Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Backing Up and Restoring CTE-LDT GuardPoints

Restore an Encrypted Backup

search

Please Note:

Restore an Encrypted Backup

Restore a File Fully Rekeyed to the Latest Key Version

Restore a Partially Rekeyed/encrypted File

Restore a File Not Rekeyed/encrypted with an Older Key Version

This section illustrates restoration of the three files from the backup media to the same GuardPoint, /oxf-fs1/gp1. The files are restored to a different directory under the GuardPoint.

Restore a File Fully Rekeyed to the Latest Key Version

Recall that file_1.dat was archived in the backup media when it was fully rekeyed to version 9 of the key. As the current version of the key is also 9, file_1.dat is restored from backup without any changes. After restoring the file, the state of the restored file and its applied and current key versions remain unchanged, as compared to the original file that was backed up.

 my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \ 
/file_1.dat /oxf-fs1/gp1/restored_files/file_1.dat

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_1.dat
  LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

 voradmin ldt attr get /oxf-fs1/gp1/data_files/file_1.dat
  LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

Restore a Partially Rekeyed/encrypted File

Recall that file_2.dat, archived in the backup media, was partially rekeyed between versions 8 and 9. As the current version of the key was 9 at the time of backup, file_2.dat is restored to the GuardPoint with the same version of the key from the time of backup. The file is flagged for lazy rekey, meaning that a background rekey operation is scheduled to transform the file to the latest key version the next time an application tries to access the file.

At the completion of restoration, the file is fully transformed to the key version (v9). The key version is also the latest one in the policy. Although the file is flagged for lazy rekey (LAZY_RK), the file does not need to be transformed to the latest key version because it’s already there. Had the file been partially rekeyed from version 7 to version 8 of the key at the time of backup, the restored file would have completed rekeying to version 8 at the end of the restoration. Therefore, the LAZY_RK flag would initiate a background transformation to update the key version to the latest key version when the file is accessed.

If this file is not accessed by any application, the file remains unchanged in the GuardPoint. It is not transformed to the latest key version. To trigger a rekey, either re-push the CTE-LDT policy from the CipherTrust Manager, or access the file with an application, such as a file explorer.

 my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files/  \ 
file_1.dat /oxf-fs1/gp1/restored_files/file_2.dat

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey
     Key:    name=LDT_AES256_KEY, version=9

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat
 LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

Restore a File Not Rekeyed/encrypted with an Older Key Version

Recall file_3.dat was archived in the backup media when it was keyed to version 8 of the key, one version below the latest version at the time of backup. At completion of the restoration, file_3.dat is restored from backup to the same version, version 8, that it was keyed to when it was backed up.

However, the file is flagged for lazy rekey. After restoring the file, it is keyed to version 8 and flagged for lazy rekey (LAZY_RK). The file is rekeyed to the latest key version, version 9, as soon as an application accesses the file. If this file is not accessed by any application, the file remains unchanged in the GuardPoint.

 my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \ 
/file_3.dat /oxf-fs1/gp1/restored_files/file_3.dat

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey
     Key:    name=LDT_AES256_KEY, version=8

 sum /oxf-fs1/gp1/restored_files/file_3.dat
39994 1406976

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

On this page