Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

User Guides
Integrations and Solutions
CTE Use Cases
Release Notes
Patch Notes
Additional Resources
Previous Releases

All

All

CTE with Microsoft DFSR

Overview

Please Note:

Integrations and Solutions
CTE Agent AIX Integration Guides
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent Linux Integration and Solutions Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE and Imperva Database Activity Monitoring (DAM) Simultaneously
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify Devices to be Guarded with IDT-Capable GuardPoints
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Automating and Reducing the Duration of Initial Data Transformation
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
- Integrating CTE with a Kafka
CTE Agent Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with Microsoft DFSR
  - Overview
  - Terminology and Topology
  - Configure DFS(R)
  - CTE Configuration Workflow
  - Creating Required DFS(R) Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFS(R)
    - Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFS(R) Full Mesh Topology
  - Using the LDT Encryption Method
    - Creating a CTE-LDT Policy for DFS(R)
    - Creating a LDT GuardPoint for DFS(R)
    - CTE QoS Throttling and Rekey Scheduling
  - Troubleshooting
  - CTE Client Groups
- Encrypt Active Directory Database with Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- Encrypt Microsoft OneDrive files with CTE
- Setting up Microsoft DPM with CTE

CipherTrust Transparent Encryption Agent
Integrations and Solutions
CTE Agent Windows Integration Guides
CTE with Microsoft DFSR
Overview

Overview

This section details the CipherTrust software suite and will act as an operational (run book) guide for managing the CipherTrust security environment. It contains the steps to configure CTE agent on a Windows Server host running Microsoft Distributed File System (DFS) with Replication.

Microsoft introduced the Distributed File System in Server 2003 as a value-add for customers seeking low-cost data resiliency across high-latency, low-bandwidth WAN links. DFS is a free feature included with all subsequent versions of Windows Server software. DFS uses a namespace architecture where nested data folders use a replication service to synchronize similar data directories on 2 or more servers. Architects choose this model to ensure fault tolerance, preserve active uptime and to improve access performance by spreading the workload across many servers: client requests are routed to the nearest DFS folder for a given namespace. CTE began supporting DFS(R) starting with Windows 2012 R2 and continues to do so through Windows 2022 and subsequent versions.

Use this document for guidance on encrypting DFS data depending on how it is currently deployed. It contains a number of scenarios, often highlighting important configuration considerations applicable for the project. Before encrypting any DFS data, however, Thales Support assumes that the customer has made a backup of the latest production data, has a good understanding of their own DFS(R) deployment and has a fully-developed encryption plan.

The information listed here details best practices and tool sets when using encryption for DFS data. It starts by defining the terms and layouts for this technology and ends by reviewing common problems that may compound DFS(R) encryption and troubleshooting tips.

CTE Encryption Methods

CTE supports two encryption methods:

Standard offline data transformation

Where the data is unavailable while it is being encrypted or rekeyed.
Live Data Transformation

Where the data is encrypted and rekeyed in the background while it remains accessible to users. This method requires a separate license for the LDT feature.

While DFS(R) policies have some unique required components, the basic policy and GuardPoint creation process is identical to non-DFS(R) environments. For details about offline data transformation, see the CTE Data Transformation Guide. For details about LDT, see the CTE Live Data Transformation with CipherTrust Manager.

Considerations with DFS(R)

If you are using CTE in a DFS(R) environment, keep in mind the following:

You should always back up your data prior to beginning the encryption process and you should have a full backup of the data in the hub server before you restore a spoke.
You cannot place a GuardPoint anywhere on the boot drive, so if your DFS(R) replication point is currently C:\, or a directory under C:\ such as C:\data\, you need to move that data and its replication point to a new volume on the server before you can encrypt it.
If you are backing up your DFS data, make sure that your backup software is not backing up the archive bit. File replication is triggered by file version change or a modified time stamp. As such, there is a chance that updating the archive bit may cause issues that trigger a replication storm, which will then put a heavy encryption load on the servers.
You must add the CTE GuardPoint at or above the level of the DFS(R) replication point. For example:
- If the replication point is D:\, the CTE GuardPoint must also be at D:\. Adding a GuardPoint on a directory in D:\, such as D:\data\, will fail.
- If the replication point is D:\data\, you can add a GuardPoint at D:\data\ or D:\, but you cannot add a GuardPoint on a subdirectory of D:\data\ such as D:\data\HR-files\.
When you set a replication point, Microsoft automatically creates a private directory called <dir name>\DfsrPrivate that resides with that replication point. For example, if the replication point is set on D:\, the private directory would be D:\DfsrPrivate. If the replication point is set on D:\data\, the private directory would be D:\data\DfsrPrivate.

How this private directory must be handled depends on the the encryption method that you are using.
- For Standard encryption, you must guard the private directory with the same policy that you use for the main GuardPoint. If the GuardPoint is at the root of the volume (for example, D:\), this happens automatically. But if you are guarding a specific directory, such as D:\data\, you need to create a second GuardPoint using the same policy on D:\data\DfsrPrivate.
- For LDT, you must guard the private directory with the same policy that you use for the main GuardPoint, even if the GuardPoint is at the root level. (For example, you must have a GuardPoint for both D:\ and D:\DfsrPrivate\.) In addition, you must exclude this directory from LDT processing.
The policy you specify for a DFS(R) GuardPoint cannot contain a resource set in any of the key rules included in the policy. All files in the guarded directory, and its subdirectories, must be encrypted with the same encryption key without exception. Additionally, if you rekey the GuardPoint, all files must be rekeyed with the same encryption key.
If you want to change from one encryption key to an entirely different encryption key (as opposed to rekeying the data with a new version of the existing key), you must decrypt the data and remove all existing GuardPoints so that you have a clean environment. Then you can start the CTE encryption process over from the beginning.

Caution

You cannot change from one encryption key to another if any of the existing data is still encrypted with the old key. If you attempt to do so, you may encounter data replication errors and you may need to delete the entire volume and recreate it.

When CTE encrypts data on a node, the encrypted data must be replicated to other nodes in the configuration. This may result in increased replication activity on the network.

On this page

CipherTrust Transparent Encryption Agent

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com