Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

User Guides
Integrations and Solutions
CTE Use Cases
Release Notes
Patch Notes
Additional Resources
Previous Releases

All

All

Using the Standard Encryption Method

Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

Please Note:

Integrations and Solutions
CTE Agent AIX Integration Guides
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent Linux Integration and Solutions Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE and Imperva Database Activity Monitoring (DAM) Simultaneously
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify Devices to be Guarded with IDT-Capable GuardPoints
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Automating and Reducing the Duration of Initial Data Transformation
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
- Integrating CTE with a Kafka
CTE Agent Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
      - Supported FileTables Use Cases
      - Unsupported FileTables Use Cases
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with Microsoft DFSR
  - Overview
  - Terminology and Topology
  - Configure DFS(R)
  - CTE Configuration Workflow
  - Creating Required DFS(R) Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFS(R)
    - Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFS(R) Full Mesh Topology
  - Using the LDT Encryption Method
    - Creating a CTE-LDT Policy for DFS(R)
    - Creating a LDT GuardPoint for DFS(R)
    - CTE QoS Throttling and Rekey Scheduling
  - Troubleshooting
  - CTE Client Groups
- Encrypt Active Directory Database with Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- Encrypt Microsoft OneDrive files with CTE
- Setting up Microsoft DPM with CTE

CipherTrust Transparent Encryption Agent
Integrations and Solutions
CTE Agent Windows Integration Guides
CTE with Microsoft DFSR
Using the Standard Encryption Method
Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

Hub-and-spoke is the only topology that allows for encrypting the folders that need protection on each individual server, sequentially, starting with the Hub (think of it as the primary active node).

If you are using the hub and spoke DFS(R) topology, you should encrypt the data on the hub and then encrypt the data on the spokes. After you have encrypted the data on the hub server, you have two options for the data on the spoke servers:

Option 1: Delete the existing spoke server data and allow DFS(R) to replicate the encrypted hub data to all of the spoke servers.

The advantage to this method is that you only need to encrypt the data on the hub. The disadvantage is that it will take time to replicate the data to all of the spoke servers.
Option 2: Encrypt each Spoke server using the same encryption process as you use on the hub server.

The advantage to this method is that you do not need to wait for the full data replication process across the network. The disadvantage is that you must run the encryption process on all Spoke servers.

Prerequisites

Make sure you have a valid backup of the data you plan to encrypt.
Make sure you know what devices or directories you plan to protect.
Make sure you understand how data transformation GuardPoints are created.
Make sure you have an initial encryption and a production policy as described in Creating Standard Policies for DFS(R).

Note

The following procedures assume you are using dataxform to encrypt the data in place.

Procedure for Option 1: Use DFS(R) to Replicate the Encrypted Data

Disable user and application access to all devices and directories, on the hub server and all spoke servers, in the namespace, you intend to encrypt so that no users can add or change the data during the transformation process.

Note

You do not have to disable the namespace.
On the hub server:
1. Stop the DFS(R) service.
2. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.
  - Make sure that all GuardPoints are at or above the level of the DFS(R) replication point.
  - Do not create GuardPoints for the DfsrPrivate directories yet.
3. On the hub server, run the dataxform utility as described in the CTE Data Transformation Guide.
4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and guard them using the production DFS(R) policy.
5. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.
Warning

Do not start the DFS(R) service yet.
On each spoke server:
1. Stop the DFS(R) service on the spoke server.
2. Delete the data in all devices and directories that you added GuardPoints for on the hub server.
3. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server, making sure that you apply the same standard policy to each GuardPoint on the spoke server that you applied on the hub server.
  
  Make sure you also create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server.
Note

Because the directories are empty, you do not need to use the initial encryption policy or the dataxform utility on the spoke servers. You can just guard the empty directory and the private directories directly using the production policy.
1. Start the DFS(R) service on the spoke server.
Repeat the previous step for each spoke server in the configuration.
When every spoke server has the exact same production GuardPoints as the hub server, return to the hub server and do the following:
1. Start the DFS(R) service on the hub.
2. Force replication from the hub to the spokes.
When replication is complete for all spokes in the configuration, re-enable user and application access to the devices and directories that you encrypted.

Procedure for Option 2: Encrypt the Data on All Servers

Disable user and application access to all devices and directories that you intend to encrypt so that no users can add or change the data during the transformation process. This must be done on the hub server and all spoke servers in the namespace.

Note

You do not have to disable the namespace.
On the hub server:
1. Disable access to the hub server so that no one can change the data during the transformation process.
2. Stop the DFS(R) service on the hub.
3. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.
  - Make sure that all GuardPoints are at or above the level of the DFS(R) replication point.
  - Do not create GuardPoints for the DfsrPrivate directories yet.
4. Run the dataxform utility on the hub server as described in the CTE Data Transformation Guide.
5. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the production DFS(R) policy.
6. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that resides with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.
7. Restart the DFS(R) service on the hub server.
On each spoke server:
1. Stop the DFS(R) service on the spoke server.
2. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server. Make sure that you apply the same initial encryption policy to the GuardPoints on the spoke server that you applied on the hub server.
  
  Warning
  
  Do not create the DfsrPrivate GuardPoints yet.
3. On the spoke server, run the dataxform utility.
4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the same production DFS(R) policy that you used for the corresponding GuardPoint on the hub server.
5. Create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.
6. Restart the DFS(R) service on the spoke server.
7. Re-enable user and application access to the spoke server.
Repeat the previous steps for each spoke server in the configuration.
When data encryption is complete for all spokes in the configuration, re-enable user and application access to the devices and directories you encrypted.

On this page

CipherTrust Transparent Encryption Agent

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com