Rekeying with dataxform
Rekeying with dataxform requires that you change the current key of the production policy on your GuardPoint to a new key
Notes and Limitations
-
For detailed dataxform information, see Overview of the dataxform Utility and dataxform Examples and Full Command Syntax.
-
Guarding and transforming linked files is potentially dangerous. See Checking for Hard-Link Files Inside the GuardPoint with dataxform.
-
Be aware that running more than one dataxform session per underlying disk may affect performance, and cause things to slow down. You can run multiple dataxform sessions provided they are going to different disks. If you run multiple dataxform sessions against the same disk, there will likely be performance impact.
-
If you execute multiple instances of dataxform manually, the instances run in parallel. If you execute multiple instances of dataxform automatically (see Automatic Data Transformation and Running Automatic Data Transformation, the instances run consecutively.
Note
Dataxform is optimized to run as fast as possible, tuning itself to the computer automatically. To run more than one instance at once, you may need to reduce to number of execution threads allocated to each instance. See dataxform Examples and Full Command Syntax.
-
If you change the encryption key on particular production policy, and if another GuardPoint on another host uses the same production policy, then that GuardPoint’s data will be unreadable because it still uses the old key. To avoid this:
-
Transform all of the data in all of the GuardPoints on all of the Hosts that use the same production policy with the new key.
-
Change the name of the production policy used on the GuardPoint on which you ran dataxform. The policy will then only apply to that GuardPoint and not the other GuardPoints using the policy of the original name.
-
Procedure
-
If dataxform was run on this GuardPoint previously, you must clean up those dataxform sessions. See Cleaning Up a Previous dataxform Session.
-
Log into your key manager management console.
-
Create a new key or identify an existing key that you want to use for re-encrypting the data.
-
Create a dataxform policy that specifies:
-
Policy Type: Standard.
-
Name: Something unique that you will be able to recognize in the list of available policies when you go to create the GuardPoint.
Tip
If you are using CipherTrust Manager to create the policy, make sure you enable the Data Transformation check box on the first page of the Create Policy wizard. CipherTrust Manager then adds the appropriate Security Rule automatically and prompts you for a Data Transformation Rule.
-
A Security Rule with Action: key_op and Effect: apply_key, permit.
-
A Key Selection Rule that specifies the original key currently in use.
-
A Data Transformation Rule that specifies the new key you want to use.
-
-
Block all access to data in the GuardPoint that is to be re-encrypted.
-
Unguard the production policy on the GuardPoint.
-
Add a new GuardPoint to the host with the same directory as the original GuardPoint, applying the dataxform policy to the GuardPoint.
Note
At this point, all access to the GuardPoint is denied except for dataxform.
-
From the command line on the protected host, run dataxform as
root
or admin user with at least the--rekey
and--gp
options.For example:
# dataxform --rekey --print_stat --preserve_modified_time --gp /opt/apps/dx2<br> Checking if data transform is supported for guard point /opt/apps/dx2<br> Data transformation is supported on /opt/apps/dx2<br> About to perform the requested data transform operation<br> -- Be sure to back up your data<br> -- Do not access files in the guard point during the transform process<br> -- Please do not attempt to terminate the application Scan found 10005 files (273 KB) in 5 directories for guard point /opt/apps/dx2 The current operation took 0 hours, 0 minutes and 1 seconds Transformed 10010 files (273 KB) of 10005 files (273 KB) for guard point /opt/apps/dx2 The current operation took 0 hours, 0 minutes and 25 seconds Data transform skipped some files The file /opt/apps/dx2/hardlinkedfileLocal01 was skipped. It was an additional hard link The file /opt/apps/dx2/filenothere03 was skipped. It was a soft link The file /opt/apps/dx2/filenothere02 was skipped. It was a soft link The file /opt/apps/dx2/filenothere01 was skipped. It was a soft link The file /opt/apps/dx2/hardlinkedfileLocal02 was skipped. It was an additional hard link Number of additional hard links skipped: 2 Number of soft links skipped: 3 Missing 1 references to hard link /opt/apps/dx2/hardlinkfile01 Missing 1 references to hard link /opt/apps/dx2/hardlinkfile02 Missing 1 references to hard link /opt/apps/dx2/hardlinkfile03 The data transform operation took 0 hours, 0 minutes and 25 seconds Data transform for guard point /opt/apps/dx2 finished but 5 files were skipped
-
View the dataxform run results in the local log,
/var/log/vormetric/vordxf_path_usr.log
, or in the Logs window. -
View the list of files that were not transformed in
/var/log/vormetric/dataxform_status_skip_path.log
.
Notes
-
If dataxform fails, do not clean up the GuardPoint or remove the dataxform status files. If you run dataxform again in the same GuardPoint, dataxform will use these files to resume operation where it had left off.
-
Low-power systems can run out of memory while running dataxform. If entries like "
[VMD] [ERROR] [1933564] [DXF4328E] Kernel component gave unexpected status 4." and "[VMD] [ERROR] [3670108] [DXF4300E] Out of Memory
" are sent to the system messages file, lower the--thd
parameter value. It will take longer to run, but dataxform will use less memory and complete successfully.
-
-
Go back to your key manager management console and, in the production policy, change the key to use the new key instead of the original key.
-
Unguard the GuardPoint that you created using the dataxform policy and re-enable the production policy that now has the new key.
-
Verify proper access to the data.