Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Using the Standard Encryption Method

Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

search

Please Note:

printsuggest an editpdf paneldownload

Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology

Hub-and-spoke is the only topology that allows for encrypting the folders that need protection on each individual server, sequentially, starting with the Hub (think of it as the primary active node).

If you are using the hub and spoke DFS(R) topology, you should encrypt the data on the hub and then encrypt the data on the spokes. After you have encrypted the data on the hub server, you have two options for the data on the spoke servers:

  • Option 1: Delete the existing spoke server data and allow DFS(R) to replicate the encrypted hub data to all of the spoke servers.

    The advantage to this method is that you only need to encrypt the data on the hub. The disadvantage is that it will take time to replicate the data to all of the spoke servers.

  • Option 2: Encrypt each Spoke server using the same encryption process as you use on the hub server.

    The advantage to this method is that you do not need to wait for the full data replication process across the network. The disadvantage is that you must run the encryption process on all Spoke servers.

copy link to clipboardPrerequisites

  • Make sure you have a valid backup of the data you plan to encrypt.

  • Make sure you know what devices or directories you plan to protect.

  • Make sure you understand how data transformation GuardPoints are created.

  • Make sure you have an initial encryption and a production policy as described in Creating Standard Policies for DFS(R).

Note

The following procedures assume you are using dataxform to encrypt the data in place.

copy link to clipboardProcedure for Option 1: Use DFS(R) to Replicate the Encrypted Data

  1. Disable user and application access to all devices and directories, on the hub server and all spoke servers, in the namespace, you intend to encrypt so that no users can add or change the data during the transformation process.

    Note

    You do not have to disable the namespace.

  2. On the hub server:

    1. Stop the DFS(R) service.

    2. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.

      Note

      Make sure that all GuardPoints are at, or above, the level of the DFS(R) replication point. For example:

      • If the replication point is D:\, the CTE GuardPoint must also be at D:\. Adding a GuardPoint on a directory in D:\, such as D:\data\, fails.

      • If the replication point is D:\data\, you can add a GuardPoint at D:\data\ or D:\, but you cannot add a GuardPoint on a subdirectory of D:\data\ such as D:\data\HR-files\.

      • Do not create GuardPoints for the DfsrPrivate directories yet.

    3. On the hub server, run the dataxform utility as described in the CTE Data Transformation Guide.

    4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and guard them using the production DFS(R) policy.

    5. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.

    Warning

    Do not start the DFS(R) service yet.

  3. On each spoke server:

    1. Stop the DFS(R) service on the spoke server.

    2. Delete the data in all devices and directories that you added GuardPoints for on the hub server.

    3. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server, making sure that you apply the same standard policy to each GuardPoint on the spoke server that you applied on the hub server.

      Make sure you also create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server.

    Note

    Because the directories are empty, you do not need to use the initial encryption policy or the dataxform utility on the spoke servers. You can just guard the empty directory and the private directories directly using the production policy.

    1. Start the DFS(R) service on the spoke server.

  4. Repeat the previous step for each spoke server in the configuration.

  5. When every spoke server has the exact same production GuardPoints as the hub server, return to the hub server and do the following:

    1. Start the DFS(R) service on the hub.

    2. Force replication from the hub to the spokes.

  6. When replication is complete for all spokes in the configuration, re-enable user and application access to the devices and directories that you encrypted.

copy link to clipboardProcedure for Option 2: Encrypt the Data on All Servers

  1. Disable user and application access to all devices and directories that you intend to encrypt so that no users can add or change the data during the transformation process. This must be done on the hub server and all spoke servers in the namespace.

    Note

    You do not have to disable the namespace.

  2. On the hub server:

    1. Disable access to the hub server so that no one can change the data during the transformation process.

    2. Stop the DFS(R) service on the hub.

    3. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.

      • Make sure that all GuardPoints are at or above the level of the DFS(R) replication point.

      • Do not create GuardPoints for the DfsrPrivate directories yet.

    4. Run the dataxform utility on the hub server as described in the CTE Data Transformation Guide.

    5. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the production DFS(R) policy.

    6. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that resides with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure you use the same production policy for the DfsrPrivate directory that you used for the main directory.

    7. Restart the DFS(R) service on the hub server.

  3. On each spoke server:

    1. Stop the DFS(R) service on the spoke server.

    2. In your key manager, create the same GuardPoints on the spoke server that you created on the hub server. Make sure that you apply the same initial encryption policy to the GuardPoints on the spoke server that you applied on the hub server.

      Warning

      Do not create the DfsrPrivate GuardPoints yet.

    3. On the spoke server, run the dataxform utility.

    4. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the same production DFS(R) policy that you used for the corresponding GuardPoint on the hub server.

    5. Create the same DfsrPrivate GuardPoints on the spoke server that you created on the hub server. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.

    6. Restart the DFS(R) service on the spoke server.

    7. Re-enable user and application access to the spoke server.

  4. Repeat the previous steps for each spoke server in the configuration.

  5. When data encryption is complete for all spokes in the configuration, re-enable user and application access to the devices and directories you encrypted.

On this page