Rekeying Using the Manual Copy Method
If you change the encryption key on a production policy, and another GuardPoint on another host uses the same production policy, that GuardPoint's data becomes unreadable: its files are still encrypted with the old key, but the policy now applies the new key. To avoid this, do one of the following:
- Transform all of the data in all of the GuardPoints on all of the hosts that use the same production policy with the new key.
- Change the name of the production policy used on the GuardPoint on which you ran dataxform. The policy then applies only to that GuardPoint and not to the other GuardPoints that use the policy of the original name.
Procedure
- Identify a location where CTE can create a GuardPoint and that has enough space to hold the data for rekeying.
- Log into your key manager's management console.
- Create a new key, or identify an existing key, that you want to use for re-encrypting the data.
- Create a Standard production policy that specifies the following:
  - Policy Type: Standard.
  - Name: something unique that you will be able to recognize in the list of available policies when you create the GuardPoint.
  - A Security Rule with Action: all_ops and Effect: apply_key, permit.
  - Any other security rules you need in your production policy.
  - A Key Selection Rule that specifies the new key you want to use.
- Add a new GuardPoint that uses the new production policy on the protected host location you identified.
- Copy or move the data from the original directory to the new GuardPoint. The data in the new directory is rekeyed as it is copied in: CTE decrypts each file with the old key as it is read from the original GuardPoint and encrypts it with the new key as it is written into the new GuardPoint.
- Wait until all files have been copied and the rekey operation has completed on the new GuardPoint.
- Direct all applications and users to use the new data location, or change the name of the new GuardPoint directory to the name of the original directory.
  - If you direct all applications and users to use the new data location, make sure that they use the production policy that contains the new encryption key.
  - If you change the name of the new GuardPoint directory to the name of the original directory, use the following instructions:
    - In the key manager management console, disable the original GuardPoint.
    - Unguard the newly created GuardPoint with the rekeyed data.
    - On the protected host, rename the original directory to a temporary name.
    - Rename the newly created directory to the original directory name.
    - Modify the original policy to use the newly created key.
    - Enable the original GuardPoint with the original policy. This puts the original policy in effect with the new key on the newly transformed data.
- Verify that the rekeyed data is accessible to users.
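The host-side part of the procedure above (copy the data into the new GuardPoint, confirm every file arrived before touching anything else, then rename the original directory to a temporary name and the new directory to the original name) is shown below as an added example; it is not a script from the CTE documentation or product. The key manager console steps (creating the policy, adding, disabling, unguarding and re-enabling GuardPoints, changing the policy's key) are still done as the procedure describes. All directory names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the CTE documentation: copy, verify and swap
# directories for the manual-copy rekey. Paths are placeholders.

# Deterministic digest of a directory tree: one line per regular file with its
# relative path and POSIX cksum (CRC and byte count). Comparing the digest of
# the original directory with that of the new GuardPoint shows whether every
# file arrived with identical cleartext content.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(cksum < "$f")"
    done )
}

# Copy the contents of the original directory ($1) into the new GuardPoint ($2)
# and verify the copy. Both paths must be guarded while this runs: CTE returns
# cleartext when reading from $1 and applies the new key when writing into $2;
# copying while either side is unguarded moves ciphertext and rekeys nothing.
# Returns non-zero if any file differs, so the caller never renames
# directories on top of an incomplete copy.
copy_and_verify() {
    src="$1"; dst="$2"
    cp -pR "$src/." "$dst/" || return 1     # -p keeps mode and timestamps
    [ "$(tree_digest "$src")" = "$(tree_digest "$dst")" ]
}

# Rename the original directory to a temporary name and the new directory to
# the original name. Prints the temporary name so the pre-rekey copy is kept
# until users confirm the rekeyed data is accessible.
swap_directories() {
    orig="$1"; new="$2"; tmp="${orig}.pre-rekey.$$"
    mv "$orig" "$tmp" || return 1
    mv "$new" "$orig" || return 1
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration on a constructed tree under a temporary directory;
# "data" stands in for the original GuardPoint and "data_rekey" for the new one.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/app" "$work/data_rekey" || return 1
    printf 'record one\n' > "$work/data/app/one.txt"
    printf 'record two\n' > "$work/data/two.txt"
    copy_and_verify "$work/data" "$work/data_rekey" \
        || { echo "copy verification failed, directories left untouched" >&2; return 1; }
    old=$(swap_directories "$work/data" "$work/data_rekey") || return 1
    echo "rekeyed data now at $work/data; pre-rekey copy retained at $old"
    rm -rf "$work"
}

demo
```

The verification step matters because the rename is what exposes the new data under the original path: if the copy is incomplete, users would see missing or truncated files only after the swap. Keeping the renamed original directory until the final "verify that the rekeyed data is accessible" step gives a way back without repeating the copy.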