Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Rekeying

Rekeying Using the Manual Copy Method

search

Please Note:

printsuggest an editpdf paneldownload

Rekeying Using the Manual Copy Method

If you change the encryption key on a production policy, and if another GuardPoint on another host uses the same production policy, then that GuardPoint’s data becomes unreadable because the data is still encrypted/decrypted with the old key. To avoid this:

  • Transform all of the data in all of the GuardPoints on all of the Hosts that use the same production policy with the new key.

  • Change the name of the production policy used on the GuardPoint on which you ran dataxform. The policy will then only apply to that GuardPoint and not the other GuardPoints using the policy of the original name.

copy link to clipboardProcedure

  1. Identify a location where CTE can create a GuardPoint and has enough space to hold the data for rekeying.

  2. Log into your key manager's management console.

  3. Create a new key or identify an existing key that you want to use for re-encrypting the data.

  4. Create a Standard production policy that specifies the following:

    • Policy Type: Standard.

    • Name: Something unique that you will be able to recognize in the list of available policies when you go to create the GuardPoint.

    • A Security Rule with Action: all_ops and Effect: apply_key, permit.

    • Any other security rules you need in your production policy.

    • A Key Selection Rule that specifies the new key you want to use.

  5. Add a new GuardPoint that uses the new production policy on the protected host location you identified.

  6. Copy or move the data from the original directory to the new GuardPoint.

    The data in the new directory is rekeyed as it is copied in.

  7. Wait until all files have been copied and the rekey operation has completed on the new GuardPoint.

  8. Direct all applications and users to use the new data location, or change the name of the new GuardPoint directory to the name of the original directory.

    • If you direct all applications and users to use the new data location, make sure that they use the production policy that contains the new encryption key.

    • If you change the name of the new GuardPoint directory to the name of the original directory use the following instructions:

      1. In the key manager management console, disable the original GuardPoint.

      2. Unguard the newly created GuardPoint with the rekeyed data.

      3. On the protected host, rename the original directory to a temporary name.

      4. Rename the newly created directory to the original directory name.

      5. Modify the original policy to use the newly created key.

      6. Enable the original GuardPoint with the original policy. This puts the original policy in effect with the new key on the newly transformed data.

  9. Verify that the rekeyed data is accessible to users.

On this page