Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Guarding a Teradata Database Device

Automating and Reducing the Duration of the Subsequent Data Transformations

search

Please Note:

printsuggest an editpdf paneldownload

Automating and Reducing the Duration of the Subsequent Data Transformations

You can use the cte-idt-rekey.sh script to perform subsequent rekey operations using embedded metadata on a set of IDT-Capable devices configured with external metadata. This reduces the time needed to rekey the devices, as the external metadata is a bottleneck when performing rekey on multiple concurrent devices. The script works by converting each device to IDT with embedded metadata before launching rekey. Embedded IDT metadata makes rekey operations significantly faster. The process of converting to embedded metadata is accomplished by:

  1. Saving the first 63 MB of the device.

  2. Copying the external metadata into the first 63 MB of the device.

  3. Renaming the external metadata file to disable the use of external metadata.

  4. Upon completion of rekey, the script then copies the first 63 MB out of the new external metadata file, and then restores the original 63 MB of the device that had been the backup, before the device converted it to IDT with the external metadata.

Note

  • This script is only compatible with CTE v7.7.0.100 and subsequent versions.

  • This script only works for subsequent rekey operations. Use the script: cte-pdisk-idt.sh for the initial data transformation.

  • Thales recommends that you backup the data on the devices before starting the transformation process.

copy link to clipboardPrerequisites

  • Your policy for the external metadata directory must allow read/write access for the dd, mv, rm, and stat binaries.

  • Your policy for the raw device must allow read/write access with apply key effect for the dd binary.

copy link to clipboardApplying the Script

The following steps describe how to use the script for a set of devices in a clique with one, or multiple, nodes. In a multi-node clique, each node should perform the same steps with a different set of disks so that the work of rekeying all of the disks in the clique is distributed across the members.

Note

Do not run the script on Hot Standby Nodes (HSNs).

  1. Copy the /root/cte-idt-rekey.sh from /opt/teradata/vormetric/agent/secfs/.sec/bin to /root.

  2. Shutdown Teradata.

  3. Create a list of the disks on which to perform subsequent rekey operations. The path to the disks must be the same as the disks that the GuardPoints are set on.

  4. Create a directory, /var/opt/teradata/vormetric/backup, for the backups for the first 63 MB to be saved.

  5. Apply a GuardPoint to that directory with a standard policy that encrypts the data and allows read/write access.

  6. Modify the policy set on the external metadata directory, /var/opt/teradata/vormetric/vte-metadata-dir, and the devices, to allow read/write access so that the script can manipulate the external metadata files.

  7. Prepare an alternate policy if needed.

    If using a new policy to rekey the device, create a new policy with the current key set to the transformation key from the existing policy, and a new XTS key as the transformation key. For example, if the current policy encrypts from clear to XTS-key1; the new policy should encrypt from XTS-key1 to XTS-key2. The new policy must also allow dd read/write access. You can remove this access from the policy after all of the steps have been completed.

  8. Run the script with the backup option and pass in the disk list:

    /root/cte-idt-rekey.sh backup /<path/to/disks>.list

  9. Wait for the script to finish the backup on all of the nodes in the clique.

  10. Unguard all of the IDT device GuardPoints.

  11. Alter the policy to use the new key (unless using a new alternate policy from step 8).

  12. Re-guard all of the devices with manual GuardPoints.

  13. Run the script with the rekey option and pass in the disk list:

    /root/cte-idt-rekey.sh rekey /<path/to/disks>.list

  14. Follow the on-screen prompts to enter the number of threads desired for rekey.

  15. Wait for the script to finish rekey on all of the nodes in the clique.

  16. Ensure that the external metadata files on all of the nodes in the clique are identical to the files on the node that ran the script. Verify this by running the command: md5sum <file> for the metadata files on all of the nodes within a clique to verify their consistency. If there is a discrepancy, overwrite the inconsistent metadata file with the file from the node used to rekey the device.

  17. Remove the manual GuardPoints set in step 12 and re-guard with autoguard GuardPoints in the same manner as the original configuration.

  18. Verify the data and access to the device(s) with the command: verify_pdisks.

  19. Undo the modifications to the policy on the external metadata directory: /var/opt/teradata/vormetric/vte-metadata-dir.

  20. Unguard and remove the backup directory /var/opt/teradata/vormetric/backup.

  21. Start Teradata.

On this page