Migrating a GuardPoint to a Different CTE-LDT Policy
To change the CTE-LDT policy that an CTE-LDT GuardPoint uses, complete the following steps to ensure that the GuardPoint is migrated properly from one CTE-LDT policy to another CTE-LDT policy.
This procedure is for the migration of local file system GuardPoints only. For information about migrating NFS GuardPoints to clear_key, see Migrating GuardPoints over NFS from or to an LDT Policy.
Scenario
The GuardPoint is currently attached to LDT-Policy-1, which rekeys from clear_key
to LDT-Key-1
. The objective is to migrate the data in the GuardPoint to another versioned key, LDT-Key-2
. Migration to LDT-Key-2
requires detaching the GuardPoint from LDT-Policy-1
, and then attaching it to LDT-Policy-2
, assuming LDT-Key-2
is the versioned key specified in LDT-Policy-2
. To do so:
-
Clone the latest version of the key
LDT-Key-1
to a non-versioned key such asLDT-Key-1-Clone
.-
From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.
To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.
-
Click the name of the versioned key that you want to clone.
-
In the Key Details area, find the version that you want to clone.
-
Click the (...) button at the end of the row and select Clone to clone the selected version of the key.
-
-
Identify or create a new versioned key that you want CTE-LDT to use to re-encrypt the data. For example,
LDT-Key-2
. -
Create a new Live Data Transformation policy that specifies
LDT-Key-1-Clone
as the Initial Key andLDT-Key-2
as the Transformation Key. -
Make sure that all data transformation has completed on the GuardPoint. To verify this, use the
voradmin ldt attr get <GuardPoint>
command. -
In your key manager, unguard the GuardPoint.
-
On the host, remove the existing CTE-LDT attributes on the GuardPoint using the
voradmin ldt attr delete <GuardPoint>
command.voradmin ldt attr delete /oxf-fs1/gp1 LDT metadata has been removed from all files in GuardPoint [/oxf-fs1/gp1] LDT attributes deleted from 10 files in /oxf-fs1/gp1 LDT: Metadata has been removed from all files in guard point [/oxf-fs1/gp1]
-
Guard the directory using the new LDT policy.
-
If you have selected Auto Guard, data transformation begins as soon as the host gets the new policy information from the key manager.
-
If you have selected Manual Guard, use the
secfsd -guard <GuardPoint>
command on the host to begin data transformation.
-