Encrypting NAS NFS with CTE Linux using LDT policies
This reference page describes the initial migration and key rotation when encrypting data in a shared NAS folder exported over NFS, using CTE, with Live Data Transformation (LDT) policies for defining the client behavior for data transformation.
Setup and Assumptions for this example
- Configure LDT over NFS on 4 nodes installed with CTE v7.6, or a subsequent version, with valid LDT licenses.
- All CTE agents have LDT enabled and are registered to a CipherTrust Manager with v2.16.0.
- The NFS server is set up and a path is exported. For this example we used:
  Path: /opt/testData/sharedFolder/
  NFS server IP: 10.1.1.1
- Mount a path on the CTE client, for example: /root/test_nfs/
- Test the path from the client machine using the command:
  showmount -e <NFS_server_IP_address>
- In CTE, create a few folders and sample files to contain data inside this mounted path.
Setup
- Set up a CTE agent registered to a CipherTrust Manager with the latest version for the initial encryption and access.
- Log on to CipherTrust Manager, click Products -> Transparent Encryption, and add the CTE agents as clients if not already added.
- Make these clients part of an LDT Communication Group. Ensure that all of the clients that will access the same NFS GuardPoint are contained in the same LDT Communication Group.
- Click Client Group and add this client, and any other clients, as members of the Client Group.
- In the CTE navigation pane, click Policies -> Policy Elements and create a resource set.
- Click Policies and create an LDT policy:
  - Create a Security Rule with a user set. Select the following for your security rule:
    - uname: cte-linux-userset
    - Action: all-ops
    - Effect: permit, applykey
  - Create a Key Rule with the following:
    - Current Key: clear_key
    - Transformation Key: Create a new CBC_CS1 key and select it as the Transformation Key
- In CTE, check that the agents are configured properly and verify the LDT Communication Group information, type:
  voradmin ldt group comm_info
- On CipherTrust Manager, set up the GuardPoint:
  - Mount a path on the client machine, for example: /root/test_nfs/EM_Team/CTE/GP1
  - Choose the policy you created above.
  - Select Auto Directory.
  - In the Client Group that you created, create a GuardPoint.
The GuardPoint is now created on CipherTrust Manager.
Key Rotation
Adding a new key version on the CipherTrust Manager triggers the key rotation on the guarded path(s) at the agent. The key rotation operation generates a new version of the key with the same key name and attributes, but with new key material.
To add a new key version:
- Open the CipherTrust Manager Key Manager application.
- In the left pane, click Keys.
- Select the desired key.
- Click Add a new key version. The key version is rotated.
- On the CTE agent, you can track the rekey:
  voradmin ldt attr get <GP path>
Access and Verification
- On the CTE client, check the logs for new policies and GuardPoints, type:
  # secfsd -status guard
  The new GuardPoint should be listed as Active.
- Access the NFS share directly on the NAS server. Access any file within the GuardPoint as a user other than root. Observe that it is encrypted, type:
  # cat <fileName>
- Access the NFS share as the root user. Verify that you can read and write the file.
- Check the LDT rekey status, type:
  # voradmin ldt attr get <GP path>
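The "observe that it is encrypted" and "verify that you can read" checks above are done by eye with cat. The shell helper below, added here as an example and not part of CTE or the Thales documentation, makes them repeatable: it treats a file as ciphertext when more than 30% of its first 4 KiB is non-printable (an assumed threshold that relies on the sample files being mostly printable text), and verify_views (a hypothetical name) passes only when the GuardPoint view of a file is plaintext while the same file read straight from the NAS export is not.

```shell
#!/bin/sh
# Added helper (not part of CTE): decide heuristically whether a file is
# ciphertext by counting non-printable bytes in its first 4 KiB. Assumes the
# sample data files are mostly printable text, so once LDT has transformed
# them the copy seen directly on the NAS fails the test while the same file
# read through the GuardPoint as root passes it.
export LC_ALL=C   # byte-wise classes: [:print:] is then ASCII 0x20-0x7E

sample() {
    # first 4 KiB of the file (dd is POSIX; head -c is not)
    dd if="$1" bs=4096 count=1 2>/dev/null
}

looks_encrypted() {
    file="$1"
    total=$(sample "$file" | wc -c | tr -d ' ')
    [ "$total" -gt 0 ] || return 1            # empty file: nothing to judge
    nonprint=$(sample "$file" | tr -d '[:print:]\n\r\t' | wc -c | tr -d ' ')
    # random-looking bytes are roughly 60% non-printable; plain text is ~0%
    [ $((nonprint * 100 / total)) -gt 30 ]
}

# verify_views <file via GuardPoint path> <same file via direct NAS path>
# succeeds only when the GuardPoint view is plaintext and the NAS view is not
verify_views() {
    gp_view="$1"; nas_view="$2"
    if looks_encrypted "$gp_view"; then
        echo "FAIL: $gp_view reads as ciphertext through the GuardPoint" >&2
        return 1
    fi
    if ! looks_encrypted "$nas_view"; then
        echo "FAIL: $nas_view is still cleartext on the NAS" >&2
        return 1
    fi
    echo "OK: plaintext via GuardPoint, ciphertext on the NAS"
}
```

Run it as root on the client with the GuardPoint path and the plain NFS mount path of the same file, for example verify_views /root/test_nfs/EM_Team/CTE/GP1/file.txt /root/test_nfs/EM_Team/CTE/GP1/file.txt read through a second, unguarded mount of the export.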