Update CTE-LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update CTE-LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Restoring Non-CTE-LDT Backup Data to an CTE-LDT GuardPoint

This section describes how to restore data encrypted with a non-versioned key to an CTE-LDT GuardPoint.

If the backup was performed with the Apply Key effect, the backup files are in clear text. Simply restore the clear text files to the CTE-LDT GuardPoint with the Apply Key effect. All files will be encrypted with the versioned key.

If the backup of the non-CTE-LDT GuardPoint was performed without the Apply Key effect, the backup is encrypted, and you must do the following:

Note

The following example is for a manual guarding. The steps may differ slightly if your GuardPoint is configured for auto guard.

Create a temporary directory for restoring the files, type:
```
mkdir -p /oxf-fs1/tmp_restore
```
Restore the encrypted backup files into the temporary directory, type:
```
cp -pr /backup-media/oxf-fs1/gp1/data_files/* /oxf-fs1/tmp_restore
```
Create a Standard Policy with the Apply Key effect for all operations, using the same key as the policy applied on the GuardPoint at the time of backup.
Create and enable a new GuardPoint for the temporary directory using the Standard Policy just created.
```
secfsd -guard /oxf-fs1/tmp_restore
```

Ensure that the temporary GuardPoint and CTE-LDT GuardPoint are both enabled.

secfsd -status guard
GuardPoint            Policy      Type       ConfigState  Status       Reason
----------            ------      ----       -----------  ------       ------
/oxf-fs1/gp1          LDT_AES256  manual     guarded      guarded      N/A
/oxf-fs1/tmp_restore  AES256      manual     guarded      guarded      N/A

Move the restored files from the temporary folder to the GuardPoint enabled with the CTE-LDT policy. The CTE agent encrypts the files in the CTE-LDT GuardPoint using the current key version in effect for the CTE-LDT policy.
```
mv /oxf-fs1/tmp_restore/* /oxf-fs1/gp1
```
Disable the temporary GuardPoint and remove the temporary restore directory.
```
secfsd -unguard /oxf-fs1/tmp_restore
rm -fr /oxf-fs1/tmp_restore
```
Delete the temporary GuardPoint on the CipherTrust Manager.

Restoring Non-CTE-LDT Backup Data to an CTE-LDT GuardPoint

On this page

Suggest A Change