Creating Standard GuardPoints with the DFS(R) Full Mesh Topology

If you are using the full mesh DFS(R) topology, you must restrict access to the data on all servers in the namespace until it has been encrypted on all servers in the namespace. That means the data will be inaccessible to users and applications until the encryption procedure has been completed on all servers.

Prerequisites

• Make sure you have a valid backup of the data you plan to encrypt.

• Make sure you know what devices or directories you plan to protect.

• Make sure you understand how data transformation GuardPoints are created.

• Make sure you have an initial encryption and a production policy as described in Creating Standard Policies for DFS(R).

Procedure

1. On all servers in the configuration:

   • Disable user and application access to all devices and directories you intend to encrypt so that no users can add or change the data during the transformation process.

   • Stop the DFS(R) service.

2. On one of the servers in the configuration:

   1. In your key manager, create the GuardPoints that you want to encrypt and apply the initial encryption policy to those GuardPoints.

      Note

      Make sure that all GuardPoints are at, or above, the level of the DFS(R) replication point. For example:

      • If the replication point is D:\, the CTE GuardPoint must also be at D:\. Adding a GuardPoint on a directory in D:\, such as D:\data\, fails.

      • If the replication point is D:\data\, you can add a GuardPoint at D:\data\ or D:\, but you cannot add a GuardPoint on a subdirectory of D:\data\ such as D:\data\HR-files\.

      • Do not create GuardPoints for the DfsrPrivate directories yet.

   2. Run the dataxform utility as described in the CTE Data Transformation Guide.

   3. After the data encryption process has completed, unguard the GuardPoints that use the initial encryption policy and re-guard them using the production DFS(R) policy.

   4. If any of your GuardPoints are at the directory level, create a GuardPoint for the <dir name>\DfsrPrivate directory that goes with that GuardPoint. For example, If the GuardPoint is D:\data\, the private directory would be D:\data\DfsrPrivate. Make sure that you use the same production policy for the DfsrPrivate directory that you used for the main directory.

3. Repeat the previous steps for each one of the servers in the configuration.

4. When you are finished, the production GuardPoints should be identical on every server in the namespace.

5. Restart the DFS(R) service on the each server in the namespace.

6. Re-enable user and application access to all devices and directories.