Encrypting with a Standard CTE Policy in the Exchange DAG Environment

Prerequisites

Before you can start the standard (offline) data encryption process, you need to:

• Decide if you will be using the copy/restore method or the CTEdataxform utility in order to perform the initial encryption. For details about these methods and their specific benefits and limitations, see the CTE Data Transformation Guide for the version of CTE that you are using.

• Create or identify the encryption key that you want to use for the initial data encryption.

• Create or identify the Standard policies that you want to use for the initial data encryption and for protecting the data in production after it has been initially encrypted. For details, see Creating Policies for Standard Encryption with CipherTrust Manager.

Procedure

1. In the Exchange Admin Center, make Exchange node 1 the primary node.

   This means that node 1 is mounted as the active node and node 2 is mounted as the passive node.

2. Make all of the databases active on Exchange node 1.

3. Go to the Exchange Database tab and suspend all database on node 2.

   Make sure that all of the exchange database services in node 2 are down and not accessing the Exchange databases. This process can take several minutes.

   Warning

   Make sure that all of the Exchange services in node 2 are down and not accessing the Exchange databases. All Exchange Services must be stopped, all databases must be suspended, and all data replication between the nodes must be stopped. Any file access on the node during the encryption process could cause data corruption.

4. When you are certain that all Exchange DAG services have been suspended on node 2, create the GuardPoints you want to use on node 2 with the appropriate Standard data transformation policy that you want to use for the initial data encryption. When you create the GuardPoints:

   • Make sure you are guarding each host individually. Do not assign the GuardPoints using a Host or Client Group because you only want these GuardPoints to exist on node 2 at this point.

   • Important: When you specify the guard path, only guard the Mailbox Database. Do not guard at a higher or lower directory. For example:

     • Correct: C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1088388171\

     • Incorrect: C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1088388171\Inbox\ — This is not correct because it's below the mailbox database directory.

   • Make sure that Secure Start is on for the GuardPoints.

   The following example shows two correctly-specified GuardPoints in CipherTrust Manager:

   

5. After all GuardPoints on node 2 have been enabled, run the dataxform utility for each GuardPoint:

   dataxform --rekey --print_stat --gp <directory>
   

6. After the data transformation is finished, unguard each mailbox on node 2, then re-guard each mailbox on node 2 with the appropriate Production policy.

   Note

   Use the same Key/Policy on both nodes.

7. In the Exchange Admin Center, go to the Exchange Database tab and resume all databases on node 2.

   After a few minutes, all nodes should become Healthy.

   Warning

   It may take a few minutes for the Exchange Service to resync. Monitor the Exchange logs on the system and make sure that replication is working. Make sure that database replication finishes and databases are in a healthy state before proceeding.

8. In the Exchange Admin Center, try to move a database from node 1 to node 2. If the data move is successful this means that node 2 is mounted as the active node and node 1 is mounted as the passive node.

9. Create the same GuardPoints on node 1 that you created on node 2. Make sure that all GuardPoints on node 1 are identical to those on node 2.

   Warning

   You must guard the same databases with the same Standard Policy and the same encryption key on both nodes.