Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Backing Up and Restoring LDT GuardPoints

LDT Policy for Encrypted Backup and Restore

search

Please Note:

printsuggest an editpdf paneldownload

LDT Policy for Encrypted Backup and Restore

Suppose you have an LDT policy allowing a backup user, or a backup process, to perform an encrypted backup. The backup user, or the backup process, reads encrypted data from files and stores the same encrypted data in backup media.

For example, suppose you wanted to back up GuardPoint /oxf-fs1/gp1 protected by My_LDT_Policy_1. The key version before the key rotation is 8. The following steps occur:

  1. Key version 8 expires and is rotated to version 9.

  2. Rotating the encryption key triggers LDT to start running on the data under the GuardPoint.

  3. The QoS schedule suspends LDT because a backup process is running.

  4. The backup process begins, runs and later ends.

  5. The QoS schedule resumes LDT.

  6. LDT on the GuardPoint completes.

Note

Although the backup/restore scenarios and examples described in the rest of this section are specific to LDT on Linux platform, the concepts also apply to LDT on the Windows platform.

Consider the state of the three files in the GuardPoint during the LDT process, right after LDT is suspended in preparation for the backup. You can obtain the state of each file through the voradmin ldt attr get command, which examines the LDT state of each file captured in the LDT extended attributes of those files. (For an overview of voradmin LDT, see LDT Command-Line Administration: voradmin command).

  • File_1.dat is rekeyed/encrypted to completion. The applied and new key versions are at version 9 of the key.

    voradmin ldt attr get /oxf-fs1/gp1/data_files /file_1.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
 Key:    name=LDT_AES256_KEY, version=9

  • File_2.dat is partially rekeyed/encrypted. The applied key version is at version 8 and the transformation key is at version 9.

    voradmin ldt attr get /oxf-fs1/gp1/data_files/file_2.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=rekeying,state_saved
Current Key:    name=LDT_AES256_KEY, version=8
New Key:        name=LDT_AES256_KEY, version=9

  • File_3.dat has not been rekeyed/encrypted. The applied key and transformation key are both at version 8, which is the version before the current key rotation.

    voradmin ldt attr get /oxf-fs1/gp1/data_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
Key:    name=LDT_AES256_KEY, version=8

While LDT is suspended on the GuardPoint, the backup process starts and archives these three files, including extended attributes, in the backup media.

my_backup --preserve=xattr /oxf-fs1/gp1/data_files/file_1.dat \
    /backup-media/oxf-fs1/gp1/data_files/file_1.dat
my_backup --preserve=xattr /oxf-fs1/gp1/data_files/file_2.dat \
             /backup-media/oxf-fs1/gp1/data_files/file_2.dat
my_backup --preserve=xattr /oxf-fs1/gp1/data_files/file_3.dat \
             /backup-media/oxf-fs1/gp1/data_files/file_3.dat

Note

  • On Linux platforms, you must perform backups on a GuardPoint during periods when LDT is not actively transforming data in the GuardPoint. You must schedule backups in conjunction with LDT schedules or during periods when LDT is paused. Make sure to coordinate with the backup administrator and schedule accordingly.

  • If the preferred method of backup is to create device level snapshots of the file system on the managed host or in the storage array subsystem, you must ensure that the schedule for creating snapshots pauses LDT before a snapshot is created.

On this page