Initialize Linux in-Place Data Transformation Devices
When you initialize a Linux in-Place Data Transformation device, the process creates a private region on the device for CTE to write the in-Place Data Transformation header along with metadata that identifies the ES device as a guarded device. The CTE private region also contains the metadata for the initial transformation of clear-text data on device to cipher-text, and for the subsequent transformation of cipher-text on the device to another encryption key as needed.
How you initialize the device depends on whether it is a new device or an existing device that already has data that needs to be transformed into cipher-text. For details, see:
Initialize a New Linux Device
Run the voradmin idt config new command to initialize a new device. The new option specifies that the device does not hold user data, and that CTE can reserve the first 63MB of storage on the device for the CTE private region. The remaining storage space is available for new user data. The device size reported to applications is the actual device size minus the CTE private region size.
For a shared device that is accessed from multiple protected hosts, you must initialize the device only once and on only one protected host.
To configure devices with multiple IO paths for Linux, see Guarding a CTE-in-Place Data Transformation Device with Multiple IO Paths on Linux.
- Log into the device as root.
- Run the voradmin idt config new [-c <n>] <device-name> command, where:
  - new (required) indicates that the device contains no data (it is a new disk). CTE will create the CTE private region at the beginning of the disk and the rest of the disk will be available for user data.
  - -c <n> (optional). If you use this option on Linux, CTE sets the number of data transformation jobs to run in parallel to the number specified in <n>. <n> can be an integer between 1 and 60 (default: 8). Each data transformation job transforms 1MB worth of data and requires CPU resources in addition to three I/O operations as part of data transformation. Each job reads 1MB of data from the device, preserves the data in the CTE private region, rekeys the data to cipher-text, and writes the transformed data to the device. If you increase the number of parallel jobs, the data transformation process will complete faster but there will be an increased performance impact on the system. Only increase the -c option if you are certain that the system resources are available to handle the additional load. The value for the -c option you specify here remains in effect for all subsequent data transformations (such as any data rekeys) until you specify a new value.
  - <device-name> (required). Specifies the device name. For example, /dev/sdh.
  For example, if you want to initialize a new Linux disk named /dev/sdh using 10 parallel data transformation jobs, you would specify:
  voradmin idt config new -c 10 /dev/sdh
- To verify that the disk has been initialized, run the voradmin idt status command:
  voradmin idt status /dev/sdh
  Device /dev/sdh is configured to guard as an in-Place Data Transformation GuardPoint.
- At this point the Administrator can protect the device as an IDT GuardPoint through the CipherTrust Manager console. For details, see Guard the Linux Device with an ES GuardPoint.
The initialization process prepares the device to be guarded but does not actually guard it. You need to assign an ES GuardPoint to the device in the CipherTrust Manager before the device is actually protected. In addition, the initialization process is only kept in memory until the device is guarded or rebooted. If the device is rebooted before you guard it, you will need to perform the initialization procedure again.
Initialize and Resize an Existing Linux Device
If the device has existing data, you need to use the voradmin idt config xform command to initialize the disk for CTE-in-Place Data Transformation. This command examines the current disk size and computes the size required to hold the existing data plus the CTE Private Region at the beginning of the device. After the CTE initialization is complete, you then need to resize the device before you can guard it with an ES GuardPoint.
The following procedure describes how to initialize the device for CTE. Note that the existing data is not altered in any way until after you perform this procedure and you guard the data with an ES GuardPoint. CTE does not begin transforming the data from clear-text to cipher-text until the ES GuardPoint has been applied and the encryption key has been pushed to the device through the GuardPoint Policy.
- Log into the device as root.
- Run the voradmin idt config xform [-c <n>] <device-name> command, where:
  - xform (required) indicates that the device contains existing data. CTE will transform all existing data on the device from clear-text to cipher-text as soon as you guard the device. The device will be inaccessible until the transformation is complete, and the device must remain offline during the entire transformation process. No user access will be permitted until all data has been transformed.
  - -c <n> (optional). If you use this option on Linux, CTE sets the number of data transformation jobs to run in parallel to the number specified in <n>. <n> can be an integer between 1 and 60 (default: 8). Each data transformation job transforms 1MB worth of data and requires CPU resources in addition to three I/O operations as part of data transformation. Each job reads 1MB of data from the device, preserves the data in the CTE private region, rekeys the data to cipher-text, and writes the transformed data to the device. If you increase the number of parallel jobs, the data transformation process will complete faster but there will be an increased performance impact on the system. Only increase the -c option if you are certain that the system resources are available to handle the additional load. The value for the -c option you specify here remains in effect for all subsequent data transformations (such as any data rekeys) until you specify a new value.
  - <device-name> (required). Specifies the device name. For example, /dev/sdh.
  For example, if you want to initialize an existing Linux disk named /dev/sdh using 10 parallel data transformation jobs, you would specify:
  voradmin idt config xform -c 10 /dev/sdh
  Device /dev/sdh must be resized to at least 21100544 sectors (20606 MBs) before guarding as in-Place Data Transformation GuardPoint.
  In this case you must manually resize the Linux disk by at least 20606 MBs before you can guard it. After you guard the disk, you can expand it again later but you cannot shrink it unless you remove the GuardPoint.
- To verify that the disk has been initialized, run the voradmin idt status command:
  voradmin idt status /dev/sdh
  Device /dev/sdh is configured to guard as an in-Place Data Transformation GuardPoint.
- At this point, you need to resize the device using your standard disk management tools before you can guard it. Make sure you increase the device size by at least the amount shown in the voradmin idt config xform message. You cannot assign an ES GuardPoint to the device until it has been resized. If you do not resize the device, the GuardPoint assignment will fail.
- After the device has been resized, the Administrator can protect the device as an ES GuardPoint through the CipherTrust Manager console, as described in Guard the Linux Device with an ES GuardPoint.
The initialization process prepares the device to be guarded but does not actually guard it. You need to assign an ES GuardPoint to the device in the CipherTrust Manager before the device is actually protected. In addition, the initialization process is only kept in memory until the device is guarded or rebooted. If the device is rebooted before you guard it, you will need to perform the initialization procedure again.
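As an added example that is not part of the CTE documentation or the voradmin tool, the following POSIX shell helpers cover the pre-flight checks for both procedures above: validating the -c value, computing the size applications will see after a new initialization, reading the required size out of the voradmin idt config xform message, and confirming the voradmin idt status output before guarding. It assumes the message formats shown on this page, that the xform message states the total size the device must reach, and that its "MBs" are MiB; the function names are invented here.

```shell
#!/bin/sh
# Added example, not from the CTE documentation. Helper checks for the two
# voradmin idt config procedures on this page. Assumptions: the voradmin
# message formats shown above, "MBs" meaning MiB (1048576 bytes), and that
# the xform message gives the total size the device must reach.
set -u

# The -c value must be an integer from 1 to 60 (default 8).
valid_jobs() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 60 ]
}

# Size in MBs that applications will see on a device initialized with "new":
# the actual size minus the 63MB CTE private region.
usable_mbs_after_new() {
    echo $(( $1 - 63 ))
}

# Pull the required MBs out of the xform message, e.g.
# "Device /dev/sdh must be resized to at least 21100544 sectors (20606 MBs) before ..."
required_mbs() {
    printf '%s\n' "$1" | sed -n 's/.*sectors (\([0-9][0-9]*\) MBs).*/\1/p'
}

# MBs still missing on a device of the given size in bytes (0 when large enough).
shortfall_mbs() {
    have=$(( $1 / 1048576 ))
    [ "$have" -ge "$2" ] && echo 0 || echo $(( $2 - have ))
}

# True when the voradmin idt status output reports the device as initialized.
idt_configured() {
    printf '%s\n' "$1" |
        grep -q 'is configured to guard as an in-Place Data Transformation GuardPoint'
}

# Usage with the real tools (root on the protected host, CTE agent installed):
#   valid_jobs 10 || exit 1
#   msg=$(voradmin idt config xform -c 10 /dev/sdh)
#   gap=$(shortfall_mbs "$(blockdev --getsize64 /dev/sdh)" "$(required_mbs "$msg")")
#   [ "$gap" -eq 0 ] || echo "grow /dev/sdh by at least $gap MBs, then guard it"
#   idt_configured "$(voradmin idt status /dev/sdh)" && echo "initialized; guard it now"
```

Remember that the initialization only lives in memory, so rerun the status check after any reboot before assigning the GuardPoint.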