Overview of CTE-LDT
CipherTrust Transparent Encryption - Live Data Transformation (CTE-LDT) is an optional, separately licensed feature of CipherTrust Transparent Encryption (CTE). With CTE-LDT, after enabling a GuardPoint, a Administrator can encrypt, or rekey, GuardPoint data without blocking user or application access to the data. In CTE-LDT, rekey means decrypting data with the current cryptographic key and then encrypting it with a new cryptographic key. The concept of rekey, and how CTE-LDT rekeys data, is described in this document.
After enabling GuardPoints, CTE-LDT performs initial encryption or rekeying in the background, unnoticed by users. The data stays live and available. This accelerates CTE deployments and eliminates the need to block application and user access to data during encryption or rekey operations, which can seriously inconvenience users and affect operational efficiency.
With CTE-LDT, the Administrator can create a single CTE-LDT policy for both initial encryption and subsequent rekeying. The same policy applies to production access and security rules without restricting user or application access to data. Applications have continuity of access to GuardPoint data during CTE-LDT.
To prevent data loss or corruption, you must stop all applications and users that are accessing files inside a GuardPoint before enabling a Live Data Transformation encryption policy for that GuardPoint. Terminating the applications closes all files that are currently being accessed inside the GuardPoint.
Unlike non-Live Data Transformation policies, however, you do not need to keep the GuardPoint offline while data transformation takes place. Instead, you can restart all applications as soon as the GuardPoint has been applied to the host, and CTE will perform the data encryption in the background. This is the only application service downtime required when using CTE-LDT.
While CTE-LDT is supported on platforms with SELinux enabled in enforcing mode, you may run into interoperability issues with certain SELinux policies that may be enforcing rules against CTE access. If you experience issues running CTE with SELinux enabled, contact your system administrator for assistance. Thales Technical Support will recommend that you disable or change the mode to permissive mode to rule out SELinux when investigating reported issues.
Use Cases
This section provides a summary of typical uses for CTE-LDT. The concepts mentioned in this section are described in more detail throughout the rest of this guide.
-
Encrypt unprotected data.
When protecting files in a directory, you must encrypt them. This process is called initial data encryption.
-
Convert non-CTE-LDT GuardPoints to CTE-LDT GuardPoints.
Use when you have existing GuardPoints that are protected with policies created before you started using CTE-LDT.\
-
Rekey process.
Changing the key from one version to another version of the same key provides more security. Using CTELDT, you can change the encryption keys to more secure keys.
-
Transform the encrypted data to clear data.