Migration
Before beginning the migration of a Raw Device GuardPoint to an in-Place Data Transformation GuardPoint, stop all user and application access to the Raw Device GuardPoint.
-
Backup the device if possible.
-
On the CipherTrust Manager, navigate to the client tab and select the target client Name that contains the raw device that you want to migrate.
-
In the GuardPoints tab, select the target GuardPoint and click Unguard to unguard the raw device GuardPoint.
-
On the client, run the following command to configure the device to be guarded as an in-Place Data Transformation GuardPoint, type:
voradmin idt config xform <device-name>
Make sure that you specify the native Linux device name of your device, such as
/dev/sdh
in the voradmin command, and resize the device before guarding the device using the IDT policy. -
On the CipherTrust Manager, navigate to the client tab and select the target Host Name.
-
Under the GuardPoints tab, click Guard to set a Raw or Block Device GuardPoint using the In-Place Data Transformation policy created for this device for migration. If this option is not selected, the host will not enable the device as an in-Place Data Transformation GuardPoint.
-
Click OK.
CTE begins transforming the data using the previous AES-CBC key and encrypting to the new XTS/CBC-CS1 key as soon as the device is guarded. During data transformation, the device remains inaccessible until this process completes. The length of time required to transform the data depends on the amount of existing data and the number of parallel data transformation jobs specified during the voradmin config command.
-
To see the data transformation progress, use the
voradmin idt xform status <device-name>
command. -
After transformation is completed and the device is guarded, the protected device must be accessed through the CTE device pathname that corresponds to the raw device.
For example, the Linux device pathname
/dev/sdh
becomes/dev/secvm/dev/sdh
as soon as the guard process completes.