LDT over CIFS/NFS High-Level Overview
As mentioned, the LDT operation for transforming data over CIFS/NFS is almost the same as for GuardPoints in local file systems. LDT uses the same workflow for transforming data in files and for GuardPoint management. The difference between local file systems and NFS/CIFS shares is the number of hosts involved in the transformation of a GuardPoint. Because multiple hosts can access the same GuardPoint over NFS/CIFS, LDT operations that transform files in a shared GuardPoint must be coordinated across the CTE hosts that enable the GuardPoint. Coordination entails multiple file-level and LDT operations to ensure that data being transformed from the previous key to the new key is not accessed by any other application on any host on which the GuardPoint is enabled.
LDT support for NFS shares is restricted to Linux, and LDT support for CIFS shares is restricted to Windows. This means that CTE-LDT on Linux does not support LDT protected GuardPoints on CIFS shares, and similarly, CTE-LDT on Windows does not support LDT protected GuardPoints on NFS shares.
The LDT architecture for supporting NFS/CIFS shares is a distributed architecture. In this architecture, a single CTE host is delegated responsibility for transforming the entire dataset in a GuardPoint. The other CTE hosts that share access to the same GuardPoint participate in the data transformation process driven by the transforming host. The transforming host is referred to as the LDT GuardPoint Group primary host, and the participating hosts are the LDT GuardPoint Group secondary hosts. In this architecture, an LDT GuardPoint Group is composed of at least three CTE hosts (all Linux or all Windows) sharing access to the same LDT protected GuardPoint (over NFS or CIFS shares, respectively).
Within an LDT GuardPoint Group, the LDT primary host executes the same operations for data transformation as those executed on GuardPoints in a local file system. The extended architecture of LDT over NFS/CIFS involves the secondary hosts in the group in the execution of LDT operations initiated by the primary host. For example, when a file is selected and initialized for rekey, the selection and initialization process is not local to the primary host. The primary host performs an extended selection and initialization operation across the members of the group. Once the operation is successfully performed and acknowledged by each member, the primary host proceeds with the next step in the transformation process on the selected file. Below are other extended LDT operations performed by the primary host in conjunction with members of the LDT GuardPoint Group:
- Locking/unlocking data for rekey.
- Suspending/resuming LDT.
- Applying a new key to the GuardPoint.
- Launching LDT, or concluding LDT, on the GuardPoint associated with the LDT GuardPoint Group.
- Certain file operations, initiated on a secondary host, that change LDT metadata. For such operations, the secondary host performing the file operation notifies the primary host to update and commit all metadata changes for the operation.