Backup Utility
When a backup is performed, certain files and directories may be protected against access. Therefore, those files and directories are not written to the backup repository. These include files located in Data Transformation GuardPoints or files in GuardPoints with appropriate policies. Additionally, the following files are locked by default by CTE agent:
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/.access
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/etc/*
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/pem/*
The following describes how to bypass the issue for multiple scenarios:
Agent is installed in the default location
-
Stop SecFS, type:
/etc/vormetric/secfs stop //Linux /etc/rc.d/rc2.d/S99secfs stop //AIX
-
Run the backup application with the desired arguments.
-
Restart SecFS, type:
/etc/vormetric/ start
Using a backup image to install to other agents or restore to a different system
When the image is used to reinstall the system, the agent will automatically start at system boot and will attempt to connect to the key manager to which it was originally registered.
To prevent multiple systems with the same agent ID, you must uninstall CTE from the system before running the backup application. The restore/install from the backup will not have an agent running.
-
Uninstall the agent, type
/opt/vormetric/DataSecurityExpert/agent/secfs/bin/uninstallsfs
-
Run the backup application with the desired arguments.
-
Re-install CTE agent.
Performing a backup while the agent is running
Before running the backup application, add the files that are protected by the agent to the exclusion rules to exclude them from the backup:
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/.access
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/etc/*
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/pem/*
The GuardPoint policy may implement access restrictions which would also cause the backup application to generate error messages. These GuardPoint/directories will also need to be added to the exclusion rule method to exclude them from the backup. Alternatively, you can temporarily unguard them while the backup application is running.
If the CTE agent reports a status of incomplete in the backup application and does not start properly, or partially starts but generates error messages at system boot time, then uninstall and reinstall the agent. The restore/clone image contains everything needed to uninstall the agent. Use the following command to perform this operation:
/opt/vormetric/DataSecurityExpert/agent/secfs/bin/uninstallsfs
Backing up Databases after Encryption
After encrypting a database, CipherTrust Transparent Encryption cannot make a backup of the database. Both scheduled and manual backup fail. The problem was the user's policy. A policy used in this scenario must follow a few rules.
With a CBC_CS1 key, a guarded file is modified to have a 4096 byte header holding key information. When an Apply Key effect is specified, the CipherTrust Transparent Encryption code adjusts the length and file offset for this header. Without an Apply Key effect, the size and access of the offset include the CBC_CS1 header.
Thales recommends that you modify the first rule of your policy. Remove the action entry for f_rd_att
from the first rule and add a new rule before it:
**action**: f_rd_att
**effect**: Permit, Apply Key
Policy processing starts with the first rule and continues until a matching rule is found. The effect for the matching rule is then applied.
For the f_rd_att
action, this results in the secfs code including the CBC_CS1 key header and adjusts the file size value. Without the Apply Key effect, the file size includes the CBC_CS1 header size and the file appears as 4096 bytes larger than its real size.