Creating a CTE-LDT Policy for DFS(R)
- Log into the CipherTrust Manager Console and switch to the correct domain if required.
- If you do not already know which versioned key you want to use to encrypt the data, or you want to create a new key for the DFS(R) namespace, launch the Keys & Access Management application and locate an existing versioned key or create a new one. For details on creating a versioned key for CTE-LDT, see Creating an Encryption key.
- Launch the Transparent Encryption application.
- In the left-hand menu bar, click Policies.
- Click Create Policy.
- Enter a name for the policy in the Name field.
- In the Policy Type field, select Live Data Transformation.
- Click Next.
- On the Security Rules page, make sure there is a security rule with the action key_op and the effect permit,applykey. CipherTrust Manager adds this rule automatically for LDT policies; if it is not present, go back to the General Info page and confirm that the policy type is set to Live Data Transformation.
- On the Security Rules page, click Create Security Rule and add the following security rule:
  - In the User Set field, select the user set you created that contains NT AUTHORITY. For details, see Creating Required DFS(R) Policy Components.
  - In the Process Set field, select the process set you created that contains the required DFS(R) processes dfsrs.exe and ntoskrnl.exe.
  - In the Action field, select all_ops.
  - In the Effect field, select Permit.
- When you are finished, click Add to save the security rule.
- Add any other security rules that you need to your policy. When you are finished, click Next.
- On the Key Rules page, click Create Key Rule and add the following key rule:
  - In the Current Key field, select clear_key.
    Caution: In a DFS(R) environment, you must apply the LDT policy to unencrypted data ONLY (the current key must be set to clear_key). If your data is already encrypted, you must decrypt it and remove the existing GuardPoints before re-encrypting the data with a new key.
  - In the Transformation Key field, select the LDT versioned key that you want to use to encrypt the data.
- When you are finished, click Add to save the key rule.
- Click Next.
- Verify the policy information and click Save to save the LDT policy.
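The procedure above is a sequence of console clicks, so the rules that make the resulting policy valid for DFS(R) (the automatic key_op / permit,applykey rule, the NT AUTHORITY + dfsrs.exe/ntoskrnl.exe all_ops rule, and a key rule whose current key is clear_key and whose transformation key is an LDT versioned key) are easy to get wrong and only show up later as a failed transformation. The following lint, written for this page as an added example and not part of the CipherTrust documentation or product, checks an exported policy description against those rules before you save it. The dict layout, the `transformation_key_versioned` flag and the sample policies are constructed for the example; they are a simplified stand-in for what the console screens capture, not the CipherTrust Manager REST schema.

```python
"""Lint a CTE-LDT policy definition intended for a DFS(R) namespace.

Added example for this page; it is not part of the CipherTrust documentation
and does not call the CipherTrust Manager API. The dict layout below is a
hypothetical, simplified representation of what the console screens capture
(policy type, security rules, key rules), not the product's REST schema.
"""
import copy

REQUIRED_USER = "NT AUTHORITY"                      # user set the page requires
REQUIRED_PROCESSES = {"dfsrs.exe", "ntoskrnl.exe"}  # process set the page requires
LDT_TYPE = "Live Data Transformation"


def lint_ldt_policy(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means the policy passes."""
    problems = []

    if policy.get("policy_type") != LDT_TYPE:
        problems.append(f"policy_type must be '{LDT_TYPE}', got {policy.get('policy_type')!r}")

    sec_rules = policy.get("security_rules", [])

    # Rule that CipherTrust Manager adds automatically to every LDT policy.
    if not any(r.get("action") == "key_op" and r.get("effect") == "permit,applykey"
               for r in sec_rules):
        problems.append("missing security rule: action key_op, effect permit,applykey")

    # DFS(R) service rule: NT AUTHORITY user set, dfsrs.exe + ntoskrnl.exe
    # process set, action all_ops, effect Permit.
    def is_dfsr_rule(r: dict) -> bool:
        procs = {p.lower() for p in r.get("process_set", [])}
        return (r.get("action") == "all_ops"
                and str(r.get("effect", "")).lower() == "permit"
                and REQUIRED_USER in r.get("user_set", [])
                and REQUIRED_PROCESSES <= procs)

    if not any(is_dfsr_rule(r) for r in sec_rules):
        problems.append("missing DFS(R) security rule: user set with NT AUTHORITY, "
                        "process set with dfsrs.exe and ntoskrnl.exe, all_ops, Permit")

    key_rules = policy.get("key_rules", [])
    if not key_rules:
        problems.append("no key rule defined")
    for i, kr in enumerate(key_rules):
        # DFS(R) caution: LDT must start from cleartext, so current key is clear_key.
        if kr.get("current_key") != "clear_key":
            problems.append(
                f"key rule {i}: current_key must be clear_key for DFS(R), got "
                f"{kr.get('current_key')!r}; decrypt the data and remove the existing "
                "GuardPoints before re-encrypting with a new key")
        tk = kr.get("transformation_key")
        if not tk or tk == "clear_key":
            problems.append(f"key rule {i}: transformation_key must be an LDT versioned key")
        elif not kr.get("transformation_key_versioned", False):   # hypothetical flag
            problems.append(f"key rule {i}: transformation key {tk!r} is not versioned")

    return problems


# Constructed sample: the policy the procedure above produces.
GOOD_POLICY = {
    "name": "dfsr-ldt-policy",
    "policy_type": LDT_TYPE,
    "security_rules": [
        {"action": "key_op", "effect": "permit,applykey"},
        {"user_set": ["NT AUTHORITY"],
         "process_set": ["dfsrs.exe", "ntoskrnl.exe"],
         "action": "all_ops", "effect": "Permit"},
    ],
    "key_rules": [
        {"current_key": "clear_key",
         "transformation_key": "dfsr-ldt-key",      # hypothetical key name
         "transformation_key_versioned": True},
    ],
}

# Constructed sample: same policy, but the current key points at an existing
# key, i.e. the data is already encrypted, which the DFS(R) caution forbids.
BAD_POLICY = copy.deepcopy(GOOD_POLICY)
BAD_POLICY["key_rules"][0]["current_key"] = "old-aes-key"   # hypothetical key name


if __name__ == "__main__":
    for label, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_ldt_policy(pol) or "OK")
```

Run the lint on the policy description before clicking Save; a non-empty list is the set of fixes to make in the console. The process names are compared case-insensitively because the Windows image names are not case-sensitive, but the user set string is matched exactly as the page spells it.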