Restore an Encrypted Backup
Restore a File Fully Rekeyed to the Latest Key Version
Restore a Partially Rekeyed/encrypted File
Restore a File Not Rekeyed/encrypted with an Older Key Version
This section illustrates restoration of the three files from the backup media to the same GuardPoint, /oxf-fs1/gp1
. The files are restored to a different directory under the GuardPoint.
Restore a File Fully Rekeyed to the Latest Key Version
Recall that file_1.dat was archived in the backup media when it was fully rekeyed to version 9 of the key. As the current version of the key is also 9, file_1.dat is restored from backup without any changes. After restoring the file, the state of the restored file and its applied and current key versions remain unchanged, as compared to the original file that was backed up.
my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \
/file_1.dat /oxf-fs1/gp1/restored_files/file_1.dat
voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_1.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
Key: name=LDT_AES256_KEY, version=9
voradmin ldt attr get /oxf-fs1/gp1/data_files/file_1.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
Key: name=LDT_AES256_KEY, version=9
Restore a Partially Rekeyed/encrypted File
Recall that file_2.dat, archived in the backup media, was partially rekeyed between versions 8 and 9. As the current version of the key was 9 at the time of backup, file_2.dat is restored to the GuardPoint with the same version of the key from the time of backup. The file is flagged for lazy rekey, meaning that a background rekey operation is scheduled to transform the file to the latest key version the next time an application tries to access the file.
At the completion of restoration, the file is fully transformed to the key version (v9). The key version is also the latest one in the policy. Although the file is flagged for lazy rekey (LAZY_RK), the file does not need to be transformed to the latest key version because it’s already there. Had the file been partially rekeyed from version 7 to version 8 of the key at the time of backup, the restored file would have completed rekeying to version 8 at the end of the restoration. Therefore, the LAZY_RK flag would initiate a background transformation to update the key version to the latest key version when the file is accessed.
If this file is not accessed by any application, the file remains unchanged in the GuardPoint. It is not transformed to the latest key version. To trigger a rekey, either re-push the LDT policy from the CipherTrust Manager, or access the file with an application, such as a file explorer.
my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files/ \
file_1.dat /oxf-fs1/gp1/restored_files/file_2.dat
voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey
Key: name=LDT_AES256_KEY, version=9
voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
Key: name=LDT_AES256_KEY, version=9
Restore a File Not Rekeyed/encrypted with an Older Key Version
Recall file_3.dat was archived in the backup media when it was keyed to version 8 of the key, one version below the latest version at the time of backup. At completion of the restoration, file_3.dat is restored from backup to the same version, version 8, that it was keyed to when it was backed up.
However, the file is flagged for lazy rekey. After restoring the file, it is keyed to version 8 and flagged for lazy rekey (LAZY_RK). The file is rekeyed to the latest key version, version 9, as soon as an application accesses the file. If this file is not accessed by any application, the file remains unchanged in the GuardPoint.
my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \
/file_3.dat /oxf-fs1/gp1/restored_files/file_3.dat
voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey
Key: name=LDT_AES256_KEY, version=8
sum /oxf-fs1/gp1/restored_files/file_3.dat
39994 1406976
voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
Key: name=LDT_AES256_KEY, version=9