The CTE dataxform Utility Transformation Method
The CTE dataxform utility transforms data in place and contains two components:
- A user-mode component that controls the overall operation.
- A kernel-mode component that transforms files block by block.
Figure 1-5: Offline Rekey
Transforming data in place has two important advantages:
- Minimal storage requirements — Because dataxform transforms files in place, where they reside, it does not require temporary file storage. However, the utility does need storage in which to create a list of files for transformation.
- Security — The period during which data transformed by the dataxform utility appears in memory, outside the GuardPoint and therefore unprotected, is shorter than with copying. This is significant for rekeying: copying, by contrast, holds clear file data in memory between reading and rewriting. Moreover, dataxform requires coordination between the administrator of the protected host and the Security Administrators for your key manager, so that no single individual can subvert security during transformation.
Offsetting these advantages is the complexity of recovering from an interrupted dataxform run. Because dataxform transforms files in place, a file undergoing transformation at the time of a failure may be only partly transformed, and there is no way to determine from the file itself which blocks have been transformed and which have not. Such files must be recreated from a backup copy after the dataxform run. The protected host administrator must determine (by examining the dataxform logs) which files may have been incompletely transformed, delete them from the transformed file set, and recreate them by selective copying from a backup.
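The following simulation, added here as an illustration and not taken from CTE or the dataxform utility, shows why an interrupted in-place rekey leaves a file whose block states cannot be told apart, and why the per-file run log is what the administrator has to rely on. The XOR "cipher", the 16-byte keys, the 4096-byte block size, the three files and the START/DONE log events are all constructed stand-ins: the run "crashes" two blocks into the second file, the log identifies that file as incomplete, and recovery restores it from the pre-rekey backup and transforms it again.

```python
"""Constructed simulation of in-place, block-by-block rekeying and of recovering
from an interrupted run.  Added illustration only: this is not CTE dataxform code,
and the XOR 'cipher' is a toy stand-in chosen so the script runs offline."""
import os
import tempfile

BLOCK_SIZE = 4096
OLD_KEY = b"old-key-01234567"  # constructed 16-byte toy keys; 16 divides BLOCK_SIZE,
NEW_KEY = b"new-key-89abcdef"  # so per-block and whole-file XOR line up


class InterruptedRun(Exception):
    """Stands in for a crash or power loss in the middle of a transformation."""


def toy_xor(data: bytes, key: bytes) -> bytes:
    # Toy keystream: XOR with the key repeated.  Encrypt and decrypt are the same op.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rekey_file_in_place(path, old_key, new_key, log, fail_after_blocks=None):
    """Rewrite `path` block by block: decrypt each block with old_key, re-encrypt
    it with new_key and write it back to the same offset (no temporary copy).
    `log` collects (event, path) tuples, standing in for the utility's run log.
    When fail_after_blocks is set, the run aborts after that many blocks."""
    log.append(("START", path))
    with open(path, "r+b") as f:
        index = 0
        while True:
            f.seek(index * BLOCK_SIZE)
            block = f.read(BLOCK_SIZE)
            if not block:
                break
            if fail_after_blocks is not None and index >= fail_after_blocks:
                raise InterruptedRun(path)
            f.seek(index * BLOCK_SIZE)
            f.write(toy_xor(toy_xor(block, old_key), new_key))
            index += 1
    log.append(("DONE", path))


def incomplete_files(log):
    """Files started but never logged DONE: the set the administrator must delete
    and recreate from backup.  Nothing in the file bytes marks which key a block
    is under, so the log is the only evidence available."""
    started = {p for ev, p in log if ev == "START"}
    done = {p for ev, p in log if ev == "DONE"}
    return sorted(started - done)


def blocks_readable_with(path, key, plaintext):
    """Per-block check against the known plaintext.  Only the simulation can do
    this; an operator recovering a real file has no plaintext to compare with."""
    with open(path, "rb") as f:
        data = f.read()
    return [toy_xor(data[i:i + BLOCK_SIZE], key) == plaintext[i:i + BLOCK_SIZE]
            for i in range(0, len(data), BLOCK_SIZE)]


def run_demo(fail_after_blocks=2):
    tmpdir = tempfile.mkdtemp()
    plaintext, backup = {}, {}
    sizes = {"a.dat": 3, "b.dat": 5, "c.dat": 2}  # constructed files, sizes in blocks
    for name, nblocks in sizes.items():
        path = os.path.join(tmpdir, name)
        plaintext[path] = os.urandom(nblocks * BLOCK_SIZE)
        backup[path] = toy_xor(plaintext[path], OLD_KEY)  # pre-rekey backup copy
        with open(path, "wb") as f:
            f.write(backup[path])
    a, b, c = paths = sorted(plaintext)

    log = []
    try:
        for path in paths:
            fail = fail_after_blocks if path == b else None
            rekey_file_in_place(path, OLD_KEY, NEW_KEY, log, fail_after_blocks=fail)
    except InterruptedRun:
        pass  # the run stops here; c.dat is never reached

    result = {
        "incomplete": [os.path.basename(p) for p in incomplete_files(log)],
        "a_readable_with_new_key": all(blocks_readable_with(a, NEW_KEY, plaintext[a])),
        "b_blocks_under_new_key": blocks_readable_with(b, NEW_KEY, plaintext[b]),
        "c_still_under_old_key": all(blocks_readable_with(c, OLD_KEY, plaintext[c])),
    }

    # Recovery as the text describes: delete the partly transformed file, restore it
    # from the pre-rekey backup, then transform it (and the never-reached file) again.
    for path in incomplete_files(log) + [c]:
        os.remove(path)
        with open(path, "wb") as f:
            f.write(backup[path])
        rekey_file_in_place(path, OLD_KEY, NEW_KEY, log)
    result["all_readable_after_recovery"] = all(
        all(blocks_readable_with(p, NEW_KEY, plaintext[p])) for p in paths)
    result["incomplete_after_recovery"] = [os.path.basename(p) for p in incomplete_files(log)]
    return result


if __name__ == "__main__":
    print(run_demo())
```

Running the script shows b.dat with its first two blocks readable under the new key and the remaining three only under the old key, while a.dat reads cleanly under the new key and c.dat is untouched. The point of `blocks_readable_with` is that it cheats: it needs the plaintext, which an administrator does not have, so in practice the START-without-DONE entries in the log are the whole basis for deciding which files to delete and restore.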