Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Policies for Exchange DAG

Creating Policies for Standard Encryption with CipherTrust Manager

search

Please Note:

Creating Policies for Standard Encryption with CipherTrust Manager

When you use standard encryption, you need to create two policies:

  • The initial encryption policy specifies the current encryption key (if any) and the encryption key you want CTE to use when it encrypts the data. This policy also denies access to any other process trying to access the GuardPoint.

    You apply the initial encryption policy when you first create the GuardPoint, and you leave it in place until all of the data has been encrypted. After that, you remove this policy from the GuardPoint.

  • The production policy specifies the same encryption key as the initial encryption policy along with any security rules you want to use to protect your data. After the initial encryption has completed, you apply the production policy to the GuardPoint and allow users and applications to access the now-protected data.

copy link to clipboardCreating the Initial Encryption Policy

  1. Log into CipherTrust Manager and launch the CTE application.

  2. In the left-hand menu bar, click Policies.

  3. Click Create Policy.

  4. For Name, make sure you use a name that clearly designates this as an initial-encryption policy and not a production policy. You will need to be able to find this policy name from the list of all available policies when you create the GuardPoint.

  5. For Policy Type, select Standard.

  6. Enable the Data Transformation check box.

  7. Click Next to go to the Security Rules page. CipherTrust Manager should have automatically added a security rule for Action: key_op, Effect: permit,applykey. If this security rule is not there, click Back and make sure you have enabled the Data Transformation check box.

  8. Click Create Security Rule and do the following:

    1. In the Action field, select all_ops.

    2. In the Effect field, select deny.

    3. Click Add to return to the Security Rules page.

    You should now have two security rules, as shown:

  9. Click Next to go to the Key Rules page.

  10. Click Create Key Rule.

  11. In Current Key Name, click Select to specify the current encryption key used for the data. If the data is unencrypted, specify clear_key as the encryption key. When you are done, click Add. For example:

    tip

    Tip

    You can also create a new key at this point if desired. For details on creating an encryption key, see your CipherTrust Manager documentation.

  12. Click Next to go to the Data Transformation page.

  13. Click Create Data Transformation Rule.

  14. In the Transformation Key Name field select the encryption key you want to use to encrypt the data. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted. For example, if you want to encrypt the data with the key CS1_AES256, you would specify the following transformation rule:

  15. Click Next to go to the Confirmation page.

  16. Verify your selections and click Save to save the policy.

copy link to clipboardCreating the Production Policy

  1. Launch the CTE application.

  2. In the left-hand menu bar, click Policies.

  3. Click Create Policy.

  4. For Name, make sure you use a name that clearly designates this as a production policy and not an initial encryption policy. You will need to be able to find this policy name from the list of all available policies when you create the GuardPoint.

  5. For Policy Type, select Standard.

  6. Click Next to go to the Security Rules page. Enter the security rules you want to use based on your production environent requirements. You can add as many security rules as you need to define who should have access to the protected data.

  7. When you are done, click Next to go to the Key Rules page.

  8. Click Create Key Rule.

  9. In Key Name field, click Select to specify the encryption key used to transform the data in the initial encryption policy. When you are done, click Add. For example:

  10. Click Next to go to the Data Transformation page.

  11. Click Create Data Transformation Rule.

  12. In the Transformation Key Name field select the encryption key you want to use to encrypt the data. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted. For example, if you want to encrypt the data with the key CS1_AES256, you would specify the following transformation rule:

  13. Click Next to go to the Confirmation page.

  14. Verify your selections and click Save to save the policy.

On this page