Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Use Cases involving in-Place Data Transformation GuardPoints

Use Case 4: Using CTE-IDT with LVM

search

Please Note:

Use Case 4: Using CTE-IDT with LVM

Security rules for access control enforcement on I/O operations are based on the context of real users and/or processes requesting the I/O operations. For IDT devices, security rules are checked and enforced at the CTE secvm layer. If the context of the real user or process that requested the I/O operation is not available at the secvm layer, then the enforcement of access rules is invalid and may have unpredictable results and potentially cause system failures.

The previous use cases have described environments where CTE can get the context of the real users or processes requesting I/O operations at the secvm layer and can properly enforce the access rules in those environments. For example, as described in Use Case 3: Directory-Level GuardPoints, CTE can detect when an IDT device is mounted with a file system and it can apply the access rules in the policy on the IDT device without enforcing the rules on I/O operations from the file system layer.

However, there are other environments where CTE cannot determine how the IDT device is actually used and whether a real user or process context is available at the secvm layer. In these environments, CTE cannot properly enforce the access control rules on the IDT device. An example of such an environment is Linux LVM (Logical Volume Manager). A physical device under LVM control is a shared storage resource that can be fully or partially allocated to a logical volume. Adding an IDT device as a physical device to LVM is fully supported for data encryption but not for access control enforcement. In this case, access rules cannot be enforced because when the logical volume with file system is mounted, the mount operation is on the logical volume, not the IDT device. Consequently, CTE cannot determine that the IDT device is part of mounted file system, and therefore, it cannot get the real user or process context for applying access rules.

In order to use CTE in an environment like LVM, the CTE system administrator needs to explicitly tell CTE whether or not it should enforce the access rules for I/O operations on the device when they initialize the device using the voradmin idt config command. As described in Initialize a New Linux Device, this initialization must be done before the device is guarded as an in-Place Data Transformation GuardPoint for the first time.

In addition, for LVM specifically, the device must be a new device with no existing data. Existing LVM disks cannot be used with CTE unless CTE can get the proper context at the secvm layer.

When you initialize the new device, use the voradmin idt config –noacc new [-c <n>] <device-name> command where:

  • -noacc (required) tells CTE to disable access control rules on this device at the secvm layer level.

  • new (required) indicates that the device contains no data (it is a new disk).

  • <device-name> (required). Specifies the device name. For example, /dev/sdh.

For example, if you want to initialize a new LVM Linux disk named /dev/sdh, type:

voradmin idt config -noacc new /dev/sdh
caution

Caution

When you use -noacc, CTE will not perform any access checks on read/write operations to the specified device, even if the policy for guarding the device includes security rules enforcing read and/or write access checks. Before you use this option, make sure that your environment requires it. You should always use the options described in the first three use cases if at all possible, so that CTE can apply access controls to all I/O operations and therefore perform all required read/write access checks.

The following example shows the steps for initializing and guarding the device /dev/sdb, then adding or using the guarded device under LVM to create a file system.

  1. Initialize the device using the -noacc option:

    voradmin idt config -noacc new /dev/sdb

  2. Guard the device as described in Guard the Linux Device with an in-Place Data Transformation GuardPoint.

  3. Create and mount the file system.

    pvcreate /dev/secvm/dev/sdb
vgcreate secvm_sdb_vg /dev/secvm/dev/sdb
lvcreate -y -l 100%FREE -n my_volume
mkfs.xfs /dev/mapper/my_volume
mount /dev/mapper/my_volume /mnt

On this page