CTE Components
The CTE solution consists of two parts:
- The CTE Agent software that resides on each protected virtual or physical machine (host). The CTE Agent performs the required data encryption and enforces the access policies sent to it by the key manager. The communication between the CTE Agent and the key manager is encrypted and secure.
  After the CTE Agent has encrypted a device on a host, that device is called a GuardPoint. You can use CTE to create GuardPoints on servers on-site, in the cloud, or a hybrid of both.
- A key manager that stores and manages data encryption keys, data access policies, administrative domains, and administrator profiles. After you install the CTE Agent on a host and register it with a key manager, you can use the key manager to specify which devices on the host you want to protect, which encryption keys are used to protect those devices, and which access policies are enforced on those devices.
Thales offers two key managers that work with CTE:
- CipherTrust Manager, Thales's next generation key manager that supports most CTE features on Linux and Windows, and all CTE features on AIX.
- The Vormetric Data Security Manager (DSM), Thales's legacy key manager that supports all CTE features on Linux, Windows, and AIX.
Both key managers can be set up as either a security-hardened physical appliance or a virtual appliance. Both provide access to the protected hosts through a browser-based graphical user interface as well as an API and a CLI. Thales recommends that you use the CipherTrust Manager unless you need a feature that is only supported by the DSM, as described below.
CipherTrust Manager versions support all CTE for Windows features except for the following:
- Container Security
Support for these features will be included in future releases of the CipherTrust Manager.
You must select one and only one key manager per host or host group. While you could have some hosts registered with a CipherTrust Manager and some registered with a DSM, you cannot have the same host registered to both a CipherTrust Manager and a DSM.
For a list of CTE versions and supported operating systems, see the CTE Compatibility Portal.
CTE Architecture
A GuardPoint is usually associated with a Linux/AIX mount point or a Windows volume, but it may also be associated with a directory sub-tree. The CTE Agent sits between applications and the file system that hosts the files within the GuardPoint. The CTE Agent intercepts every file access request and enforces the access and encryption rules in the policy associated with the GuardPoint.
Figure 1-1: CTE Architecture