CTE-LDT Metadata in Extended Attributes
An extended attribute is a name/value pair permanently associated with a file or directory stored in a file system. CipherTrust Transparent Encryption (CTE) creates and maintains its own user extended attributes on CTE-LDT GuardPoint directories and files. These extended attributes store metadata about each file or directory that is protected using a CTE-LDT policy.
On Linux, CTE-LDT sets extended attributes on GuardPoint directories. The CTE-LDT attribute of a CTE-LDT GuardPoint stores the following metadata:
- Current key version.
- Rekey status.
- Rekey start and end times.
- Estimated completion time.
- Total amount of data transformed.
- Total number of files transformed.
- Current key signature and applied key signature.
On both Linux and Windows, CTE-LDT sets extended attributes on files. The CTE-LDT attribute of a file stores the following metadata:
- Name of the current key.
- Name of the versioned key.
- Version number of the versioned key.
- CTE-LDT rekey status of the file.
In most cases, the current and new key names are the same. The exception is during initial transformation from a legacy policy to a CTE-LDT policy, when the file has been encrypted with the current key and is being transformed to the current version of the transformation key.
Before you set up a GuardPoint for CTE-LDT, ensure that there is sufficient disk space available in your file system for CTE-LDT metadata. The amount of disk space you need depends on the number of files in your GuardPoint. For more information about the disk space requirement, see Planning for CTE-LDT Attribute Storage.
The state of a file changes during CTE-LDT operations. The extended attributes are continually updated to reflect the current file status, which falls into one of the following categories:
- Rekeyed to the current version of the key.
- Rekeyed to the previous version of the key, or the initial key state (before the first CTE-LDT rekey has been performed).
- Partially rekeyed, where some regions of the file are rekeyed to the new key version and other regions are still keyed to the previous key version or the initial key.
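The following is an added example (not CTE code and not the product's attribute format) that models the metadata fields listed above and sorts files into the three status categories, so an administrator can verify from a parsed inventory which files still lag the GuardPoint's current key version or are mid-rekey. The field names, the rekey status values, and the sample files are all assumptions made for the example; the real attribute name and encoding are not documented on this page.

```python
from dataclasses import dataclass
from enum import Enum


class FileState(Enum):
    CURRENT = "rekeyed to current key version"
    PREVIOUS_OR_INITIAL = "previous key version or initial key"
    PARTIAL = "partially rekeyed"


@dataclass(frozen=True)
class GuardPointMeta:
    # Subset of the GuardPoint attribute fields listed above (field names assumed).
    current_key_version: int
    rekey_status: str


@dataclass(frozen=True)
class FileMeta:
    # Subset of the per-file attribute fields listed above (field names assumed).
    path: str
    current_key: str
    versioned_key: str
    key_version: int
    rekey_status: str  # assumed values: "done", "in_progress", "pending"


def classify(gp: GuardPointMeta, f: FileMeta) -> FileState:
    """Map a file's attribute values onto the three status categories."""
    if f.rekey_status == "in_progress":
        return FileState.PARTIAL  # some regions on the new version, some not
    if f.rekey_status == "done" and f.key_version == gp.current_key_version:
        return FileState.CURRENT
    return FileState.PREVIOUS_OR_INITIAL


def is_initial_transformation(f: FileMeta) -> bool:
    # Current and versioned key names differ only while a legacy-policy file
    # is being transformed to the versioned CTE-LDT key.
    return f.current_key != f.versioned_key


def audit(gp: GuardPointMeta, files: list) -> dict:
    """Group file paths by state; 'complete' is True only when nothing lags."""
    by_state = {s: [] for s in FileState}
    for f in files:
        by_state[classify(gp, f)].append(f.path)
    return {
        "current": by_state[FileState.CURRENT],
        "lagging": by_state[FileState.PREVIOUS_OR_INITIAL],
        "partial": by_state[FileState.PARTIAL],
        "legacy_in_flight": [f.path for f in files if is_initial_transformation(f)],
        "complete": not by_state[FileState.PARTIAL] and not by_state[FileState.PREVIOUS_OR_INITIAL],
    }


# Constructed sample inventory: one GuardPoint on key version 3 and four files.
GP = GuardPointMeta(current_key_version=3, rekey_status="in_progress")
FILES = [
    FileMeta("/data/a.db", "ldt_key", "ldt_key", 3, "done"),
    FileMeta("/data/b.db", "ldt_key", "ldt_key", 2, "done"),
    FileMeta("/data/c.db", "ldt_key", "ldt_key", 3, "in_progress"),
    FileMeta("/data/d.db", "legacy_key", "ldt_key", 1, "pending"),
]
```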