Please Note:

Integrations Guides
CTE Agent AIX Integration Guides
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent Linux Integration Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Integrating File Activity Monitoring (FAM) with CTE Linux
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE and Database Activity Monitoring (DAM) Simultaneously
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - COS Overview and Requirements
  - CTE COS S3 Installation Overview
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Guard an AWS Bucket
  - Using a COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify Devices to be Guarded with IDT-Capable GuardPoints
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Automating and Reducing the Duration of Initial Data Transformation
    - Automating and Reducing the Duration of the Subsequent Data Transformations
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating with Intel® Tiber™ Trust Services and Intel TDX, NVidia H100 or AMD SEV-SNP for Confidential Computing
CTE Agent Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
      - Supported FileTables Use Cases
      - Unsupported FileTables Use Cases
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- Integrating Imperva File Activity Monitoring (FAM) with CTE Windows
- CTE with Microsoft DFSR
  - Overview
  - Terminology and Topology
  - Configure DFS(R)
  - CTE Configuration Workflow
  - Creating Required DFS(R) Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFS(R)
    - Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFS(R) Full Mesh Topology
  - Using the LDT Encryption Method
    - Creating an LDT Policy for DFS(R)
    - Creating a LDT GuardPoint for DFS(R)
    - CTE QoS Throttling and Rekey Scheduling
  - Troubleshooting
  - CTE Client Groups
- Encrypt Active Directory Database with Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- Setting up Microsoft DPM with CTE

Integrating File Activity Monitoring (FAM) with CTE Linux

Note

This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).

Software Requirements

Software	Minimum Version Required
CipherTrust Transparent Encryption	7.8.0.75
CipherTrust Manager	2.19 or subsequent versions

Overview of FAM on CTE agents

File Activity Monitoring (FAM) catalogs, monitors, and secures unstructured data (files). Unstructured data refers to any data that is not stored in databases. You can find these files locally, on the network, or in the cloud. FAM provides insights into data location, ownership, access history, permissions, protection, sharing, and sensitivity, enabling informed decisions about data protection.

For more information on FAM, see the Introduction to the File Activity Monitoring User Guide

CTE agents enabled with both File System Encryption and FAM capabilities can perform file system monitoring and audit file operations, as per the requirements of the Data Security Fabric (DSF) policies.

Scope of FAM on CTE host

Enabling FAM will also monitor activity on files outside of CTE GuardPoints.

Note

FAM will not monitor activity on canary files with CTE RWP feature enabled

File Monitoring

The CTE agents monitor and audit user and application access to all files. Monitoring is not limited to files inside of CTE GuardPoints. Files outside of CTE GuardPoints are also monitored, except for those in the following directories:

Linux

/dev
/roc
/sys
/media
/opt/vormetric 
/CTE-custom-install-location

Windows

\BOOT
\Windows
\Program Files*
\Users\*\APPDATA\ROAMING\MICROSOFT\WINDOWSAPPDATA\ROAMING\MICROSOFT\WINDOWS*
\Users\*\APPDATA\LOCAL\MICROSOFT\*
\Users\*\APPDATA\LOCAL\TEMP\*
\Users\*\APPDATA\LOCAL\PACKAGES\*
\Users\*\APPDATA\LOCAL\GOOGLE\CHROME\*
\PROGRAMDATA\MICROSOFT\*
\PROGRAMDATA\DELL\*

Also excluded from monitoring:

VSS volumes
DFSR private folders
CSV volumes
File operations performed by:
- CTE internal processes
- Thales Data Discovery and Classification processes
- CTE-managed internal system operations
- Metadata files

FAM Policies vs CTE Policies

FAM policies, which are similar to CTE policies with respect to security rules, allow you to monitor activity on specific data locations and/or by specific users. FAM policies only allow audit rules to specify/filter the content to be monitored. They do not impact access to the file.

Note

FAM policies are associated with the entire client, as compared to CTE policies which are limited to a particular GuardPoint path.

Performance Impact of FAM on CTE

File activity monitoring and audits consume system resources. This can potentially affect the performance of system and critical applications running on CTE agents. You can reduce the performance impact on the DSF management console by modifying the monitoring rules of the FAM policy applied to the CTE agent. For example:

File operations, such as reading file attributes, are operations that are performed very frequently by applications and system utilities.
If the CTE GuardPoint has policy rules with audit enabled, then with FAM also enabled, there may be additional overhead/performance impact due to the additional FAM policy evaluation and logging. However, the policy has no impact on file access/permissions.

Adjustments in the FAM policy to reduce, or eliminate highly frequent operations, can decrease the impact of FAM. Consult the FAM documentation for information on adjusting the FAM policy.

Enabling FAM on CTE Agent

You can enable FAM on CTE agent during CTE registration, or through the API.

Enable during Registration <!---link to cte-u install>

After installing CTE, you enable FAM when registering, or re-registering, to CipherTrust Manager. During registration, you are prompted with the following two questions:

Do you want this host to have Filesystem encryption support enabled on the server?  (Y/N) [Y]: Y

Do you want this host to have File Activity Monitoring support enabled?  (Y/N) [N]: Y

Make sure that you answer Y to both questions.

Restart Secfs

For CipherTrust Manager v2.19 on Linux, post registration, you must restart secfs. This is not required for CipherTrust Manager v2.20 and subsequent versions. To restart secfs:

Type:
```
/etc/vormetric/secfs stop
```
Type:
```
/etc/vormetric/secfs start
```

Enable through the CM API

You can enable FAM on CTE, post registration:

As part of the CTE upgrade on reboot process.
Through the CM API available for CM 2.20 and subsequent versions. See the API documentation available through the CipherTrust Manager software.
Through the DSF management console. Refer to DSF documentation for more information.

Disabling FAM on CTE

For CipherTrust Manager v2.19, you cannot completely disable FAM once enabled. However, you can remove the FAM policy associated with the client to temporarily disable FAM audit logging/monitoring.
For CipherTrust Manager v2.20, you can disable FAM on CTE agent through the DSF management console or through the CM API. Refer to DSF documentation for disabling FAM on CTE agents.

Voradmin Support for FAM

The voradmin utility allows you to gather statistics and administer CTE on a host/client. It has slightly different syntax and command capabilities depending on whether the host/client is running in Linux or Windows. The voradmin command provides minimal support for FAM administration on CTE agents. You can check the state of FAM and the FAM policy name applied to the CTE host.

The following command reports the state of FAM, the FAM policy name applied to the CTE host, and the DSF GW configuration for forwarding FAM audits to the DSF GWs.

voradmin fam show config

FAM Output when policy not applied

Example

    # voradmin fam show config

Response

    FAM_STATE  : DISABLED
    FAM_POLICY : Not Applied

FAM Output when policy applied

Example

    # voradmin fam show config

Response

    FAM_STATE  : ACTIVE
    FAM_POLICY : fam-all-ops-policy

Limitation

File path names included in the FAM audits that are generated from file operations performed inside Linux containers, or namespaces, under chroot enforcement, are relative to the directory created by the chroot, or container, as the root directory.
CTE enforces a limit of 128 characters in the FAM policy names. FAM audits resulting from policies exceeding this limit, will have the policy name trimmed to the this limit.

Suggest A Change

Integrating File Activity Monitoring (FAM) with CTE Linux

Software Requirements

Overview of FAM on CTE agents

Scope of FAM on CTE host

File Monitoring

FAM Policies vs CTE Policies

Performance Impact of FAM on CTE

Enabling FAM on CTE Agent

Enable during Registration <!---link to cte-u install>

Restart Secfs

Enable through the CM API

Disabling FAM on CTE

Voradmin Support for FAM

FAM Output when policy not applied

FAM Output when policy applied

Limitation

On this page