Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

Hub-and-spoke is the only topology that allows for encrypting the folders that need protection on each individual server, sequentially, starting with the Hub (think of it as the primary active node).

If you are using the hub and spoke DFS(R) topology, you should encrypt the data on the hub and then encrypt the data on the spokes. After you have encrypted the data on the hub server, you have two options for the data on the spoke servers:

• Option 1: Delete the existing spoke server data and allow DFS(R) to replicate the encrypted hub data to all of the spoke servers.

  The advantage to this method is that you only need to encrypt the data on the hub. The disadvantage is that it will take time to replicate the data to all of the spoke servers.

• Option 2: Encrypt each Spoke server using the same encryption process as you use on the hub server.

  The advantage to this method is that you do not need to wait for the full data replication process across the network. The disadvantage is that you must run the encryption process on all Spoke servers.

Prerequisites

• Make sure you have a valid backup of the data you plan to encrypt.

• Make sure you know what devices or directories you plan to protect.

• Make sure you understand how data transformation GuardPoints are created.

• Make sure you have an initial encryption and a production policy as described in Creating Standard Policies for DFS(R).

  The following procedures assume you are using dataxform to encrypt the data in place.

Procedure for Option 1: Use DFS(R) to Replicate the Encrypted Data

1. Disable user and application access to all devices and directories, on the hub server and all spoke servers, in the namespace, you intend to encrypt so that no users can add or change the data during the transformation process.

   You do not have to disable the namespace.

2. On the hub server:

   1. Stop the DFS(R) service.

   2. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.

      • Make sure that all GuardPoints are at or above the level of the DFS(R) replication point.

      • Do not create GuardPoints for the DfsrPrivate directories yet.

   3. On the hub server, run the dataxform utility as described in the CTE Data Transformation Guide.

   4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and guard them using the production DFS(R) policy.

   5. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.

      Do not start the DFS(R) service yet.

3. On each spoke server:

   1. Stop the DFS(R) service on the spoke server.

   2. Delete the data in all devices and directories that you added GuardPoints for on the hub server.

   3. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server, making sure that you apply the same standard policy to each GuardPoint on the spoke server that you applied on the hub server.

      Make sure you also create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server.

      Because the directories are empty, you do not need to use the initial encryption policy or the dataxform utility on the spoke servers. You can just guard the empty directory and the private directories directly using the production policy.

   4. Start the DFS(R) service on the spoke server.

4. Repeat the previous step for each spoke server in the configuration.

5. When every spoke server has the exact same production GuardPoints as the hub server, return to the hub server and do the following:

   1. Start the DFS(R) service on the hub.

   2. Force replication from the hub to the spokes.

6. When replication is complete for all spokes in the configuration, re-enable user and application access to the devices and directories that you encrypted.

Procedure for Option 2: Encrypt the Data on All Servers

1. Disable user and application access to all devices and directories that you intend to encrypt so that no users can add or change the data during the transformation process. This must be done on the hub server and all spoke servers in the namespace.

   You do not have to disable the namespace.

2. On the hub server:

   1. Disable access to the hub server so that no one can change the data during the transformation process.

   2. Stop the DFS(R) service on the hub.

   3. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.

      • Make sure that all GuardPoints are at or above the level of the DFS(R) replication point.

      • Do not create GuardPoints for the DfsrPrivate directories yet.

   4. Run the dataxform utility on the hub server as described in the CTE Data Transformation Guide.

   5. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the production DFS(R) policy.

   6. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that resides with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.

   7. Restart the DFS(R) service on the hub server.

3. On each spoke server:

   1. Stop the DFS(R) service on the spoke server.

   2. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server. Make sure that you apply the same initial encryption policy to the GuardPoints on the spoke server that you applied on the hub server.

      Do not create the DfsrPrivate GuardPoints yet.

   3. On the spoke server, run the dataxform utility.

   4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the same production DFS(R) policy that you used for the corresponding GuardPoint on the hub server.

   5. Create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.

   6. Restart the DFS(R) service on the spoke server.

   7. Re-enable user and application access to the spoke server.

4. Repeat the previous steps for each spoke server in the configuration.

5. When data encryption is complete for all spokes in the configuration, re-enable user and application access to the devices and directories you encrypted.