Restrictions
Remember the following restrictions when using CTE-LDT:
-
CTE-LDT does not support nested GuardPoints, where a GuardPoint is contained inside another GuardPoint.
-
For HA clusters, CTE-LDT only supports the Asymmetric (active/passive) configuration. CTE-LDT does not support Symmetric (active/active) configuration.
-
If you want to create CTE-LDT GuardPoints on Linux NFS shares or Windows CIFS shares, you must register the host with CipherTrust Manager and add the host to an LDT communication group.
Windows Only Limitations
CTE-LDT supports GuardPoints on CIFS network shared directories with the following restrictions:
-
If any files are opened exclusively by another application, CTE-LDT cannot rekey those files until the other applications have released the lock.
-
If a backup is taken at the snapshot level, CTE metadata is also backed up. If a restore operation tries to restore CTE metadata, CTE agent does not allow this operation and the metadata restore fails. Do not restore the CTE metadata, or ignore the error from the restore utility, if the CTE metadata restore fails.
-
CTE-LDT on a ReFS file system runs slowly because of limited support from the Extended Attributes on the ReFS file system.
Note
Customers running older versions of ReFS.sys on Windows Server 2012 R2 should be aware of the memory growth issue encountered by the Thales engineering team. This issue seems to occur only when CTE-LDT is running on a large number of files. As the system memory consumption by REFS file system increases, it can eventually make the system unresponsive. This issue does not occur with the recent versions of ReFS file system drivers available on Windows Server 2016. After consulting with Microsoft, they suggest that all customers migrate to Windows Server 2016 if they are using ReFS file.
Protecting local directories and CIFS shares Simultaneously with LDT policies
-
Ensure that CTE Windows is running with the
VMLFS
driver. -
To check the currently installed drivers, type:
fltmc
-
If the output table contains
vmlfs
, the driver is set properly. If not, type the following, in an administrative command prompt, to switch to theVMLFS
driver:voradmin config enable vmlfs
Note
-
The above command requires all directories to be unguarded before switching the driver
-
The system requires a reboot after the driver has been changed
-
Linux Only Limitations
-
CTE-LDT does not support Linux auto-mounted file systems.
-
CTE-LDT support is limited to
ext3
,ext4
, andXFS
file systems whenuser_xattr
mount option is enabled. -
CTE-LDT does not support system hibernation (
pm-hibernate
) on Linux hosts where CTE-LDT is in use. -
You cannot use CTE-LDT and Docker container on the same host.
-
You cannot use CTE-LDT and OpenShift container on the same host.