Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Rekeying

Rekeying with dataxform

search

Please Note:

printsuggest an editpdf paneldownload

Rekeying with dataxform

Rekeying with dataxform requires that you change the current key of the production policy on your GuardPoint to a new key

copy link to clipboardNotes and Limitations

Note

Dataxform is optimized to run as fast as possible, tuning itself to the computer automatically. To run more than one instance at once, you may need to reduce to number of execution threads allocated to each instance. See dataxform Examples and Full Command Syntax.

  • If you change the encryption key on particular production policy, and if another GuardPoint on another host uses the same production policy, then that GuardPoint’s data will be unreadable because it still uses the old key. To avoid this:

    • Transform all of the data in all of the GuardPoints on all of the Hosts that use the same production policy with the new key.

    • Change the name of the production policy used on the GuardPoint on which you ran dataxform. The policy will then only apply to that GuardPoint and not the other GuardPoints using the policy of the original name.

copy link to clipboardProcedure

  1. If dataxform was run on this GuardPoint previously, you must clean up those dataxform sessions. See Cleaning Up a Previous dataxform Session.

  2. Log into your key manager management console.

  3. Create a new key or identify an existing key that you want to use for re-encrypting the data.

  4. Create a dataxform policy that specifies:

    • Policy Type: Standard.

    • Name: Something unique that you will be able to recognize in the list of available policies when you go to create the GuardPoint.

    Tip

    If you are using CipherTrust Manager to create the policy, make sure you enable the Data Transformation check box on the first page of the Create Policy wizard. CipherTrust Manager then adds the appropriate Security Rule automatically and prompts you for a Data Transformation Rule.

    • A Security Rule with Action: key_op and Effect: apply_key, permit.

    • A Key Selection Rule that specifies the original key currently in use.

    • A Data Transformation Rule that specifies the new key you want to use.

  5. Block all access to data in the GuardPoint that is to be re-encrypted.

  6. Unguard the production policy on the GuardPoint.

  7. Add a new GuardPoint to the host with the same directory as the original GuardPoint, applying the dataxform policy to the GuardPoint.

    Note

    At this point, all access to the GuardPoint is denied except for dataxform.

  8. From the command line on the protected host, run dataxform as root or admin user with at least the --rekey and --gp options.

    For example:

    # dataxform --rekey --print_stat --preserve_modified_time --gp /opt/apps/dx2<br>
Checking if data transform is supported for guard point /opt/apps/dx2<br>
Data transformation is supported on /opt/apps/dx2<br>
About to perform the requested data transform operation<br>
-- Be sure to back up your data<br>
-- Do not access files in the guard point during the transform process<br>
-- Please do not attempt to terminate the application

Scan found 10005 files (273 KB) in 5 directories for guard point /opt/apps/dx2
The current operation took 0 hours, 0 minutes and 1 seconds
Transformed 10010 files (273 KB) of 10005 files (273 KB) for guard point /opt/apps/dx2
The current operation took 0 hours, 0 minutes and 25 seconds
Data transform skipped some files
The file /opt/apps/dx2/hardlinkedfileLocal01 was skipped. It was an additional hard link
The file /opt/apps/dx2/filenothere03 was skipped. It was a soft link
The file /opt/apps/dx2/filenothere02 was skipped. It was a soft link
The file /opt/apps/dx2/filenothere01 was skipped. It was a soft link
The file /opt/apps/dx2/hardlinkedfileLocal02 was skipped. It was an additional hard link
Number of additional hard links skipped: 2
Number of soft links skipped: 3
Missing 1 references to hard link /opt/apps/dx2/hardlinkfile01
Missing 1 references to hard link /opt/apps/dx2/hardlinkfile02
Missing 1 references to hard link /opt/apps/dx2/hardlinkfile03
The data transform operation took 0 hours, 0 minutes and 25 seconds
Data transform for guard point /opt/apps/dx2 finished but 5 files were skipped

    • View the dataxform run results in the local log, /var/log/vormetric/vordxf_path_usr.log, or in the Logs window.

    • View the list of files that were not transformed in /var/log/vormetric/dataxform_status_skip_path.log.

    Notes

    • If dataxform fails, do not clean up the GuardPoint or remove the dataxform status files. If you run dataxform again in the same GuardPoint, dataxform will use these files to resume operation where it had left off.

    • Low-power systems can run out of memory while running dataxform. If entries like "[VMD] [ERROR] [1933564] [DXF4328E] Kernel component gave unexpected status 4." and "[VMD] [ERROR] [3670108] [DXF4300E] Out of Memory" are sent to the system messages file, lower the --thd parameter value. It will take longer to run, but dataxform will use less memory and complete successfully.

  9. Go back to your key manager management console and, in the production policy, change the key to use the new key instead of the original key.

  10. Disable the GuardPoint that you created using the dataxform policy and re-enable the production policy that now has the new key.

  11. Verify proper access to the data.

On this page