Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

User Guides
Integrations and Solutions
CTE Use Cases
Release Notes
Patch Notes
Additional Resources
Previous Releases

All

All

Using CTE with Microsoft SQL

Installing CTE on Microsoft SQL AlwaysOn

Please Note:

Integrations and Solutions
CTE Agent AIX Integration Guides
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent Linux Integration and Solutions Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE and Imperva Database Activity Monitoring (DAM) Simultaneously
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify Devices to be Guarded with IDT-Capable GuardPoints
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Automating and Reducing the Duration of Initial Data Transformation
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
- Integrating CTE with a Kafka
CTE Agent Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
      - Supported FileTables Use Cases
      - Unsupported FileTables Use Cases
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with Microsoft DFSR
  - Overview
  - Terminology and Topology
  - Configure DFS(R)
  - CTE Configuration Workflow
  - Creating Required DFS(R) Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFS(R)
    - Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFS(R) Full Mesh Topology
  - Using the LDT Encryption Method
    - Creating a CTE-LDT Policy for DFS(R)
    - Creating a LDT GuardPoint for DFS(R)
    - CTE QoS Throttling and Rekey Scheduling
  - Troubleshooting
  - CTE Client Groups
- Encrypt Active Directory Database with Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- Encrypt Microsoft OneDrive files with CTE
- Setting up Microsoft DPM with CTE

CipherTrust Transparent Encryption Agent
Integrations and Solutions
CTE Agent Windows Integration Guides
Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
Using CTE with Microsoft SQL
Installing CTE on Microsoft SQL AlwaysOn

Installing CTE on Microsoft SQL AlwaysOn

This section describes how to implement CTE with Microsoft SQL AlwaysOn in a variety of configurations for primary and secondary replica servers, and assumes that you have a basic understanding of Microsoft SQL database.

You may want to keep the primary server decrypted to serve all users, and use the secondary database for running reports or backups.

If the database is encrypted, then the Volume Shadow copy-related backups will snapshot and backup encrypted protected data.
Administrators with the apply_key permission can run a query and pull down reports from the secondary database server without affecting the performance of the primary database server.
The secondary server could be in a remote Data Recovery location. You may want to secure it with encryption.
LDT is supported with SQL AlwaysOn. See Using LDT with SQL AlwaysOn for more information.

Methods for Initial Encryption

There are multiple methods for performing the initial encryption of the databases. Decide on which of the following methods best fits your environment. For more information on transforming data, see the CTE-Live Data Transformation with Data Security Manager.

Data Transformation – Encrypt data in place
Backup and Restore to a GuardPoint
Copy and paste the data into a GuardPoint

Configuration 1

Databases on primary server and secondary replica servers require encryption
Database name and location of secondary replica server are the same as the primary server

To perform the procedure:

Perform a full backup of the primary database.
Change the primary database to offline mode.
Confirm the creation of a data transformation and/or standard policy.
Guard the folder containing the primary database files with that policy:
1. If using 'Encrypt data in place' as the selected method of encryption, execute the data transformation and then apply the standard policy.
2. If using the 'Copy/Restore ' method of encryption, apply the standard policy on an empty folder/device.
On the secondary server, create a new folder to store the replicated database.

Note

The folder name and the path must be the same as the primary server.
Guard the folder with the standard policy.
Perform step 4 above for additional secondary server(s).
Put the primary database back into online mode.
Setup SQL AlwaysOn High Availability group to perform FULL Data Synchronization.

This copies the primary database and replicates it to secondary replica servers.
Verify that the databases in the secondary server are in “Synchronized” mode.

Configuration 2

Database on the primary server does not require encryption, but the secondary replica database requires it
Database names and locations for the secondary replica servers are the same as the primary server

To perform the procedure:

Perform a full backup of the primary database.
Confirm the creation of a data transformation and/or standard policy.
On the secondary server, create a new folder to store the replicated database.

Note

The folder name and the path must be the same as the primary server.
Guard the folder with the standard policy.
Perform step 3 & 4 above for additional secondary server(s).
Setup SQL AlwaysOn High Availability group to perform FULL Data Synchronization.

This copies the primary database and replicates it to secondary replica servers.
Verify that the databases in the secondary server are in “Synchronized” mode.

Configuration 3

Databases on the primary and secondary replica servers require encryption
Database name is the same, but the location of the secondary replica server is in a different location from that of the primary server

To perform the procedure:

Perform a full backup of the primary database.
Change the primary database to offline mode.
Confirm the creation of a data transformation and/or standard policy.
Guard the folder containing the primary database files with that policy:
1. If using 'Encrypt data in place' as the selected method of encryption, execute the data transformation and then apply the standard policy.
2. If using the 'Copy/Restore ' method of encryption, apply the standard policy on an empty folder/device.
On the secondary server, create a new folder to store the replicated database.

Note

The folder name and the path must be the same as the primary server.
Guard the folder with the encryption policy.
From secondary server, perform the restore to the primary database.
1. Select the options Restore with norecovery and Relocate all files to folder.
2. Specify the path of the new folder from step 5.
Repeat steps 4 & 5 above for any additional secondary server(s).
Setup SQL AlwaysOn High Availability group to perform JOIN ONLY Data Synchronization.

This joins the secondary database to the SQL Always High Availability Group. It also establishes replication of new data and logs from the primary to the secondary replicated server.
Verify that the databases in the secondary server are in Synchronized mode.

Configuration 4

Database on the primary server does not require encryption, but the secondary replica database requires encryption
Database name is the same, but the location on the secondary replica server is in a different location than that of the primary server

To perform the procedure:

Perform a full backup of the primary database.
Confirm the creation of a data transformation and/or standard policy.
On the secondary server, create new folder to store the replicated database.
Guard the folder with the standard policy.
From secondary server, perform restore the primary database:
1. Select the options Restore with norecovery and Relocate all files to folder.
2. Specify the path of the new folder from step.
Setup SQL AlwaysOn High Availability group to perform JOIN ONLY Data Synchronization.

Joins the secondary database to the SQL Always HA Group. It also establishes replication of new data and logs from the primary to the secondary replicated server.
Verify that the databases in the secondary server are in Synchronized mode.

Configuration 5

Following is an alternative method for protecting data in a MS SQL Server AlwaysON environment.

To perform the procedure:

Shut down SQL services completely, on the secondary node.

Note

It is important to shut down the secondary node first, in order to keep the assignments the same.
Shut down SQL services completely on the primary node.
Create GuardPoints, using Data Transformation policies, on the directories containing the databases to be encrypted in the primary node.

Note

Perform encrypt-in-place encryption on each directory.
Create GuardPoints, using Data Transformation policies, on the directories containing the databases to be encrypted in the secondary node.

Note

Perform encrypt-in-place encryption on each directory.
Delete the GuardPoints, using Data Transformation policies, from the primary node.
Create GuardPoints, using operational policies, on the four directories in the primary node.
Delete GuardPoints, using Data Transformation policies, from the secondary node.
Create GuardPoints, using operational policies, on the four directories in the secondary node.
Activate SQL services on the primary node.
Activate SQL services on the secondary node.

On this page

CipherTrust Transparent Encryption Agent

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com