Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Backing Up and Restoring LDT GuardPoints

Restore an Encrypted Backup

search

Please Note:

printsuggest an editpdf paneldownload

Restore an Encrypted Backup

Restore a File Fully Rekeyed to the Latest Key Version

Restore a Partially Rekeyed/encrypted File

Restore a File Not Rekeyed/encrypted with an Older Key Version

This section illustrates restoration of the three files from the backup media to the same GuardPoint, /oxf-fs1/gp1. The files are restored to a different directory under the GuardPoint.

copy link to clipboardRestore a File Fully Rekeyed to the Latest Key Version

Recall that file_1.dat was archived in the backup media when it was fully rekeyed to version 9 of the key. As the current version of the key is also 9, file_1.dat is restored from backup without any changes. After restoring the file, the state of the restored file and its applied and current key versions remain unchanged, as compared to the original file that was backed up.

my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \
/file_1.dat /oxf-fs1/gp1/restored_files/file_1.dat

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_1.dat
  LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

 voradmin ldt attr get /oxf-fs1/gp1/data_files/file_1.dat
  LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

copy link to clipboardRestore a Partially Rekeyed/encrypted File

Recall that file_2.dat, archived in the backup media, was partially rekeyed between versions 8 and 9. As the current version of the key was 9 at the time of backup, file_2.dat is restored to the GuardPoint with the same version of the key from the time of backup. The file is flagged for lazy rekey, meaning that a background rekey operation is scheduled to transform the file to the latest key version the next time an application tries to access the file.

At the completion of restoration, the file is fully transformed to the key version (v9). The key version is also the latest one in the policy. Although the file is flagged for lazy rekey (LAZY_RK), the file does not need to be transformed to the latest key version because it’s already there. Had the file been partially rekeyed from version 7 to version 8 of the key at the time of backup, the restored file would have completed rekeying to version 8 at the end of the restoration. Therefore, the LAZY_RK flag would initiate a background transformation to update the key version to the latest key version when the file is accessed.

If this file is not accessed by any application, the file remains unchanged in the GuardPoint. It is not transformed to the latest key version. To trigger a rekey, access the file with an application, such as a file explorer.

  • Access the file with an application, such as a file explorer.

    my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files/ \ file_1.dat /oxf-fs1/gp1/restored_files/file_2.dat

    voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey Key: name=LDT_AES256_KEY, version=9

    voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_2.dat LDT attributes: rekeyed_size=1440743424, rekey_status=none Key: name=LDT_AES256_KEY, version=9

copy link to clipboardRestore a File Not Rekeyed/encrypted with an Older Key Version

Recall file_3.dat was archived in the backup media when it was keyed to version 8 of the key, one version below the latest version at the time of backup. At completion of the restoration, file_3.dat is restored from backup to the same version, version 8, that it was keyed to when it was backed up.

However, the file is flagged for lazy rekey. After restoring the file, it is keyed to version 8 and flagged for lazy rekey (LAZY_RK). The file is rekeyed to the latest key version, version 9, as soon as an application accesses the file. If this file is not accessed by any application, the file remains unchanged in the GuardPoint.

my_backup --preserve=xattr /backup-media/oxf-fs1/gp1/data_files \
/file_3.dat /oxf-fs1/gp1/restored_files/file_3.dat

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=lazy_rekey
     Key:    name=LDT_AES256_KEY, version=8

 sum /oxf-fs1/gp1/restored_files/file_3.dat
39994 1406976

 voradmin ldt attr get /oxf-fs1/gp1/restored_files/file_3.dat
LDT attributes: rekeyed_size=1440743424, rekey_status=none
     Key:    name=LDT_AES256_KEY, version=9

On this page