CTE Policies for Exchange DAG
The CTE policies you need depend on the type of encryption you will be using.

- When you use CTE-LDT encryption, you only need to create one Live Data Transformation policy. This policy is used both for the initial data encryption and for guarding the data in production. CTE-LDT requires a versioned CBC or CBC_CS1 key in order to perform automatic key rotation.

- When you use standard encryption, you need to create two policies:

  - The initial encryption policy specifies the current encryption key (if any) and the encryption key you want CTE to use when it encrypts the data. This policy also denies access to any other process that tries to access the GuardPoint.
    You apply the initial encryption policy when you first create the GuardPoint, and you leave it in place until all of the data has been encrypted. After that, you remove this policy from the GuardPoint.

  - The production policy specifies the same encryption key as the initial encryption policy, along with any security rules you want to use to protect your data in production. After the initial encryption has completed, you apply the production policy to the GuardPoint and allow users and applications to access the now-protected data.
Note:
There are no special CTE policy requirements for Exchange DAG with either CTE-LDT or Standard encryption. Therefore, you can use the same policies in an Exchange DAG environment that you use for any other CTE-protected directory.
The only special requirement for Exchange DAG is the guard path you specify when you create the GuardPoint. You must guard the Mailbox directory only. Do not guard above or below the Mailbox directory. For details, see Encrypting with CTE-LDT in an Exchange DAG Environment or Encrypting with a Standard CTE Policy in the Exchange DAG Environment.
How you create these policies depends on the key manager that you are using. For details, see one of the following: