Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Keys in LDT (Versioned Keys)
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
    - Policy and GuardPoint Management
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Recovering a Failed or Incomplete dataxform Session

A dataxform session can fail for different reasons: dataxform can be canceled, the process is killed, the system crashes, and so on. The recovery process is similar for manual and automatic dataxform.

For more information, see:

Restarting an Incomplete Automatic dataxform Session
Recovering from a Failed dataxform Session
Avoiding Double Encryption

Restarting an Incomplete Automatic dataxform Session

Although unlikely, if an automatic dataxform session fails to complete, your intervention may be required to allow it to resume.

In the case of a system restart--for example after a power failure--the automatic session will be resumed when the GuardPoint is mounted during the boot sequence. However, if the dataxform session terminated unexpectedly (for example, if the session had been killed), then the system will not restart it automatically, and the GuardPoint status needs to be reset so that another automatic session will be initiated.

The following steps reset the GuardPoint status:

Verify that the session really has terminated unexpectedly by verifying that no existing dataxform process is running. Use the standard system tools (ps or task manager).
From your key manager, disable the GuardPoint, then wait until the GuardPoint status on the CTE Agent no longer lists the GuardPoint.
From your key manager enable the GuardPoint.

An automatic dataxform session will start soon after this, and the session will continue from where it previously stopped.

Recovering from a Failed dataxform Session

The following is an example of how to recover from a failed dataxform session. The GuardPoint in this example is /opt/apps/dx9.

A manual dataxform session is run, then canceled using Ctrl-c:

# dataxform --rekey --nq --print_stat --preserve_modified_time --gp /opt/apps/dx9

Response

Checking if data transform is supported for guard point /opt/apps/dx9
Data transformation is supported on /opt/apps/dx9
About to perform the requested data transform operation
-- Be sure to back up your data
-- Do not access files in the guard point during the transform process
-- Please do not attempt to terminate the application
Scan found 10003 files (273 KB) in 5 directories for guard point /opt/apps/dx9
The current operation took 0 hours, 0 minutes and 2 seconds
Shutting down data transform: received fatal signal 2
Transformed 1126 files (24 KB) of 10003 files (273 KB) for guard point /opt/apps/dx9
The current operation took 0 hours, 0 minutes and 7 seconds
Data transform got errors on some files
The file /opt/apps/dx9/datafile931 could not be transformed, a signal stopped the data transform
The file /opt/apps/dx9/datafile1102 could not be transformed, a signal stopped the data transform
The file /opt/apps/dx9/datafile1121 could not be transformed, a signal stopped the data transform
The file /opt/apps/dx9/datafile1100 could not be transformed, a signal stopped the data transform
The file /opt/apps/dx9/datafile1120 could not be transformed, a signal stopped the data transform
The file /opt/apps/dx9/datafile1132 could not be transformed, a signal stopped the data transform
Number of files in error due to a signal stopping the dataxform: 6
The data transform operation took 0 hours, 0 minutes and 7 seconds
Could not complete data transform for guard point /opt/apps/dx9, data transform was interrupted by a signal
Data transform for guard point /opt/apps/dx9 finished but 6 files were not processed due to errors

The dataxform_status-_opt_apps_dx9, dataxform_status_error-_opt_apps_dx9, and dataxform_dir_list-_opt_apps_dx9 files are created in the log directory, or the GuardPoint, depending on the command line options. By default, all status and log files go to /var/log/vormetric. If --status_gp was included on the command line, the status files go in the GuardPoint.

The dataxform session log file, /var/log/vormetric/vordxf-_opt_apps_dx9_root.log, is updated. It displays the same basic information as displayed on the terminal screen.

The dataxform messages indicate that the session had been interrupted and that a number of files (6) are in an unknown state due to the interruption.
You may optionally use the --recovery option to generate a set of files that track the progress dataxform made in the GuardPoint (see later). However this step is not required and can be deferred until after a new dataxform session has been run to transform the remaining files.

Resume the data transformation run, using the same command as you used to start it before.

dataxform --rekey --nq --print_stat --preserve_modified_time --gp /opt/apps/dx9

Response

Checking if /opt/apps/dx9 is a guard point with a rekey policy applied /opt/apps/dx9 is a guard point with a rekey policy applied
Automatic data transform status for /opt/apps/dx9: previous attempt did not complete
Note: data from a previous dataxform run is being used
About to perform the requested data transform operation
-- Be sure to back up your data
-- Please do not attempt to terminate the application
Scan found 10003 files (273 KB) in 5 directories for guard point /opt/apps/dx9
Transformed 10001 files (273 KB) of 10003 files (273 KB) for guard point /opt/apps/dx9
Data transform got errors on some files
The file /opt/apps/dx9/datafile931 could not be transformed, it was in progress in the previous data transform
The file /opt/apps/dx9/datafile1102 could not be transformed, it was in progress in the previous data transform
The file /opt/apps/dx9/datafile1121 could not be transformed, it was in progress in the previous data transform
The file /opt/apps/dx9/datafile1100 could not be transformed, it was in progress in the previous data transform
The file /opt/apps/dx9/datafile1120 could not be transformed, it was in progress in the previous data transform
The file /opt/apps/dx9/datafile1132 could not be transformed, it was in progress in the previous data transform
The data transform operation took 0 hours, 0 minutes and 7 seconds
Could not complete data transform for guard point /opt/apps/dx9, data transform was interrupted by a signal
Data transform for guard point /opt/apps/dx9 finished but 6 files were not processed due to errors

If for some reason this session also did not complete, performing the same operation again should continue from where the previous session ended. The status records are accumulated across each session.

Warning

Do not run the --recovery option more than once, as a second run may overwrite vital information required to recover any files that did not transform correctly.

Use the --recovery option to generate a set of files that track the progress dataxform made in the GuardPoint.

dataxform --recovery --gp /opt/apps/dx9

Response

Number of files previously in error due to a signal stopping the dataxform: 6
Scan found 10010 files (273 KB) in 6 directories for guard point /opt/apps/dx9
Generating list of files previously transformed on /opt/apps/dx9
Data transform got errors on some files
The file /opt/apps/dx9/datafile931 was previously in error. A signal stopped the dataxform
The file /opt/apps/dx9/datafile1102 was previously in error. A signal stopped the dataxform
The file /opt/apps/dx9/datafile1121 was previously in error. A signal stopped the dataxform
The file /opt/apps/dx9/datafile1100 was previously in error. A signal stopped the dataxform
The file /opt/apps/dx9/datafile1120 was previously in error. A signal stopped the dataxform
The file /opt/apps/dx9/datafile1132 was previously in error. A signal stopped the dataxform
Number of files in error due to a signal stopping the dataxform: 6
The dataxform_files_todo-_opt_apps_dx9 and dataxform_files_done-_opt_apps_dx9 are created, and the /var/log/vormetric/dataxform_status-_opt_apps_dx9 file may be updated.

Use those files later to determine which files in the GuardPoint have not been transformed.

cat dataxform_status-_opt_apps_dx9

Response

version=5
status=done
operation=rekey
current=
0 in-progress files
seqno=2
hmac=5449453CBAEFCC01EC02542650D8C1040D762D213829F8B3CF967DC578320A475F705C11D3BAF74D588630CE8078AF46

This file indicates that the dataxform session had completed.

The /var/log/vormetric/vordxf-_opt_apps_dx9_root.log file is updated. It displays the same basic information displayed on the terminal screen.

The primary files of interest are dataxform_files_todo-_opt_apps_dx9, dataxform_files_done-_opt_apps_dx9, and dataxform_status_error-_opt_apps_dx9.

dataxform_files_done-_opt_apps_dx9 lists the files that dataxform rekeyed successfully. Leave these files alone.

Note

If more than one session restart was required to complete the dataxform run, there may be repeated entries in the above list.

dataxform_status_error-_opt_apps_dx9 lists the files that were being processed at the time an error occurred—for example, when dataxform was interrupted in the above example. These are the files that have to be checked individually to determine if they had been processed. They may or may not have been completely processed.
```
cat dataxform_status_error-_opt_apps_dx9
```

Response

Error, was in progress during a previous session: /opt/apps/dx9/datafile931
Error, was in progress during a previous session: /opt/apps/dx9/datafile1102
Error, was in progress during a previous session /opt/apps/dx9/datafile1121
Error, was in progress during a previous session: /opt/apps/dx9/datafile1100
Error, was in progress during a previous session: /opt/apps/dx9/datafile1120
Error, was in progress during a previous session: /opt/apps/dx9/datafile1132

dataxform_files_todo-_opt_apps_dx9 lists the files that dataxform had not touched and are yet to be transformed, and any files for which a transform was attempted but for some reason failed.
```
cat dataxform_files_todo-_opt_apps_dx9
```

Response

/opt/apps/dx9/datafile931
/opt/apps/dx9/datafile1100
/opt/apps/dx9/datafile1102
/opt/apps/dx9/datafile1120
/opt/apps/dx9/datafile1121
/opt/apps/dx9/datafile1132

    head -12 dataxform_files_done-_opt_apps_dx9

Response

/opt/apps/dx9/datafile1
/opt/apps/dx9/datafile2
/opt/apps/dx9/datafile3
/opt/apps/dx9/datafile4
/opt/apps/dx9/datafile5
/opt/apps/dx9/datafile6
/opt/apps/dx9/datafile7
/opt/apps/dx9/datafile8
/opt/apps/dx9/datafile9
/opt/apps/dx9/datafile10
/opt/apps/dx9/datafile11
/opt/apps/dx9/datafile12

Unguard the GuardPoint with the rekey policy through your key manager. Do not re-apply the regular policy because you are not able to use the in the GuardPoint. A proper rekey policy restricts access to all the files in the GuardPoint. You have to disable the rekey policy so you can access all the files in the GuardPoint and determine their transformation status.
At this point, you should restore the files that were named in the error listing above from a backup, and run a transformation session for just these files, using the "todo" list (dataxform_files_todo-_opt_apps_dx9) to select which files are to be transformed. However, depending on the exact nature of the error reported, some entries may need to be removed from the "todo" list, for example, if somehow a file no longer exists, then attempting to transform it again will obviously not work.
If you are running automatic dataxform, remove the dataxform_auto_conf file from the GuardPoint.
Re-apply the rekey policy to the GuardPoint, but first be sure that your current directory is not the GuardPoint.

Verify that the policy has been successfully re-applied.

secfsd -status guard

Response

GuardPoint Policy Type ConfigState Status Reason
---------- ------ ---- ----------- ------ ------
/opt/apps/dx1 allowAllOps_fs local guarded guarded N/A
/opt/apps/dx3 denyAllOps_fs local guarded guarded N/A
/opt/apps/dx4 allowAllOps_fs local guarded guarded N/A
/dev/dsk/c0t0d0s7 allowAllOps_rd rawdevice guarded guarded N/A
/opt/apps/dx9 clear_to_aes128_dx local guarded guarded N/A

Run dataxform on just the files in the todo list. For example:

dataxform --rekey_list --file_list var/log/vormetric/dataxform_files_todo-_opt_apps_dx9 --nq --print_stat --preserve_modified_time --gp /opt/apps/dx9

Response

Checking if data transform is supported for guard point /opt/apps/dx9
Data transformation is supported on /opt/apps/dx9
Previous status information does not relate to a --rekey_file operation.
About to perform the requested data transform operation
-- Be sure to back up your data
-- Please do not access files in the guard point during the
transform process
-- Please do not attempt to terminate the application
Starting data transform of /opt/apps/dx9 for files listed in
/var/log/vormetric/dataxform_files_todo-_opt_apps_dx9
The data transform operation took 0 hours, 1 minutes and 20 seconds
bash-3.00#

In this case the dataxform completes successfully. The error file was removed because no errors were encountered in the rekey process.

Unguard the rekey policy.

If you are satisfied with the successful completion, clean up the files left by the rekey process.

# dataxform --cleanup --gp /opt/apps/dx9
About to remove the data transformation status files
Do you wish to continue (y/n)? **y**

Apply a regular policy that uses the applied key.
Check that the access controls and encryption keys configured in the policy are working as expected.

Avoiding Double Encryption

Scenarios can occasionally occur that can lead to double-encryption. This can be caused by various different issues such as:

Attempts to run Data Transformation twice on the same content, using the same policy, so on the second transformation it attempted to encrypt the file with the target key, not the source key
Bad restore attempt
Files incorrectly copied into a GuardPoint
Procedural problem with encrypting the GuardPoint
The file is unencrypted, or encrypted without a header, and the policy assumes that the file must be encrypted with a header
The file is corrupted, in which case you need to recover the file from a backup method
The wrong transform policy was used, so you need to change the policy

CipherTrust Transparent Encryption UserSpace has added two error messages to help avoid the double-encryption scenario. They are:

Invalid header
Wrong key

Invalid Header

If Data Transformation is converting from an encrypted state and its header has been corrupted, the following message displays as the file is being processed:

The file (filename) has an invalid header; skipping

At the end of the dataxform run, it will display another message for each file skipped, and a count of the number of files skipped:

The file (filename) was skipped. It has an invalid header
Number of files skipped due to an invalid header: (count)

Encrypted with Incorrect Key

If converting from an encrypted state and the encryption key of a file does not match the initial key in the transform rule, the following message displays as the file is being processed:

The file (filename) was skipped. It is encrypted with a wrong key

At the end of the dataxform run, it displays another message for each file skipped, and a count of the number of files skipped:

The file (filename) was skipped. It is encrypted with a wrong key
Number of files skipped due to a wrong key: (count)

Recovering a Failed or Incomplete dataxform Session

Restarting an Incomplete Automatic dataxform Session

Recovering from a Failed dataxform Session

Avoiding Double Encryption

Invalid Header

Encrypted with Incorrect Key

On this page

Suggest A Change