Creating and Viewing Versioned Keys
For CTE-LDT, you create a versioned key that you can add to any number of Live Data Transformation policies. When you add a new key version, CipherTrust Manager pushes the new version to every CTE client associated with any Live Data Transformation policy that contains that key.
Use the Keys & Access Management application in the CipherTrust Manager Applications Page when creating or viewing versioned keys.
Make sure that all keys you create for CTE-LDT are Symmetric. CTE-LDT does not support asymmetric keys.
Creating a Versioned Key
-
Log into the CipherTrust Manager Console as an administrator.
-
From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.
To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.
-
Above the Key table, click Create a New Key.
-
Enter a Key Name so that you can find this key easily when you want to rotate it. For example, LDT-Key-1.
• When CipherTrust Manager displays the list of available keys, you cannot filter the list by versioned vs. non-versioned, so it is especially important to name the key in a way that makes it easy to search for by name.
• Using a standard naming convention also helps if you want to create an automatic key rotation schedule for all your CTE-LDT keys.
-
In the Key Metadata > Groups for Key sharing section, do the following:
-
In the Search box, type "cte".
-
Add CTE Admins and CTE Clients to the key sharing groups by clicking the green Add button. The Key Shared? check box is automatically selected and the Add button changes to a Remove button.
-
Below the Groups table, click the CTE Key Properties check box.
CipherTrust Manager displays the following options for CTE keys:
-
CTE Versioned: Specifies that this is a versioned key. Make sure this option is selected.
-
Persistent on Client: Specifies whether the key is stored in persistent memory on the client.
If this option is selected, the key is downloaded and stored (in an encrypted form) in persistent memory on the client.
If this option is not selected, the key is downloaded to non-persistent memory on the client. Every time the key is needed, the client retrieves it from the CipherTrust Manager. This is the default setting.
-
Encryption Mode: Encryption mode of the key. Choose one of the following for CTE-LDT keys:
-
CBC
-
CBC-CS1
Encryption using CBC-CS1 keys is known as enhanced encryption. For details, see the CTE Agent for Linux Advanced Configuration and Integration Guide or the CTE Agent for Windows Advanced Configuration and Integration Guide.
XTS encryption is not supported for protecting directory-based GuardPoints. Do not select XTS as your encryption mode.
-
In the Key Behaviors section at the bottom of the page, clear the Prevent this key from being exported check box. If the key cannot be exported, it will not appear in the key list when you add the key rule to the policy.
If you want the option to delete this key later, clear the Prevent this key from being deleted check box. Use caution when deleting keys: any data encrypted with a key becomes inaccessible if you delete that key.
-
Click Create. The new key appears in the Keys table.
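The settings chosen in the steps above can also be expressed as a REST request body and checked programmatically. The following script is an added example, not CipherTrust Manager's own code: it builds the JSON body a client would send to the CipherTrust Manager key-creation endpoint (POST /api/v1/vault/keys2) with the values this procedure selects, and it checks a key record against the requirements stated on this page (symmetric, versioned, exportable, CBC or CBC-CS1 rather than XTS). The top-level fields (name, algorithm, size, unexportable, undeletable) are standard key attributes; the nested "meta"/"cte" field names used for the CTE Key Properties are an assumption about how the console stores them, so verify them against your CipherTrust Manager version before using this against a live system.

```python
"""Build and sanity-check a CTE-LDT key definition (added example)."""
import json

# Encryption modes this page allows for CTE-LDT keys; XTS is deliberately absent.
LDT_MODES = {"CBC", "CBC-CS1"}
# Algorithms that are asymmetric and therefore unusable for CTE-LDT.
ASYMMETRIC = {"RSA", "EC"}


def ldt_key_request(name: str, mode: str = "CBC",
                    persistent_on_client: bool = False,
                    allow_delete: bool = False) -> dict:
    """Return a request body for a symmetric, versioned, exportable CTE key.

    Mirrors the console steps: AES (symmetric), CTE Versioned checked,
    "Prevent this key from being exported" cleared, deletion blocked unless
    the caller opts in. The meta/cte layout is an assumption (see lead-in)."""
    if mode not in LDT_MODES:
        raise ValueError(f"{mode}: CTE-LDT keys must use CBC or CBC-CS1 (XTS is not supported)")
    return {
        "name": name,
        "algorithm": "AES",              # CTE-LDT requires a symmetric key
        "size": 256,
        "unexportable": False,           # exportable, or it will not appear in the key-rule picker
        "undeletable": not allow_delete,
        "meta": {                        # assumed storage of the CTE Key Properties
            "cte": {
                "cte_versioned": True,
                "persistent_on_client": persistent_on_client,
                "encryption_mode": mode,
            }
        },
    }


def check_ldt_key(key: dict) -> list:
    """Return the CTE-LDT requirements a key record violates (empty list = OK).

    Accepts the same layout as ldt_key_request() produces, so it can be run
    over records fetched back from the key listing (same field assumption)."""
    problems = []
    cte = key.get("meta", {}).get("cte", {})
    if key.get("algorithm", "").upper() in ASYMMETRIC:
        problems.append("asymmetric algorithm; CTE-LDT keys must be symmetric")
    if not cte.get("cte_versioned", False):
        problems.append("CTE Versioned is not set")
    if key.get("unexportable", False):
        problems.append("key is unexportable; it will not be selectable in a key rule")
    if cte.get("encryption_mode") not in LDT_MODES:
        problems.append(f"encryption mode {cte.get('encryption_mode')!r} is not CBC or CBC-CS1")
    return problems


if __name__ == "__main__":
    body = ldt_key_request("LDT-Key-1")
    print(json.dumps(body, indent=2))
    print("problems:", check_ldt_key(body))
```

Running the script prints the request body for LDT-Key-1 and an empty problem list; feeding it a record with XTS set or export prevented returns the reasons the key would be rejected for a Live Data Transformation policy.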
Viewing Versioned Key Information
-
Log into the CipherTrust Manager Console as an administrator.
-
Open the Keys & Access Management application.
-
Click the Latest Version Only check box to show only one entry for each versioned key.
-
Find the key in the Keys table.
You can filter the list by key name using wildcard searches. For example, if you know that the key name contains "LDT", you can search for *ldt*. The search is not case sensitive.
If the Version for a key is 0, this is the first version of the key and no key rotation has taken place. If the Version is greater than 0, the key has been rotated.
-
To find all versions of a key, click the name of the key in the Key Name column. CipherTrust Manager displays the ID, version number, state, and date created information for each version of the key.
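The same view can be produced from a key listing fetched over the REST API, which is useful when auditing rotation across many CTE-LDT keys. The script below is an added example, not CipherTrust Manager's own code: it reproduces the console's case-insensitive wildcard search and the "Latest Version Only" view over the JSON a client would receive from GET /api/v1/vault/keys2, and reports whether each key has been rotated (version greater than 0) together with every version's state and creation date. The listing is constructed for the example, and the record field names (id, name, version, state, createdAt) are assumed to match what the listing returns.

```python
"""Latest-version view and rotation report for CTE-LDT keys (added example)."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample listing: LDT-Key-1 has been rotated twice, the others never,
# and DB-Key should not match an "*ldt*" search at all.
SAMPLE_LISTING = {
    "resources": [
        {"id": "k1-v0", "name": "LDT-Key-1", "version": 0, "state": "Active", "createdAt": "2024-01-02T09:00:00Z"},
        {"id": "k1-v1", "name": "LDT-Key-1", "version": 1, "state": "Active", "createdAt": "2024-04-02T09:00:00Z"},
        {"id": "k1-v2", "name": "LDT-Key-1", "version": 2, "state": "Active", "createdAt": "2024-07-02T09:00:00Z"},
        {"id": "k2-v0", "name": "LDT-Key-2", "version": 0, "state": "Active", "createdAt": "2024-02-15T12:30:00Z"},
        {"id": "k3-v0", "name": "ldt-archive", "version": 0, "state": "Active", "createdAt": "2024-03-01T08:00:00Z"},
        {"id": "k4-v0", "name": "DB-Key", "version": 0, "state": "Active", "createdAt": "2024-03-01T08:00:00Z"},
    ]
}


def search_keys(listing: dict, pattern: str) -> list:
    """Case-insensitive wildcard match on key name, like the console search box."""
    pat = pattern.lower()
    return [k for k in listing["resources"] if fnmatchcase(k["name"].lower(), pat)]


def latest_versions(keys: list) -> dict:
    """One record per key name, keeping the highest version (Latest Version Only)."""
    latest = {}
    for k in keys:
        cur = latest.get(k["name"])
        if cur is None or k["version"] > cur["version"]:
            latest[k["name"]] = k
    return latest


def rotation_report(listing: dict, pattern: str = "*ldt*") -> dict:
    """Map key name -> latest version, rotated flag, and all versions oldest first."""
    by_name = defaultdict(list)
    for k in search_keys(listing, pattern):
        by_name[k["name"]].append(k)
    report = {}
    for name, versions in by_name.items():
        versions.sort(key=lambda k: k["version"])
        newest = versions[-1]
        report[name] = {
            "latest": newest["version"],
            "rotated": newest["version"] > 0,   # version 0 means never rotated
            "versions": [(v["version"], v["state"], v["createdAt"]) for v in versions],
        }
    return report


if __name__ == "__main__":
    for name, info in rotation_report(SAMPLE_LISTING).items():
        print(f"{name}: latest v{info['latest']}, rotated={info['rotated']}")
        for ver, state, created in info["versions"]:
            print(f"    v{ver} {state} {created}")
```

Against a live system, replace SAMPLE_LISTING with the parsed response of the key listing; the same functions then give the per-key rotation status without paging through the console.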
Modifying Key Rules
CTE v7.4 and subsequent versions allow users to modify the Key Rules while an LDT policy is active and enforced on a client. Users can add new rules and modify existing rules. The following use cases are addressed by this change:
-
Users can prioritize and plan the encryption of large files inside a GuardPoint.
-
Users can transform the excluded files by adding new Key Rules.
While making Key Rule changes, you cannot change the order of the rules or the encryption key rule already applied to a file. If the data encryption keys are mismatched, the result may be data corruption.