LDT Metadata in Extended Attributes
An extended attribute is a name/value pair permanently associated with a file or directory stored in a file system. CipherTrust Transparent Encryption (CTE) creates and maintains its own user extended attributes on LDT GuardPoint directories and files. The extended attributes are used to store metadata related to each file or directory that is protected using an LDT policy.
On Linux, LDT sets extended attributes on GuardPoint directories. The LDT attribute of an LDT GuardPoint stores the following metadata:
- Current key version.
- Rekey status.
- Rekey start and end times.
- Estimated completion time.
- Total amount of data transformed.
- Total number of files transformed.
- Current key signature and applied key signature.
On both Linux and Windows, LDT sets extended attributes on files. The LDT attribute of a file stores the following metadata:
- Name of the current key.
- Name of the versioned key.
- Version number of the versioned key.
- LDT rekey status of the file.
In most cases the current key name and the versioned key name are the same. The exception is the initial transformation from a legacy policy to an LDT policy: during that transformation the file is still encrypted with the legacy policy's key (the current key) while it is being transformed to the current version of the versioned (transformation) key, so the two names differ until the file has been fully transformed.
Note
Before you set up a GuardPoint for LDT, ensure that there is sufficient disk space available in your file system for LDT metadata. The amount of disk space you need depends on the number of files in your GuardPoint. For more information about the disk space requirement, see Planning for LDT Attribute Storage.
The state of a file changes during LDT operations. The extended attributes are continually updated to reflect the current file status, which falls into one of the following categories:
- Rekeyed to the current version of the key.
- Rekeyed to the previous version of the key, or in the initial key state (before the first LDT rekey has been performed).
- Partially rekeyed, where some regions of the file are already rekeyed to the new key version and other regions are still keyed to the previous key version or the initial key.
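The following script is an added example and is not part of the CTE/LDT product or its documentation. It uses the Linux extended-attribute calls in Python's standard library (os.listxattr and os.getxattr) to walk a directory tree, read the user extended attributes on every directory and file, report which paths lack a given attribute, and total the size of the attribute values found. This is the check an administrator would want before and after enabling LDT on a GuardPoint: every file should carry the LDT attribute, and the value sizes give a lower bound on the metadata storage the note above refers to. The text does not name the LDT attribute, so the attribute name used below ("user.example.ldt") is a placeholder assumption; replace it with the name your agent actually writes (getfattr -d on a known-good file shows it). The script assumes Linux; the xattr functions are not available in the os module on other platforms.

```python
"""Inventory user extended attributes under a directory tree (Linux only).

Added example for checking that every path under a GuardPoint carries an
LDT attribute; it is not CTE's own tooling. The attribute name is a
placeholder assumption, see main() below.
"""
import errno
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List


@dataclass
class XattrRecord:
    """Extended attributes found on one path (values are raw bytes)."""
    path: str
    is_dir: bool
    attrs: Dict[str, bytes] = field(default_factory=dict)


def read_xattrs(path: str, prefix: str = "user.") -> Dict[str, bytes]:
    """Return {name: value} for every xattr on `path` whose name starts with `prefix`.

    Symlinks are not followed, so a link's own attributes are read rather than
    the target's. A file system without xattr support (ENOTSUP) reports no
    attributes instead of raising, so one unsupported mount does not abort
    the whole inventory.
    """
    found: Dict[str, bytes] = {}
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            return found
        raise
    for name in names:
        if not name.startswith(prefix):
            continue
        try:
            found[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError as exc:
            # ENODATA: the attribute was removed between listxattr and getxattr
            # (the file is being rewritten or transformed while we look at it).
            if exc.errno == errno.ENODATA:
                continue
            raise
    return found


def walk_xattrs(root: str, prefix: str = "user.") -> Iterator[XattrRecord]:
    """Yield one XattrRecord for the root directory and everything beneath it.

    os.walk does not descend into symlinked directories, so only paths that
    really live inside `root` are reported.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        yield XattrRecord(dirpath, True, read_xattrs(dirpath, prefix))
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield XattrRecord(full, False, read_xattrs(full, prefix))


def summarize(records: Iterable[XattrRecord], required: str) -> Dict[str, object]:
    """Split paths into those that carry `required` and those that do not.

    `value_bytes` is the sum of all attribute value sizes seen, which is a
    lower bound on the space the file system spends storing them (the
    on-disk overhead per attribute is file-system specific).
    """
    with_attr: List[str] = []
    without_attr: List[str] = []
    total = 0
    for rec in records:
        (with_attr if required in rec.attrs else without_attr).append(rec.path)
        total += sum(len(v) for v in rec.attrs.values())
    return {"with": with_attr, "without": without_attr, "value_bytes": total}


def main() -> None:
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # ASSUMPTION: "user.example.ldt" is a placeholder, not the real LDT
    # attribute name; pass the name your CTE agent uses as the second argument.
    wanted = sys.argv[2] if len(sys.argv) > 2 else "user.example.ldt"
    report = summarize(walk_xattrs(root), wanted)
    for path in report["without"]:
        print(f"missing {wanted}: {path}")
    print(f"{len(report['with'])} with, {len(report['without'])} without, "
          f"{report['value_bytes']} bytes of attribute values")


if __name__ == "__main__":
    main()
```

Run it as `python3 script.py /path/to/guardpoint <attribute-name>`; any path listed as missing the attribute has no LDT metadata and deserves a closer look (for example, a file created outside the GuardPoint and moved in, or a file system that does not support user extended attributes at all). Symlinks are deliberately not followed so that the attributes of files outside the GuardPoint are never mistaken for those inside it.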