Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Removing CTE-LDT and Security Encryption

Migrating a GuardPoint Out of LDT

search

Please Note:

Migrating a GuardPoint Out of LDT

Migrating a GuardPoint from LDT removes the security encryption. It also provides an Administrator with the flexibility to relax the compliance requirement, when strict compliance for frequent key rotation on specific data is no longer mandatory. The following sections describe how to migrate a GuardPoint from LDT to a non-LDT policy, or to remove encryption protection from it.

Converting a GuardPoint from an LDT Policy to a Standard Policy

If you want to do more than just change the policy on a GuardPoint from an LDT policy to a non-LDT policy, see Deleting LDT Metadata (Linux) or Deleting LDT Metadata (Windows).

Note

  • Converting LDT CIFS/NFS GuardPoints from Live Data Transformation policies to Standard CTE policies is not supported.

  • LDT CIFS/NFS-protected GuardPoints cannot be migrated to clear_key.

  • Reverse migration is not supported for network shares.

  1. Clone the versioned key associated with the LDT GuardPoint to a non-versioned key.

    The clone function creates a new key with the same cryptographic encryption material as the current version of the cloned versioned key.

    This allows LDT to use the cloned key in a non-LDT policy to convert the GuardPoint from an LDT to a non-LDT managed policy.

    1. In the CipherTrust Manager Applications Page, open the Keys & Access Management application.

    2. Click the name of the versioned key that you want to clone.

    3. In the Key Details area, click the (...) button at the end of the row showing the current version of the key and select Clone to clone the current version.

    4. Enter a new name for the key in the Key Name field. Do not select the CTE Versioned option for the clone.

    5. Click Clone.

  2. Open the CTE application and click Clients in the left-hand menu bar.

  3. Click on the name of the client whose GuardPoint you want to migrate.

  4. Find the GuardPoint you want to migrate in the GuardPoints table, then click the (...) button at the end of the row and select Disable.

  5. After LDT disables the GuardPoint, click the (...) button at the end of the row and select Remove.

  6. (Linux only) Ensure that the GuardPoint is removed on the managed host:

    secfsd -status guard
No ${gp}s configured

  7. LDT creates extended attributes for every file under the GuardPoint as well as the GuardPoint directory. Now that the LDT policy does not manage the GuardPoint, you must remove the extended attributes for every file in the GuardPoint, type:

     voradmin ldt attr delete /<${gp}>

  8. The command may take some time depending on the number of files in the GuardPoint.

    Note

    For all of the file system mount points that contain an LDT protected GuardPoint, you must clean up the metadata first. See Deleting LDT Metadata (Linux).

  9. Create a non-LDT policy using the cloned key you created earlier in this procedure.

    1. In the CTE application, click Policies in the left-hand menu bar and then click Create Policy.

    2. Enter a name for the policy in the Name field.

    3. In Policy Type, choose Standard.

    4. Click Next.

    5. On the Security Rules page, click Next to skip adding a security rule.

    6. On the Key Selection Rules, click Create Key Rule.

    7. In the Key Name field, select the cloned key you created earlier.

    8. Click Add.

    9. Click Next

    10. Confirm that the key rule is correct and click Save.

  10. Apply the non-LDT policy to the GuardPoint.

    Caution

    Make sure that you have removed all of the LDT metadata from the GuardPoint before applying the non-LDT policy.

    1. Open the CTE application and click Clients in the left-hand menu bar.

    2. Click on the name of the client whose GuardPoint you want to migrate.

    3. Click Create GuardPoint.

    4. In the Create GuardPoint dialog box, select the Policy that you just created in the Policy field.

    5. Select the Type: Auto Directory or Manual Directory.

    6. In the Path field, and enter or browse to the directory to protect.

    7. When you are done, click Create.

Remove Protection from a GuardPoint

When compliance may no longer require protecting data in a GuardPoint, you may choose to unprotect/decrypt it. Before removing protection from your GuardPoint, you must decrypt the data in your GuardPoint by setting it to clear. You have two options to decrypt your data:

  • While a GuardPoint is protected and enabled under an LDT policy, you can use copy or backup/restore commands to save files in your GuardPoint to a location outside of your GuardPoint.

  • Use the dataxform command to transform your GuardPoint to clear in an offline transformation process.

For GuardPoints over NFS, you must backup the entire GuardPoint before you unguard the GuardPoint. Then you can restore the files from backup over the GuardPoint directory after you remove the protection on the GuardPoint.

Copying Files to Decrypt Them

If you choose to copy your files, you must create a directory outside of the GuardPoint and then copy the files into the GuardPoint directory. After finishing copying, complete the following steps:

  1. Open the CTE application and click Clients in the left-hand menu bar.

  2. Click on the name of the client whose GuardPoint you want to remove.

  3. Find the GuardPoint you want to remove in the GuardPoints table, then click the (...) button at the end of the row and select Disable.

  4. After LDT disables the GuardPoint, click the (...) button at the end of the row and select Remove.

  5. (Linux only) Ensure that the GuardPoint is removed on the managed host:

     secfsd -status guard
No ${gp}s configured

This completes removal of the GuardPoint under an LDT policy. You can now remove the original files and data within the GuardPoint namespace.

Using Dataxform Command to Transform the Files

If you choose to use the dataxform command to transform data in your GuardPoint to clear, use the voradmin command to verify that earlier versions of the versioned key are not in use on your GuardPoint. Complete the following steps to clear all metadata in your GuardPoint. Then, transform your GuardPoint to clear.

  1. Clone the versioned key associated with the LDT GuardPoint to a non-versioned key.

    1. In the CipherTrust Manager Applications Page, open the Keys & Access Management application.

    2. Click the name of the versioned key that you want to clone.

    3. In the Key Details area, click the (...) button at the end of the row showing the current version of the key and select Clone to clone the current version.

    4. Enter a new name for the key in the Key Name field. Do not select the CTE Versioned option for the clone.

    5. Click Clone.

  2. Create a Standard policy using the cloned key you just created.

    1. In the CTE application, click Policies in the left-hand menu bar and then click Create Policy.

    2. Enter a name for the policy in the Name field.

    3. In Policy Type, choose Standard.

    4. Enable the Data Transformation option.

    5. Click Next.

    6. On the Security Rules page, click Next to skip adding a security rule.

    7. On the Key Selection Rules, click Create Key Rule.

    8. In the Key Name field, select the cloned key you created earlier.

    9. Click Add, then click Next.

    10. On the Data Transformation page, click Create Data Transformation Rule.

    11. In the Transformation Key Name field, select clear_key.

    12. Click Add, then click Next.

    13. Confirm that the key rule and data transformation rule are correct and click Save.

  3. Click Clients in the left-hand menu bar.

  4. In the Clients table, click on the name of the client whose GuardPoint you want to remove.

  5. Find the GuardPoint you want to remove in the GuardPoints table, then click the (...) button at the end of the row and select Disable.

  6. After LDT disables the GuardPoint, click the (...) button at the end of the row and select Remove.

    Before you apply the offline data transformation policy to your GuardPoint, you must clean up the LDT metadata from your GuardPoint. LDT creates extended attributes for every file under the GuardPoint, as well as the GuardPoint directory. Now that the LDT policy does not manage the GuardPoint, you can remove the extended attributes for every file in the GuardPoint.

  7. Remove the extended attributes of files in a GuardPoint, type:

     voradmin ldt attr delete <${gp}>

    The command may take some time depending on the number of files in the GuardPoint. After metadata deletion is complete, you can apply the offline transformation policy on the GuardPoint.

  8. CipherTrust Manager, guard and enable the GuardPoint with the Standard policy you created earlier.

  9. After enabling your GuardPoint, run the dataxform command on the managed host to transform the GuardPoint to a clear_key, type:

     dataxform --rekey --gp /<${gp}>/ --preserve_modified_time --preserve_access_time --cleanup_on_success

  10. After completion of dataxform, unguard the GuardPoint.

  11. Remove the GuardPoint from the dataxform policy in CipherTrust Manager.

On this page