Running Automatic Data Transformation
You can automatically transform your GuardPoint data by creating a dataxform policy and placing a file called dataxform_auto_config
in the top-level directory of the GuardPoint.
The dataxform_auto_config
file consists of one or two lines. The first line is mandatory. It specifies an internally used version number. Currently, the internal version number is 1
. Set the first line to “version=1
”. The second line is optional. The second line lists additional dataxform parameters. By default, dataxform executes the --rekey
and --gp
options. These options rekey all the files in the GuardPoint. Do not enter the --rekey_list
, --file_list
, or --gp
options in the dataxform_auto_config
file. An example dataxform_auto_config
file is shown below:
version=1
--thd 4 --preserve_modified_time
Automatic Data Transformation Notes and Limitations
-
Low-power systems can run out of memory while running dataxform. If entries like "
[VMD] [ERROR] [1933564] [DXF4328E] Kernel component gave unexpected status 4.
" and "[VMD] [ERROR] [3670108] [DXF4300E] Out of Memory
" are sent to the system messages file, lower the--thd
parameter value. It will take longer to run, but dataxform will use less memory and should complete successfully. -
Automatic dataxform processes directories and files according to the native sort order of the system. Automatic dataxform is aware of the files currently being processed. If the automatic dataxform process is interrupted, you can restart it and it will resume from roughly where it had left off. It will resume within a range of files generally equal to the number of open threads that were running, using the files listed in
./dataxform_status-_gp
and./dataxform_status-alt-_gp
, and based on the system sort order. We strongly recommend that no one access the GuardPoint during data transformation because depending where dataxform is in the list of directories and files to process, the directories and files that you create can be skipped, and changes that you make to the files can go unnoticed. You will then have to manually transform the new or modified files. Additionally, if you do not configure manual dataxform properly, it is easy to rekey a file twice, thus corrupting that file. Automatic dataxform, on the other hand, is easier to recover.
To run automatic dataxform
-
Back up and block all access to the GuardPoint.
-
Create a
dataxform_auto_config
file. -
Log on to the Management Console as an administrator of type Security Administrator with
Host
role permissions or type All. -
Open the GuardPoint tab of the host with the GuardPoint to be transformed. The applied policies and GuardPoints of the host are displayed.
-
Unguard the GuardPoint that is currently in effect. Select the Select option for the GuardPoint. Click Unguard.
-
(Optional) Enter the
df
command on the host system repeatedly until the secfs mount for the GuardPoint is no longer displayed, or execute the “secfsd -status guard
” command repeatedly until the GuardPoint is no longer displayed. -
Copy the
dataxform_auto_config
file into the GuardPoint. Data transformation should start within seconds. -
Apply the dataxform policy to the now disabled GuardPoint.
(Optional) Execute the “
secfsd -status guard
” command repeatedly on the host system until the GuardPoint and rekey policy are displayed. You can also keep clicking the Refresh button in the Edit Host window, GuardPoint tab, until the green status ball is displayed. -
(Optional) Monitor dataxform progress on the host system.
# tail -f /var/log/vormetric/vordxf_path_usr.log
-
Check log files to verify successful dataxform completion.
The
/var/log/vormetric/vordxf_path_usr.log
file lists the success or failure of dataxform, the files that were affected, and the actions taken. Refer to Using dataxform_status* Files for details.Check the rekey status in the Logs window.
-
Disable or delete the dataxform policy. Reboot the host if you cannot disable or delete the rekey policy.
-
Delete the
dataxform_auto_config
file from the GuardPoint.If you do not delete the
dataxform_auto_config
file, the next time you apply a rekey policy to the GuardPoint, data transformation will begin immediately. It is better to copy the file into the GuardPoint when you are ready. -
Apply a production policy to the GuardPoint. If the dataxform policy used an encryption key, be sure to use the same key in the production policy.
Caution
Do not apply a policy that is configured for encryption to a directory that contains unencrypted files because, when apply_key
is configured, the unencrypted files are encrypted when they are accessed. The data will be unusable if read and corrupted if saved.