Using CTE-LDT
• If you are new to CTE and CTE-LDT, read the CipherTrust Manager documentation first to familiarize yourself with the concepts of GuardPoints and Policies.
• Before installing CTE-LDT, see Linux Kernel Support to verify that your version of Linux is supported.
The following list contains the steps for successfully setting up and using CTE-LDT.
- Install the CTE-LDT License on the CipherTrust Manager.
  CipherTrust Transparent Encryption - Live Data Transformation is a separately licensed feature of CTE. Before you can use it, you must install the license to activate it. CTE-LDT is licensed for a specific number of hosts.
  For details about licensing, see the CipherTrust Manager documentation.
- Install the CTE Agent and select the CTE-LDT feature during the install. For more information, see Installing and Registering the CTE Agent Software on Linux or Installing and Registering the CTE Agent Software on Windows.
  If the client is already registered with CipherTrust Manager, you can enable CTE-LDT on the client through the CipherTrust Manager Console. For more information, see Enabling CTE-LDT on a Protected Host.
- Create Versioned Keys.
  CTE-LDT uses versioned keys. A versioned key rotates to the next version of the key, generating new key material automatically without a policy change. CTE-LDT encrypts data with keys that use encryption standards such as AES-256. This allows data to be re-encrypted without users having to edit the policy.
  For more information, see Keys in CTE-LDT (Versioned Keys) and Creating and Viewing Versioned Keys.
- Optionally, create a Key Rotation Schedule that automatically rotates the versioned keys periodically. For more information, see Creating a Key Rotation Schedule.
- Create CTE-LDT Policies.
  CTE-LDT uses a single Live Data Transformation policy to address both initial encryption and subsequent rekeying. The same policy applies to production access and security rules without restricting user or application access to data. Applications have continuity of access to GuardPoint data during CTE-LDT.
  For more information, see Creating CTE-LDT Policies.
- Set QoS Settings.
  QoS enables administrators to manage and control the impact of CTE-LDT on application workloads by monitoring and controlling the use of host system resources, such as memory or I/O utilization, during CipherTrust Transparent Encryption - Live Data Transformation. Administrators can also choose schedules for data transformation, or manually pause or resume transformation operations.
  For more information, see Quality of Service.
- Create GuardPoints and apply CTE-LDT policies to the GuardPoints.
  A GuardPoint is a directory in the file system hierarchy whose contents have a CipherTrust data protection policy applied to them. The CTE Agent intercepts any attempt to access anything in the GuardPoint and uses the policies obtained from the CipherTrust Manager to grant or deny the access attempt. Typically, data copied into a GuardPoint is encrypted, and only authorized users can decrypt and use that GuardPoint data.
  For more information, see Creating a CTE-LDT GuardPoint.
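As an added illustration of how the versioned-key, policy and GuardPoint steps above fit together (example code, not the product's or its documentation's), the following Python model shows a versioned key that a policy would reference by name, files under a GuardPoint tagged with the key version they were written under, a rotation that adds new key material without touching the policy, and the rekey pass that re-encrypts files still under the older version while reads of them keep working. The class and function names, the file layout and the standard-library stand-in cipher (SHAKE-256 keystream with an HMAC-SHA256 tag, in place of the AES-256 the product uses) are this example's assumptions.

```python
# Added illustrative model of CTE-LDT versioned keys and live rekeying; this is
# not the product's code. The cipher is a stdlib stand-in (SHAKE-256 keystream
# plus HMAC-SHA256 tag) for the AES-256 the page says the product uses.
import hashlib, hmac, os
from typing import NamedTuple

class GuardedFile(NamedTuple):  # a file under a GuardPoint (constructed layout)
    key_version: int  # version of the key it was written under
    nonce: bytes
    ciphertext: bytes
    tag: bytes

class VersionedKey:
    """A policy refers to the key by name; rotate() appends the next version."""
    def __init__(self, name: str):
        self.name, self.versions = name, [os.urandom(32)]  # index == version
    def rotate(self) -> int:
        """Generate fresh 256-bit key material; return the new version number."""
        self.versions.append(os.urandom(32))
        return self.current()
    def current(self) -> int:
        return len(self.versions) - 1

def _xor_stream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(k + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(k: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(k, nonce + ct, hashlib.sha256).digest()

def encrypt(key: VersionedKey, plaintext: bytes) -> GuardedFile:
    """Seal plaintext under the key's current version."""
    k, nonce = key.versions[key.current()], os.urandom(16)
    ct = _xor_stream(k, nonce, plaintext)
    return GuardedFile(key.current(), nonce, ct, _tag(k, nonce, ct))

def decrypt(key: VersionedKey, f: GuardedFile) -> bytes:
    """Open with the version the file was written under: not-yet-rekeyed files stay readable."""
    k = key.versions[f.key_version]
    if not hmac.compare_digest(f.tag, _tag(k, f.nonce, f.ciphertext)):
        raise ValueError("authentication failed")
    return _xor_stream(k, f.nonce, f.ciphertext)

def rekey(key: VersionedKey, files: list) -> int:
    """Live transformation: re-seal files under an older version with the current one (policy untouched)."""
    n = 0
    for i, f in enumerate(files):
        if f.key_version != key.current():
            files[i] = encrypt(key, decrypt(key, f))
            n += 1
    return n
```

Running a rotation and then rekey() over a list of GuardedFile records shows the files moving from version 0 to version 1 while decrypt() succeeds on them before, during and after the pass.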