CTE-LDT Policies
In CTE-LDT, you define a single policy for initial data encryption and subsequent rekeying. The policy specifies:
-
Current key
Associated with data that you want to protect using CTE-LDT. This is either a non-versioned key from an earlier policy, orclear_key
, which means that the data is not currently encrypted. -
Transformation key
The versioned key that CTE-LDT applies to transform the data from the key used for initial data transformation. When the transformation key rotates, it transforms the data from a previous version of the transformation key to a new version.Transformation key and versioned key are used interchangeably throughout this document.
As soon as CTE-LDT applies the policy to a GuardPoint and enables protection for it, CTE-LDT triggers an initial transformation from the current key to the transformation key.
When the transformation key expires, it generates the next version of the versioned key with new cryptographic material. The CipherTrust Manager then pushes the policy to the hosts. The policy now contains the new version of the key. This initiates a rekey process on the GuardPoint to transform data to the new version of the transformation key specified in the policy.
Users and applications can continue accessing data without any interruption during initial encryption and subsequent key transformations.
During CTE-LDT policy creation, you must use the Apply Key effect in your policy. If you do not, then end users can see the clear text data until the file is transformed.