Using the Copy or Restore Encryption Method on File Systems
If you apply an encryption GuardPoint to a folder that already contains files, those files remain unencrypted on disk. If you then access them through the GuardPoint, CTE treats them as if they were already encrypted: reads return unreadable data, and a write can corrupt part or all of the file. The only way to access those files in their unencrypted state is to disable or remove the GuardPoint. The copy or restore method below avoids this by copying the data into an empty GuardPoint, so that CTE encrypts each file as it is written.
Prerequisites
- Verify that there is a good backup of the data to be encrypted. This step is vital.
- You will need to stop ALL access and services to the data to be encrypted during part of this procedure, and access will NOT be restored until all of the data has been copied to the new location and the encryption process is complete. Plan for this outage and make sure users know the data will be inaccessible for some time.
- Make sure you have enough empty storage space to copy the data.
- Make sure that you have a CTE production policy with the proper security rules defined for the new GuardPoint. The production policy must use the same encryption key that you will use to initially encrypt the data.
Procedure
1. Log on to your key manager and, if necessary, switch to the domain containing the host you want to protect.
2. Identify the encryption key you want to use to encrypt the data, or create a new encryption key.
3. Create an initial encryption policy for the GuardPoint. This policy is used only to encrypt the data as it is copied into the new directory; afterwards you replace it with the production policy.
   a. For Policy Type, select Standard.
   b. Add a security rule with:
      - Action: all_ops
      - Effect: Apply Key, Permit
   c. Add a Key Rule that specifies the encryption key you want to use. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted.
4. Create an empty directory for the protected data if necessary.
5. Create a GuardPoint on the empty directory.
   - For Policy, select the initial encryption policy you want to use.
   - In the Type field, select either Directory (Auto Guard) or Directory (Manual Guard).
     If you select Auto Guard, CTE starts the guard process as soon as the policy is pushed to the host. You enable, disable, guard, and unguard the GuardPoint in your key manager.
     If you select Manual Guard, you guard the GuardPoint on the protected host with the secfsd -guard <path> command and unguard it with the secfsd -unguard <path> command. This gives you more control over when data transformations occur, because CTE does not start encrypting or rekeying the device until you manually start the process.
   - For Path, enter the path to the directory or click Browse. For example, /dev/sda1/data/HR or E:/data/HR.
6. Stop ALL access and services to the data to be encrypted. Make sure no processes, services, or users are currently accessing the data. You cannot restore access to the data until the encryption process is complete.
7. Copy or restore the data from the old operational directory to the newly created GuardPoint. CTE encrypts the data as it is added to the GuardPoint. Wait until the encryption process has finished for all data in the GuardPoint before you continue with this procedure.
8. Disable the initial encryption policy on the new GuardPoint and apply your production policy. Your data is now fully encrypted and you can redirect access to the GuardPoint.
9. Start application testing and inform application teams that systems are ready for use. Everything should work exactly as before, except that the data is now encrypted. Monitor the situation with your users.
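The copy-and-verify part of steps 6 and 7, as an added shell example that is not part of the CTE documentation. It assumes a Linux host with GNU coreutils, placeholder paths /data/HR (the old operational directory) and /data/HR_encrypted (the empty GuardPoint directory), that all access to the source has already been stopped, and that the GuardPoint is already guarded (for a Manual Guard GuardPoint, with secfsd -guard). The script refuses a non-empty destination, copies the tree preserving attributes, and then checks that every file reads back through the GuardPoint with the same file count and checksums as the source.

```shell
#!/bin/sh
# Added example, not part of the CTE documentation.
# Copies an operational directory into an empty, already guarded GuardPoint
# directory and verifies that every file reads back through the GuardPoint
# with the same checksum. The paths below are placeholders (assumptions).
set -eu

SRC_DIR="${SRC_DIR:-/data/HR}"               # old operational directory (placeholder)
GUARD_DIR="${GUARD_DIR:-/data/HR_encrypted}" # empty GuardPoint directory (placeholder)

# Succeeds only if the argument is an existing, empty directory.
# The procedure requires the GuardPoint directory to start out empty.
require_empty_dir() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Number of regular files in a tree, used to check the copy for completeness.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# One digest for a whole tree: sha256 of every regular file, sorted into a
# deterministic order, then hashed again. Identical trees give identical digests.
tree_digest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) \
        | sha256sum | cut -d' ' -f1
}

# Copy the tree preserving ownership, permissions and timestamps (cp -a), then
# compare file counts and digests between the source and the GuardPoint.
# Reads through a GuardPoint whose policy has Apply Key / Permit return
# cleartext, so a matching digest means the copy is complete and readable.
copy_and_verify() {
    src="$1"
    dst="$2"
    if ! require_empty_dir "$dst"; then
        echo "destination $dst must be an existing, empty directory" >&2
        return 1
    fi
    cp -a "$src/." "$dst/"
    [ "$(count_files "$src")" = "$(count_files "$dst")" ] || return 2
    [ "$(tree_digest "$src")" = "$(tree_digest "$dst")" ] || return 3
}

# Only run the migration when explicitly asked, so sourcing this file for its
# functions (or running it on a host without CTE) does nothing destructive.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    # Assumption: for a Manual Guard GuardPoint, it was guarded beforehand with
    #   secfsd -guard "$GUARD_DIR"
    # and step 6 (stopping all access to $SRC_DIR) has already been carried out.
    copy_and_verify "$SRC_DIR" "$GUARD_DIR"
    echo "copied $(count_files "$GUARD_DIR") files into $GUARD_DIR; digests match"
fi
```

Run it with RUN_MIGRATION=1 after the GuardPoint is in place; without that variable the file only defines the functions. A digest match confirms the copy is complete and readable through the GuardPoint; it does not by itself show that the on-disk blocks are ciphertext, so still wait for the encryption process to finish (step 7) before switching to the production policy.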