Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Data Transformation Overview

Overview of the dataxform Utility

search

Please Note:

printsuggest an editpdf paneldownload

Overview of the dataxform Utility

The dataxform utility is installed on a protected host during CTE Agent installation. The utility:

  • Reads each file block-by-block

  • Uses the production key to decrypt each block

  • Re-encrypts it with the data transformation key

  • Rewrites it to its original location.

The following figure illustrates that transforming data with dataxform requires collaboration between the Protected Host Administrator and the Security Administrator for the key manager with which the host is registered.

copy link to clipboardFigure 1-7: Administrator Collaboration

  1. The protected host administrator disables access to the files to be transformed, by stopping applications and/or databases that use them. They inform the key manager Security Administrator when they are inaccessible.

  2. The key manager Security Administrator creates a dataxform policy with appropriate encryption key(s) and applies it to the GuardPoint.

  3. The protected host administrator runs the dataxform utility on the GuardPoint directory with the appropriate parameters and options, and informs the key manager Security Administrator when the utility completes.

  4. The key manager Security Administrator replaces the dataxform policy with a production/standard policy (or an initial test policy used to create the production policy). These policies use production keys that are the same as the encryption key used in the dataxform policy. After the switch, the key manager Security Administrator informs the protected host administrator.

  5. The protected host administrator re-enables user access to the protected data.

Protected host and key manager Security Administrators must coordinate with each other to transform protected data sets using dataxform. While this makes it impossible for a single individual to subvert CTE security, close coordination can be difficult to arrange, particularly in large data centers with many protected hosts administered by different individuals. To partially relax this requirement without compromising security, dataxform execution can be automated. See Automatic Data Transformation.

In addition to rekeying protected files, you can use dataxform for the initial encryption and decryption of file sets. For initial encryption, the key manager Security Administrator specifies clear_key as the transformation policy’s encryption key and a new encryption key as the production key. This instructs the utility not to decrypt files before “re-encrypting” them. Similarly, to decrypt protected data, the key manager Security Administrator specifies clear_key, as the transformation key and the existing encryption key as the production key, causing dataxform to decrypt, but bypass re-encryption.

The dataxform utility starts by creating a list of all files that may require transformation. To guarantee that the list remains correct until the transformation is completed, the admin must prevent all file access by including an "all_ops" "deny" rule in the policy. Without this rule, dataxform does not start.

When using dataxform, it is important to keep in mind the following issues:

  • Ensure that the pre-transformation production policy, the dataxform policy, and post-transformation production policy, all specify the same files to be affected.

  • Similarly, the dataxform policy must specify the same production key as the pre-transformation production policy. The post-transformation production policy must specify the same production key as the dataxform policy’s transformation key.

Note

CTE does not cross-check key relationships. This is the responsibility of the key manager Security Administrator.

On this page