dataxform and Linked Files
When using dataxform, protected host administrators must be aware of how the utility treats linked files—files for which two or more directory entries point to a single data image. In general, the utility encrypts and rekeys linked files correctly, but because links can cross GuardPoint boundaries, administrators must know where links exist and how the utility handles them before transformation. A hard link is a directory entry that points to a file inode to which one or more other directory entries in the same file system also point. A soft link is a file whose data consists of the path name of another file in the same or a different file system.
The dataxform utility can detect that a directory entry is a hard or soft link. It transforms any file with multiple hard links to it when it first encounters any of the links to the file. Thereafter, it skips the already-transformed file, and creates a skipped log entry. This is not an error, but an indication that dataxform recognizes that it has already transformed the file’s data. Soft links are simply skipped.
There are two situations with linked files in which data corruption can potentially result:
- External links — Links in directories outside a GuardPoint that point to files in directories within the GuardPoint.
- Links to external files — Links in directories protected by a GuardPoint that point to files in directories outside the GuardPoint.
In these cases, the CTE Agent does not have complete control over application access to file data. For example, in a GuardPoint that protects a directory sub-tree (rather than a mount point), if a hard link in a directory outside the GuardPoint points to a file within the GuardPoint, the CTE Agent does not see every access to the file’s data. If the file is opened through the external link and data is written to it, the GuardPoint does not intercept the writes, and no encryption occurs. If the file is later opened through the protected path, and the data written from outside is read, the CTE Agent decrypts it, even though it was never encrypted. This situation does not occur with GuardPoints that protect entire file systems, because hard links can only refer to file data within the same file system name space as the files to which they point.
This problem does not occur with an external soft link, because a file opened through a soft link in a directory outside the GuardPoint is ultimately opened through its actual path, which lies within a protected directory.
Similarly, if a hard link in a protected directory refers to file data outside the GuardPoint, the dataxform kernel component opens it and transforms the data in it. If the file is subsequently opened through a path outside the GuardPoint, data is not decrypted as it is read, and therefore appears corrupt to applications. If applications access the file from outside the GuardPoint and write data to it, the GuardPoint intercepts subsequent reads through the link, and the CTE Agent decrypts data that was never encrypted.
To assist protected host administrators in dealing with linked files, the dataxform utility includes a facility for listing the hard linked files within a GuardPoint. Administrators can analyze these lists to determine whether the links cross GuardPoint boundaries and therefore represent potential for operational errors and data corruption.
See Checking for Hard-Link Files Inside the GuardPoint with dataxform for more information.
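The following shell script is an added example, not part of dataxform or the CTE Agent, showing how an administrator can check a candidate GuardPoint directory for hard links that cross its boundary before transformation. It uses only find(1), treats the GuardPoint as a plain directory (no agent is involved), and builds a constructed directory tree under a temporary root that reproduces both risky cases from the text: an external hard link to a protected file, and a protected hard link to an external file. A soft link from outside is also created to show that it is not reported, since it resolves through the protected path.

```shell
#!/bin/sh
# Added example (not dataxform's own listing facility): audit hard links that
# cross a GuardPoint boundary using find(1). The GuardPoint path is a plain
# directory here; the CTE Agent is not involved. Demo data is constructed.

# list_cross_links GUARDPOINT FSROOT
# For every regular file under GUARDPOINT with more than one hard link, print
# one line "INSIDE_PATH OUTSIDE_PATH" for each hard link to the same inode that
# lives outside GUARDPOINT on the same file system (-xdev keeps the search on
# one file system, which is where hard links can exist). Soft links are not
# listed: they are type "l", not "f", and resolve through the protected path.
list_cross_links() {
    gp=$1
    fsroot=$2
    find "$gp" -xdev -type f -links +1 | while read -r inside; do
        find "$fsroot" -xdev -type f -samefile "$inside" ! -path "$gp/*" \
            | while read -r outside; do
                printf '%s %s\n' "$inside" "$outside"
            done
    done | sort -u
}

# count_cross_links GUARDPOINT FSROOT: number of boundary-crossing link pairs.
count_cross_links() {
    list_cross_links "$1" "$2" | wc -l | tr -d ' '
}

# setup_demo: build a constructed tree and print its root. Layout:
#   guardpoint/data/records.db  hard-linked to guardpoint/data/records.bak
#                               (inside to inside: fine) and to
#                               outside/records.db (external link: risk)
#   outside/records.lnk         soft link to records.db (safe: resolves via
#                               the guarded path, so it is not reported)
#   outside/staff.txt           hard-linked to guardpoint/data/staff.txt
#                               (link to external file: risk)
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/guardpoint/data" "$root/outside"
    printf 'payroll\n' > "$root/guardpoint/data/records.db"
    ln "$root/guardpoint/data/records.db" "$root/guardpoint/data/records.bak"
    ln "$root/guardpoint/data/records.db" "$root/outside/records.db"
    ln -s "$root/guardpoint/data/records.db" "$root/outside/records.lnk"
    printf 'staff\n' > "$root/outside/staff.txt"
    ln "$root/outside/staff.txt" "$root/guardpoint/data/staff.txt"
    echo "$root"
}

# demo: run the audit over the constructed tree, then clean up.
demo() {
    root=$(setup_demo)
    echo "Hard links crossing the GuardPoint boundary under $root:"
    list_cross_links "$root/guardpoint" "$root"
    echo "pairs found: $(count_cross_links "$root/guardpoint" "$root")"
    rm -rf "$root"
}

demo
```

Each reported pair is one inside path and one outside path to the same inode, so a file with two protected names and one external name appears twice; any non-empty output means the GuardPoint should be widened to the whole file system, or the external links removed, before running dataxform. Run `list_cross_links /path/to/guardpoint /` on a real host to audit a planned directory-level GuardPoint.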