Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Backing Up and Restoring CTE-LDT GuardPoints

CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool

search

Please Note:

CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool

You can make a file system snapshot using a Logical Volume Manager service or mirroring/splitting storage level LUNs of a file system inside the storage subsystem. CTE-LDT does not have requirements for where and how you create a file system snapshot. However, it is required that you suspend CTE-LDT processes before you take the file system snapshot. Suspending CTE-LDT ensures data and metadata consistency between files and CTE-LDT extended attributes.

You may choose to suspend CTE-LDT manually on the managed host using voradmin ldt suspend command or fsfreeze -f, or suspend CTE-LDT on the CipherTrust Manager.

note

Note

Be aware that suspending CTE-LDT on the CipherTrust Manager suspends CTE-LDT on the entire host.

After creating a file system snapshot, you can resume CTE-LDT processes on the GuardPoint using voradmin ldt resume, or fsfreeze -u, or resuming CTE-LDT on the CipherTrust Manager. Do not mix the use of fsfreeze and voradmin ldt suspend to pause and resume CTE-LDT. CTE suspends or resumes CTE-LDT processes during live transformation when freezing or unfreezing GuardPoint access using fsfreeze -f or -u option. See the CTE Agent for Linux Advanced Configuration and Integration Guide on the use of the fsfreeze command on a GuardPoint.

note

Note

You can make sure CTE-LDT is suspended at backup time by setting the QoS schedule

You can mount a file system snapshot for data recovery. Configuration for GuardPoints must be duplicated over the mount point of the snapshot file system. Make sure to use the same CTE-LDT policy. Enabling GuardPoints over or under the snapshot mount point provides access to the protected files for recovery. You can choose to manually resume key rotation on the GuardPoints of the snapshot file system, although this is not necessary.

Following is an example of the fsfreeze command used to freeze access to the file system /oxf-fs1 in order to create a snapshot of the file system device. This examples illustrates three GuardPoints enabled inside the file system namespace, /oxf-fs1/gp-1, /oxf-fs1/gp-2, and /oxf-fs1/gp-3. Executing the command fsfreeze -f targets any of the GuardPoints in the /oxf-fs1 mount point and suspends CTE-LDT processes on all of the GuardPoints. Then it freezes access to the file system.

fsfreeze -f /oxf-fs1/gp-1
 voradmin ldt list all
MDS_1:  type=file, nguards=1, name=/oxf-fs1/gp-3/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING SUSPENDED (vadm), flags=GP LOCKED,                             gp=/oxf-fs1/gp-3
                File List: count 4308

MDS_2:  type=file, nguards=1, name=/oxf-fs1/gp-2/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-2
                File List: count 4308

MDS_3:  type=file, nguards=1, name=/oxf-fs1/gp-1/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING SUSPENDED (vadm), flags=GP LOCKED, gp=/oxf-fs1/gp-1
                File List: count 4308

After the file system snapshot is created, executing the fsfreeze -u command on any of the GuardPoints in the file system namespace unfreezes access to the file system and resumes CTE-LDT processes on all of the GuardPoints.

fsfreeze -u /oxf-fs1/gp-1
 voradmin ldt list all
MDS_1:  type=file, nguards=1, name=/oxf-fs1/gp-3/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-3
                File List: count 4308

MDS_2:  type=file, nguards=1, name=/oxf-fs1/gp-2/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-2
                File List: count 4308

MDS_3:  type=file, nguards=1, name=/oxf-fs1/gp-1/::vorm:mds::
        Guard Table: version 1 nentries 1
        Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-1
                File List: count 4308

copy link to clipboardSupport for Volume Level Snapshots on NAS Shares with LDT on Linux

CTE supports volume level snapshot capabilities of NAS shares. You may choose to enable the snapshot service on an LDT-protected GuardPoint as long as the GuardPoint is enabled before the snapshot service is activated. Note that the snapshot service is deactivated before the GuardPoint is disabled. Keeping the snapshot service active when the GuardPoint is not enabled may result in data corruption or inconsistent LDT metadata at file or GuardPoint levels.

On this page