Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
      - Silent Installation Using the exe File
      - Silent Installation Using the MSI File
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
      - Using STA for Multifactor Authentication for CTE GuardPoints
      - Using Okta for Multifactor Authentication for CTE GuardPoints
      - Using Keycloak for Multifactor Authentication for CTE GuardPoints
      - Using Cisco DUO for Multifactor Authentication for CTE GuardPoints
      - Using Microsoft Azure Entra ID Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Keys in LDT (Versioned Keys)
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
      - General Best Practices for QoS
      - Select and Set Rekey I/O Rate
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
      - Renaming Directories on Linux
      - Caveats
      - Example
      - Considerations
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
      - CTE Windows Deployment for LDT AccessOnly nodes
      - Configuring LDT for CIFS shares Mapped to Multiple IP addresses
    - Policy and GuardPoint Management
      - Creating a GuardPoint on a CIFS Share Drive on CipherTrust Manager
      - Pausing and Resuming LDT per host and per GuardPoint
      - Migrating GuardPoints over NFS from or to an LDT Policy
      - Multiple GuardPoint Pathnames
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Dynamic Resource Sets

The Dynamic Resource Set feature has been modified in CTE v7.7.0, with the inclusion of new key rules, when registered with CipherTrust Manager v2.17, or subsequent versions. The Dynamic Resource Set feature is also now available with Local File Systems, as well as NFS GuardPoints. Support for NFS is available starting with the patch release of CTE v7.7.100.

With Dynamic Resource Sets, you can now add a new key rule to a resource set that includes files that are not encrypted under the dynamic resource style policy. This results in the inclusion of those files for rekey and encryption. LDT launches rekey operations on the affected GuardPoints to encrypt the files associated with the resource set in the newly added key rule. Before inclusion of the key rule, those files associated with the resource set were in clear-text.

Following is an example of a policy applied to GuardPoint /oxf-fs1/gp1 which includes subdirectories dir1, dir2, dir3, dir4. Applying this policy to /oxf-fs1/gp1 will launch and rekey the files under /oxf-fs1/gp1/dir1 and oxf-fs1/gp1/dir2 using the specified key, while the remaining files in /oxf-fs1/gp1 remain in clear-text. To rekey the files under /oxf-fs1/gp1/dir3 and /oxf-fs1/gp1/dir4, you can update the policy as follows:

New resource sets were created for dir3 and dir4 before adding the new key rules in the policy. Once the updated policy is applied to the GuardPoint, the rekey is launched to encrypt the files associated with /oxf-fs1/gp1/dir3 and /oxf-fs1/gp1/dir4 using the encryption keys LDT-KEY2 and LDT-KEY3, respectively. Remaining files in the GuardPoint remain unchanged.

New Key Rule

Files associated with resource sets are encrypted with the key specified in the corresponding key rule. Unlike files associated with the exclusion key rules, files not associated with any key rules are normally not encrypted, and not excluded from rekey, except under the few cases described below.

Following is an example of a policy applied to GuardPoint /oxf-fs1/gp1 which includes subdirectories dir1, dir2 and dir3. In this policy resource set, dir1 has an exclusion key rule and resource set dir2 has a key rule to encrypt from clear to LDT-KEY-1. Other subdirectories under /oxf-fs1/gp1, such as dir3, are not associated with any key rule.

Applying this policy to /oxf-fs1/gp1 launches and rekeys the files under /oxf-fs1/gp1/dir1 and /oxf-fs1/gp1/dir2 using the specified key, while the files in /oxf-fs1/gp1/dir3 remain in clear-text due to them not being associated with any key rule. This is reflected in the following examples for rekey statuses:

Example 1

voradmin ldt attr get /oxf-fs1/gp1/dir1/foo.txt

Example Response

LDT attributes: rekeyed_size=0, rekey_status=rekey_excluded
    Key:    name=AES256, version=none

Example 2

voradmin ldt attr get /oxf-fs1/gp1/dir2/foo.txt

Example Response

LDT attributes: rekeyed_size=10485760, rekey_status=none
    Key:    name=LDT-KEY-1, version=0

Example 3

voradmin ldt attr get /oxf-fs1/gp1/dir3/foo.txt

Example Response

LDT attributes: rekeyed_size=0, rekey_status=rekey_no_keyrule
        Key:    name=clear_key, version=none

Rekeying

To rekey the files under /oxf-fs1/gp1/dir3 you can update the policy as follows:

Once the updated policy is applied to the GuardPoint, the rekey launches to encrypt the files associated with /oxf-fs1/gp1/dir3 using the encryption key LDT-KEY2. The remaining files in the GuardPoint remain unchanged.

Example

voradmin ldt attr get /oxf-fs1/gp1/dir3/foo.txt

Example Response

LDT attributes: rekeyed_size=10485760, rekey_status=none
    Key:    name=LDT-KEY-2, version=0

As depicted above, the files previously marked as rekey_no_keyrule due to their association with a no rekey rule, were encrypted/rekeyed after adding the new key rule with the resource set that includes those files. Note that moving any of those files to other directories associated with key rule(s) for encryption will associate those files with the key rule corresponding to the target location, and consequently, encrypting those files in the new location under different key rules. Refer to the section below for the effect of operations, such as renaming files or directories or restoring files, to the association of the file with the resulting key rule.

Effect of Adding a New Key Rule Resulting in Rekey

Addition of a new key rule for encrypting the files associated with a resource set will increment the policy key version resulting in rekey launch on the affected GuardPoints.

Following is an example of a policy applied to GuardPoint /oxf-fs1/gp1 which excludes subdirectory dir1 and includes subdirectory dir2 before adding a new key rule. The Policy Key Version is 19, before adding a new key rule.

Example

voradmin ldt attr get /oxf-fs1/gp1

Example Response

LDT stats: version=7, rekey_status=rekeyed
Number of times rekeyed:                1 time
Rekey start time:                       2024/10/01 14:52:25
Last rekey completion time:             2024/10/01 14:52:25
Estimated rekey completion time:        N/A
Policy key version:                     19
Pushed Policy key version:              19
Policy ID:
        5e128f2c-3789-4985-85eb-b392c3108e25
Data stats:
        total=30.0MB, rekeyed=10.0MB
        truncated=0.0MB, sparse=0.0MB
File stats:
        total=3, rekeyed=1, failed=0
        passed=0, skipped=0, created=0, removed=0, excluded=2

After adding a new key rule resulting in launching rekey on the GuardPoint, the Policy Key Version of the GuardPoint changes to 20.

Example

voradmin ldt attr get /oxf-fs1/gp1

Example Response

LDT stats: version=7, rekey_status=rekeyed
Number of times rekeyed:                2 times
Rekey start time:                       2024/10/01 14:54:57
Last rekey completion time:             2024/10/01 14:54:57
Estimated rekey completion time:        N/A
Policy key version:                     20
Pushed Policy key version:              20
Policy ID:
        5e128f2c-3789-4985-85eb-b392c3108e25
Data stats:
        total=30.0MB, rekeyed=10.0MB
        truncated=0.0MB, sparse=0.0MB
File stats:
        total=3, rekeyed=1, failed=0
        passed=1, skipped=0, created=0, removed=0, excluded=1

Feature changes for Dynamic Resource Sets after upgrading CipherTrust Transparent Encryption or CipherTrust Manager

CTE v7.6 does not differentiate between files that are not associated with any key rules, and with those associated with an exclusion key rule. As the result, files not associated with key rules are flagged as rekey_excluded, instead of rekey_no_keyrule. This behavior extends into CTE v7.7 if the CTE client is registered with CipherTrust Manager v2.16. Registering CTE v7.7, or a subsequent version, to CipherTrust Manager v2.17 or a subsequent version, enables CTE to differentiate between files associated with an exclusion key rule and those not associated with any key rule.

The following sections describe the effect of upgrading CipherTrust Transparent Encryption v7.6 and registration of a CTE client with CipherTrust Manager v2.16 and v2.17, and the new behavior when using Dynamic Resource Sets with CipherTrust Transparent Encryption v7.7.0 and CipherTrust Manager v2.17.

Scenario #1: CTE v7.6 client registers with CipherTrust Manager v2.16

When a CTE v7.6 client registers with CipherTrust Manager v2.16, or a previous version, and then CTE is upgraded to CTE v7.7, the behavior remains the same as in CTE v7.6. Note that the behavior in this scenario is that files not associated with key rules are marked as rekey_excluded instead rekey_no_keyrule.

Scenario #2: CTE v7.6 client registers with CipherTrust Manager v2.17 and then upgrades to CTE v7.7

Prior to upgrading CTE to v7.7, the files not associated with any key rule have already been marked with a rekey_excluded flag. As the rekey_excluded flag indicates exclusion from rekey, those files set to rekey_excluded must be reset to rekey_no_key_rule status after the upgrade.

If the user adds a new key rule immediately after upgrading CTE, before resetting the rekey_excluded flag, the files associated with the new key rule skip rekey. To avoid this, after CTE is upgraded to v7.7, run the voradmin admin command with the option update-nokeyrule to replace the rekey_excluded with rekey_no_keyrule.

Resetting `rekey_excluded` to `rekey_no_keyrule`

To reset the rekey_excluded to rekey_no_keyrule on the GuardPoint, type:

voradmin ldt attr update-nokeyrule ${gp}

Following is an example of a policy applied to GuardPoint /oxf-fs1/gp1, on a host with CTE v7.6, which excludes subdirectory dir1 and includes subdirectory dir2.

In the following example, the file in /oxf-fs1/gp1/dir3 remains in clear-text and rekey_excluded:

voradmin ldt attr get /oxf-fs1/gp1/dir3/foo.txt

Example Response

LDT attributes: rekeyed_size=0, rekey_status=rekey_excluded
    Key:    name=clear_key, version=none

The file continues to remain in clear-text but is now marked as rekey_no_keyrule:

voradmin ldt attr get /oxf-fs1/gp1/dir3/foo.txt

Example Response

LDT attributes: rekeyed_size=0, rekey_status=rekey_no_keyrule
    Key:    name=clear_key, version=none

Scenario #3: CTE v7.7 client registers with CipherTrust Manager v2.16, and then CipherTrust Manager is upgraded to v2.17, or a subsequent version

After upgrading CipherTrust Manager to v2.17 , you must perform a capability synchronization between the CipherTrust Manager and all registered CTE agents.

To initiate a capability synchronization:

Go to CipherTrust Manager.
Click Transparent Encryption > Settings > Client Information and Capabilities > Get Capability

After the CipherTrust Manager upgrade is complete, the behavior remains the same as described above for CTE v7.7 with CipherTrust Manager v2.17 and subsequent versions.

File Operations Causing Key Rule Changes

Some file operations may result in changing the association of target files to a different key rule. For example, renaming a file associated with a key rule can result in changing the association. Renaming a directory can have the same result in a wider scope where all, or a subset of files, under the renamed subdirectory may share the resource set and be associated with the key role of the resulting resource set. Another example is backing up and restoring files. Restoring a file into a different location in a GuardPoint will also change the association of the restored file to the key rule of the target location. Such operations will not only change the key rule association, but they may also change the rekey status and result in encrypting or decrypting data in the target file.

Files under an LDT policy are accessed based on their LDT attribute. As LDT attributes specify the rekey status and the encryption key applied to the data in target file, this information may not agree with the key rule associated with the file in the LDT policy.

Note

Be sure to understand the consequence of changing the association of target files to different key rules.

Restoring files Causing Key Rule Changes

As noted, restoring a file into a different location in a GuardPoint will change the association of the restored file to the key rule of the target location, as well as change the rekey status and data in the target file. The following table indicates how restoring files affects the key status and the key applied to the restored files.

Source Key Rule: Key rule of the file at the time of backup
Target Key Rule: Key rule of the file restored into the GuardPoint

Source Key Rule	Target Key Rule	Effect	Comment
rekey_excluded (Key A)	Encrypted Key B	rekey_excluded (Key A)
rekey_excluded (Key A)	rekey_no_keyrule	rekey_no_keyrule (Key A)	Note 1
rekey_excluded (Key A)	rekey_excluded (Key A)	rekey_excluded (Key A)
rekey_excluded (Key A)	rekey_excluded (clear_key)	rekey_excluded (Key A)	Note 2
rekey_excluded (clear_key)	Encrypted (Key B)	rekey_excluded (clear_key)	Note 3
rekey_excluded (clear_key)	rekey_no_keyrule	rekey_no_keyrule (clear_key)	Note 4
rekey_excluded (clear_key)	rekey_excluded (Key A)	rekey_excluded (clear_key)	Note 3
rekey_excluded (clear_key)	rekey_excluded (clear_key)	rekey_excluded (clear_key)
rekey_no_keyrule	Encrypted (Key A)	rekey_no_keyrule, Encrypted Key A	Note 5
rekey_no_keyrule	rekey_no_keyrule	rekey_no_keyrule
rekey_no_keyrule	rekey_excluded (clear_key)	rekey_excluded (clear_key)
rekey_no_keyrule	rekey_excluded (Key A)	rekey_excluded (clear_key)	Note 3
Encrypted (Key A)	rekey_no_keyrule	rekey_no_keyrule (Key A)	Note 6
Encrypted (Key A)	Encrypted (Key A)	Encrypted (Key A)
Encrypted (Key A)	rekey_excluded (Key B)	rekey_excluded (Key A)	Note 7
Encrypted (Key A)	rekey_excluded (clear_key)	Local - rekey_excluded (clear_key) NFS – rekey_excluded (Key A)	Note 8

Note

rekey_excluded: Status not preserved and changes to rekey_no_keyrule.
rekey_excluded: Status preserved, data remains encrypted.
rekey_excluded: Status preserved; however, data remains clear despite the key rule associated with the target location.
rekey_excluded: Status is not preserved.
rekey_no_keyrule: Status preserved on the restored file; however, the file will be encrypted during the next rekey process.
rekey_no_keyrule: Status preserved on the restored file; however, data in the file remains encrypted.
rekey_excluded: Status preserved; however, data remains encrypted to the same key despite the key rule associated with the target location.
Different results between GuardPoints on local and NFS.

Renaming files and shared key rules

The following table displays the results of renaming files affecting the key status and the key applied to the file under the new name. Note that renaming files may change the association of the file to another resource set.

Source Key Rule	Target Key Rule	Effect	Comment
Encrypted (Key A)	rekey_excluded (clear_key)	rekey_excluded (clear_key)
Encrypted (Key A)	rekey_no_keyrule	rekey_no_keyrule (clear_key)
Encrypted (Key A)	rekey_excluded (Key A)	rekey_excluded (Key A)
Rekey_excluded (clear_key)	Encrypted (Key A)	Rekey_excluded (clear_key)
Rekey_excluded (clear_key)	rekey_no_keyrule	Rekey_excluded (clear_key)
Rekey_excluded (clear_key)	rekey_excluded (Key A)	Rekey_excluded (clear_key)
Rekey_excluded (Key A)	Encrypted (Key A)	Rekey_excluded (Key A)
Rekey_excluded (Key A)	rekey_no_keyrule	Rekey_excluded (Key A)
Rekey_excluded (Key A)	Rekey_excluded (clear_key)	Rekey_excluded (Key A)
Rekey_no_keyrule	Encrypted (Key A)	Rekey_no_keyrule Encrypted (Key A)	Note 1
Rekey_no_keyrule	Rekey_excluded (Key A)	Rekey_no_keyrule	Note 2
Rekey_no_keyrule	Rekey_excluded (clear_key)	Rekey_no_keyrule

Note

rekey_no_keyrule: Preserved after file rename; however, the file will be encrypted during the next rekey process.
rekey_no_keyrule: Preserved after file rename; however, data remains clear despite the key rule associated with the target location.

Renaming directories and shared key rules

The following table indicates the result of renaming directories affecting the key status and the key applied to each file under the new directory pathname. Note that renaming files may change the association of the file to another resource set.

Source Key Rule	Target Key Rule	Effect	Comment
Encrypted (Key A)	rekey_excluded (clear_key)	Encrypted (Key A)	Note 1
Encrypted (Key A)	rekey_no_keyrule	Encrypted (Key A)	Note 1
Encrypted (Key A)	rekey_excluded (Key A)	Encrypted (Key A)	Note 1
Rekey_no_keyrule	Encrypted (Key A)	Rekey_no_keyrule Encrypted (Key A)	Note 2
Rekey_no_keyrule	rekey_excluded (clear_key)	Rekey_no_keyrule
Rekey_no_keyrule	rekey_excluded (Key A)	Rekey_no_keyrule	Note 3

Note

rekey_status and encryption key: Do not immediately change after rename. During the next rekey process, LDT will decrypt the data in the renamed directory and set the rekey_status=rekey_excluded or rekey_status=rekey_no_keyrule to match the rekey status of the target key rule.
rekey_status and encryption key: Do not immediately change after rename. During the next rekey process, LDT will encrypt the data in the rename directory.
rekey_no_keyrule :Preserved after directory rename; however, data remains clear despite the key rule associated with the target location.

Dynamic Resource Sets

New Key Rule

Example 1

Example 2

Example 3

Rekeying

Example

Effect of Adding a New Key Rule Resulting in Rekey

Example

Example

Feature changes for Dynamic Resource Sets after upgrading CipherTrust Transparent Encryption or CipherTrust Manager

Scenario #1: CTE v7.6 client registers with CipherTrust Manager v2.16

Scenario #2: CTE v7.6 client registers with CipherTrust Manager v2.17 and then upgrades to CTE v7.7

Resetting `rekey_excluded` to `rekey_no_keyrule`

Scenario #3: CTE v7.7 client registers with CipherTrust Manager v2.16, and then CipherTrust Manager is upgraded to v2.17, or a subsequent version

File Operations Causing Key Rule Changes

Restoring files Causing Key Rule Changes

Renaming files and shared key rules

Renaming directories and shared key rules

On this page

Suggest A Change

Dynamic Resource Sets

New Key Rule

Example 1

Example 2

Example 3

Rekeying

Example

Effect of Adding a New Key Rule Resulting in Rekey

Example

Example

Feature changes for Dynamic Resource Sets after upgrading CipherTrust Transparent Encryption or CipherTrust Manager

Scenario #1: CTE v7.6 client registers with CipherTrust Manager v2.16

Scenario #2: CTE v7.6 client registers with CipherTrust Manager v2.17 and then upgrades to CTE v7.7

Resetting rekey_excluded to rekey_no_keyrule

Scenario #3: CTE v7.7 client registers with CipherTrust Manager v2.16, and then CipherTrust Manager is upgraded to v2.17, or a subsequent version

File Operations Causing Key Rule Changes

Restoring files Causing Key Rule Changes

Renaming files and shared key rules

Renaming directories and shared key rules

On this page

Resetting `rekey_excluded` to `rekey_no_keyrule`