Overview of the dataxform Utility
The dataxform utility is installed on a protected host during CTE Agent installation. The utility:
- Reads each file block-by-block
- Uses the production key to decrypt each block
- Re-encrypts it with the data transformation key
- Rewrites it to its original location.
The following figure illustrates that transforming data with dataxform requires collaboration between the Protected Host Administrator and the Security Administrator for the key manager with which the host is registered.
Figure 1-7: Administrator Collaboration
- The protected host administrator disables access to the files to be transformed by stopping the applications and/or databases that use them, and informs the key manager Security Administrator once the files are inaccessible.
- The key manager Security Administrator creates a dataxform policy with the appropriate encryption key(s) and applies it to the GuardPoint.
- The protected host administrator runs the dataxform utility on the GuardPoint directory with the appropriate parameters and options, and informs the key manager Security Administrator when the utility completes.
- The key manager Security Administrator replaces the dataxform policy with a production/standard policy (or an initial test policy used to create the production policy). These policies use production keys that are the same as the encryption key used in the dataxform policy. After the switch, the key manager Security Administrator informs the protected host administrator.
- The protected host administrator re-enables user access to the protected data.
Protected host and key manager Security Administrators must coordinate with each other to transform protected data sets using dataxform. While this makes it impossible for a single individual to subvert CTE security, close coordination can be difficult to arrange, particularly in large data centers with many protected hosts administered by different individuals. To partially relax this requirement without compromising security, dataxform execution can be automated. See Automatic Data Transformation.
In addition to rekeying protected files, you can use dataxform for the initial encryption and decryption of file sets. For initial encryption, the key manager Security Administrator specifies clear_key as the transformation policy's encryption key and a new encryption key as the production key. This instructs the utility not to decrypt files before "re-encrypting" them. Similarly, to decrypt protected data, the key manager Security Administrator specifies clear_key as the transformation key and the existing encryption key as the production key, causing dataxform to decrypt but bypass re-encryption.
The dataxform utility starts by creating a list of all files that may require transformation. To guarantee that the list remains correct until the transformation is completed, the administrator must prevent all file access by including an "all_ops" "deny" rule in the policy. Without this rule, dataxform does not start.
When using dataxform, it is important to keep in mind the following issues:
- Ensure that the pre-transformation production policy, the dataxform policy, and the post-transformation production policy all specify the same files to be affected.
- Similarly, the dataxform policy must specify the same production key as the pre-transformation production policy, and the post-transformation production policy must specify the same production key as the dataxform policy's transformation key.
CTE does not cross-check key relationships. This is the responsibility of the key manager Security Administrator.
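Because CTE leaves these key relationships unchecked, the Security Administrator has to verify them before applying the dataxform policy. The following Python model is an added illustration, not Thales code and not the real CTE policy format: it encodes the three relationships listed above (same files, pre-transformation production key equals the dataxform production key, post-transformation production key equals the dataxform transformation key) plus the required "all_ops" "deny" rule, and classifies the clear_key cases described earlier using the key roles from the four-step description at the top of the page (the production key decrypts, the transformation key re-encrypts). The Policy class, its field names, the paths and the key names are all hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Key name the page uses to mean "no encryption applied".
CLEAR_KEY = "clear_key"


@dataclass(frozen=True)
class Policy:
    """Hypothetical model of a CTE policy; field names are invented for this example."""
    name: str
    resources: frozenset                       # files/directories the policy guards
    production_key: str                        # key used to decrypt the data as it is today
    transformation_key: Optional[str] = None   # dataxform policies only: key to re-encrypt with
    denies_all_ops: bool = False               # True when the policy carries an "all_ops" "deny" rule


def check_chain(pre: Policy, xform: Policy, post: Policy) -> List[str]:
    """Cross-check the three policies the way the Security Administrator must by hand.

    Returns a list of human-readable problems; an empty list means the
    pre-transformation, dataxform and post-transformation policies agree.
    """
    problems = []
    if not (pre.resources == xform.resources == post.resources):
        problems.append("policies do not cover the same set of files")
    if xform.transformation_key is None:
        problems.append("dataxform policy specifies no transformation key")
    if xform.production_key != pre.production_key:
        problems.append("dataxform production key differs from pre-transformation production key")
    if post.production_key != xform.transformation_key:
        problems.append("post-transformation production key differs from dataxform transformation key")
    if not xform.denies_all_ops:
        problems.append('dataxform policy lacks the "all_ops" "deny" rule, so dataxform will not start')
    return problems


def classify(xform: Policy) -> str:
    """Name the operation dataxform would perform under this policy."""
    if xform.production_key == CLEAR_KEY and xform.transformation_key == CLEAR_KEY:
        return "no-op"
    if xform.production_key == CLEAR_KEY:
        return "initial encryption"   # nothing to decrypt; only the re-encryption step runs
    if xform.transformation_key == CLEAR_KEY:
        return "decryption"           # decrypt with the production key, skip re-encryption
    return "rekey"


if __name__ == "__main__":
    # Constructed sample policies for one GuardPoint; paths and key names are invented.
    files = frozenset({"/data/db"})
    pre = Policy("prod-2023", files, production_key="key-2023")
    xform = Policy("rekey-2024", files, "key-2023", transformation_key="key-2024", denies_all_ops=True)
    post = Policy("prod-2024", files, production_key="key-2024")
    print(classify(xform), check_chain(pre, xform, post))

    # A post-transformation policy that still names the old key would break access after the switch.
    stale_post = Policy("prod-2024-wrong", files, production_key="key-2023")
    for problem in check_chain(pre, xform, stale_post):
        print("problem:", problem)
```

The stale_post case is the one worth running: the rekey itself would complete without error, and only the mismatch between the re-encryption key and the key named by the replacement production policy reveals that users would regain access to data they can no longer read.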