Using dataxform to Encrypt Your Data with CipherTrust Manager

The dataxform utility is an executable that encrypts data-in-place in a GuardPoint. This section describes how to use dataxform for initial data encryption. For more details on dataxform and its capabilities see Overview of the dataxform Utility and DataXform Reference.

The following procedure explains how to use dataxform if you are using CipherTrust Manager as your key manager.

Notes and Limitations

• For detailed dataxform information, see Overview of the dataxform Utility and dataxform Examples and Full Command Syntax.

• Guarding and transforming linked files is potentially dangerous. See Checking for Hard-Link Files Inside the GuardPoint with dataxform.

• Performance may be impacted (slow down) if you run multiple transforms concurrently on systems where the GuardPoints are on the same disk. On systems with a large number of CPUs running concurrently with default settings, even if the GuardPoints are on different disks, you may experience slower performance. If you execute multiple instances of dataxform manually, the instances run in parallel. If you execute multiple instances of dataxform automatically (see Automatic Data Transformation and Running Automatic Data Transformation, the instances run consecutively.

• It is recommended that you run one dataxform session, for better performance.

Prerequisites

• Verify that there is a good backup of the data to be encrypted. This step is vital.

• Make sure that you have a CTE production policy with the proper security rules defined for the new GuardPoint. The production policy needs to use the same encryption key that you will be using to initially encrypt the data.

• You will need to stop ALL access and services to the data to be encrypted during part of this procedure, and access will NOT be restored until the encryption process is complete. Make sure that you plan for this outage and that users know the data will be inaccessible for some time. To estimate the outage duration, see Estimating the dataxform Runtime Period.

  In addition, make sure you know which dataxform options you want to use so that you are ready to run the command as soon as the GuardPoint is ready. This will keep the required downtime as short as possible. For a complete list of options, see dataxform Examples and Full Command Syntax.

• If you use Microsoft Volume Shadow Services (VSS) files and use dataxform to change the encryption keys, then you must make a VSS shadow copy before and after running dataxform. See Automatic Data Transformation.

Procedure

1. Log into CipherTrust Manager and, if necessary, switch to the domain that contains the client you want to protect.

2. Identify the encryption key you want to use to encrypt the data or create a new encryption key.

3. Create an initial encryption policy for the GuardPoint. This policy will only be used to encrypt the data as it is copied into the new directory, after which you will replace the policy with a production policy.

   1. Launch the CTE application.

   2. In the left-hand menu bar, click Policies.

   3. Click Create Policy.

   4. For Name, make sure you use a name that clearly designates this as an initial-encryption policy and not a production policy. You will need to be able to find this policy name from the list of all available policies when you create the GuardPoint.

   5. For Policy Type, select Standard.

   6. Enable the Data Transformation check box.

   7. Click Next to go to the Security Rules page. CipherTrust Manager should have automatically added a security rule for Action: key_op, Effect: permit,applykey. If this security rule is not there, click Back and make sure you have enabled the Data Transformation check box.

   8. Click Next to go to the Key Rules page.

   9. Click Create Key Rule.

   10. In Current Key Name, select clear_key and click Add.

   11. Click Next to go to the Data Transformation page.

   12. Click Create Data Transformation Rule.

   13. In the Transformation Key Name field select the encryption key you want to use to encrypt the data. This key must match the one specified in the production policy you intend to apply to the GuardPoint after the data has been encrypted..

   14. Click Next to go to the Confirmation page.

   15. Verify your selections and click Save to save the policy.

4. Stop ALL access and services to the data to be encrypted. Make sure no processes, services, or users are currently accessing the data. You cannot restore access to the data until the encryption process is complete.

5. Create a GuardPoint using the initial encryption policy. When you are creating the GuardPoint, for Type, select Directory (Auto Guard) or Directory (Manual Guard). You cannot use dataxform with a block device.

   If you select Auto Guard, CTE starts the guard process as soon as the policy is pushed to the host. You enable, disable, guard, and unguard the GuardPoint in the Management Console.

   If you select Manual Guard, You guard the GuardPoint on the protected host with the secfsd -guard <path> command and unguard it with the secfsd -unguard <path> command. This gives you more control over when data transformations occur because CTE will not start encrypting or rekeying the device until you manually start the process.

   Select Directory (Manual Guard) for Linux/AIX file system directories that must be manually guarded and unguarded in order to failover to a different node in a cluster. See Automatic and Manual GuardPoints for details on this issue.

6. Click OK to apply the policy to the GuardPoint.

   Wait until the policy has been applied to the device. This may take up to a minute.

7. If you selected Auto Guard, disable the GuardPoint from the Management Console.

8. Log onto the host system and manually encrypt the data in the GuardPoint.

   1. Run dataxform with the desired options. For example, if you want to encrypt the GuardPoint /opt/apps/dx2 GuardPoint, display the time taken for dataxform to complete each phase of the transformation process, and have dataxform preserve the last modified dates on the files, you would enter:

      # dataxform --rekey --print_stat --preserve_modified_time --gp /opt/apps/dx2
      Checking if data transform is supported for guardpoint /opt/apps/dx2
      Data transformation is supported on /opt/apps/dx2
      About to perform the requested data transform operation
      -- Be sure to back up your data
      -- Do not access files in the guard point during the transform process
      -- Please do not attempt to terminate the application
      
      Scan found 10005 files (273 KB) in 5 directories for guard point /opt/apps/dx2
      The current operation took 0 hours, 0 minutes and 1 seconds
      Transformed 10010 files (273 KB) of 10005 files (273 KB) for guard point /opt/apps/dx2
      The current operation took 0 hours, 0 minutes and 25 seconds
      Data transform skipped some files
      The file /opt/apps/dx2/hardlinkedfileLocal01 was skipped. It was an additional hard link
      The file /opt/apps/dx2/filenothere03 was skipped. It was a soft link
      The file /opt/apps/dx2/filenothere02 was skipped. It was a soft link
      The file /opt/apps/dx2/filenothere01 was skipped. It was a soft link
      The file /opt/apps/dx2/hardlinkedfileLocal02 was skipped. It was an additional hard link
      Number of additional hard links skipped: 2
      Number of soft links skipped: 3
      Missing 1 references to hard link /opt/apps/dx2/hardlinkfile01
      Missing 1 references to hard link /opt/apps/dx2/hardlinkfile02
      Missing 1 references to hard link /opt/apps/dx2/hardlinkfile03
      The data transform operation took 0 hours, 0 minutes and 25 seconds
      Data transform for guard point /opt/apps/dx2 finished but 5 files were skipped
      

      • View the dataxform run results in the local log, /var/log/vormetric/vordxf _path_usr.log, or in the Logs window.

      • View the list of files that were not transformed in /var/log/vormetric/dataxform_status_skip-_path.log.

      Note

      Low-power systems can run out of memory while running dataxform. If entries like "[VMD] [ERROR] [1933564] [DXF4328E] Kernel component gave unexpected status 4." and "[VMD] [ERROR] [3670108] [DXF4300E] Out of Memory" are sent to the system messages file, lower the --thd parameter value. It takes longer to run, but dataxform uses less memory and completes successfully.

   2. Read the dataxform command line messages as it encrypts files. Specifically note messages that list files or folders that are skipped and the reasons why. The dataxform log file also contains this information. Use it to identify failed transformations (see Monitoring dataxform).

   3. If a dataxform fails during transformation, you can usually rerun it and it resumes transformation beginning with the next file. The risk is that all files that were in-progress during the transformation may not be completely transformed at the point of failure. In this case you will have to restore it from your backup and transform it again.

   Note

   If dataxform fails, do not clean up the GuardPoint or remove the dataxform status files. If you run dataxform again in the same GuardPoint, dataxform will use these files and resume operations where it left off.

   1. After you have verified that the encryption is successful, clean up the dataxform session files before you run dataxform again on the same GuardPoint. See Cleaning Up a Previous dataxform Session.

9. After the dataxform session has been cleaned up, go back to the CipherTrust Manager Console and remove the GuardPoint.

10. Create a new GuardPoint using the desired production policy with the appropriate access control rules. Your data is now fully encrypted and you can redirect access to the GuardPoint.

11. Start all services and restore access to the now-encrypted data.

12. Inform application teams that systems are ready for use. Everything should work exactly as before; however, monitor the situation with your users.