CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool
You can make a file system snapshot using a Logical Volume Manager service or mirroring/splitting storage level LUNs of a file system inside the storage subsystem. CTE-LDT does not have requirements for where and how you create a file system snapshot. However, it is required that you suspend CTE-LDT processes before you take the file system snapshot. Suspending CTE-LDT ensures data and metadata consistency between files and CTE-LDT extended attributes.
You may choose to suspend CTE-LDT manually on the managed host using voradmin ldt suspend command or fsfreeze -f, or suspend CTE-LDT on the CipherTrust Manager.
Note
Be aware that suspending CTE-LDT on the CipherTrust Manager suspends CTE-LDT on the entire host.
After creating a file system snapshot, you can resume CTE-LDT processes on the GuardPoint using voradmin ldt resume, or fsfreeze -u, or resuming CTE-LDT on the CipherTrust Manager. Do not mix the use of fsfreeze and voradmin ldt suspend to pause and resume CTE-LDT. CTE suspends or resumes CTE-LDT processes during live transformation when freezing or unfreezing GuardPoint access using fsfreeze -f or -u option.
Note
You can make sure CTE-LDT is suspended at backup time by setting the QoS schedule
You can mount a file system snapshot for data recovery. Configuration for GuardPoints must be duplicated over the mount point of the snapshot file system. Make sure to use the same CTE-LDT policy. Enabling GuardPoints over or under the snapshot mount point provides access to the protected files for recovery. You can choose to manually resume key rotation on the GuardPoints of the snapshot file system, although this is not necessary.
Following is an example of the fsfreeze command used to freeze access to the file system /oxf-fs1 in order to create a snapshot of the file system device. This examples illustrates three GuardPoints enabled inside the file system namespace, /oxf-fs1/gp-1, /oxf-fs1/gp-2, and /oxf-fs1/gp-3. Executing the command fsfreeze -f targets any of the GuardPoints in the /oxf-fs1 mount point and suspends CTE-LDT processes on all of the GuardPoints. Then it freezes access to the file system.
fsfreeze -f /oxf-fs1/gp-1
voradmin ldt list all
MDS_1: type=file, nguards=1, name=/oxf-fs1/gp-3/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING SUSPENDED (vadm), flags=GP LOCKED, gp=/oxf-fs1/gp-3
File List: count 4308
MDS_2: type=file, nguards=1, name=/oxf-fs1/gp-2/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-2
File List: count 4308
MDS_3: type=file, nguards=1, name=/oxf-fs1/gp-1/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING SUSPENDED (vadm), flags=GP LOCKED, gp=/oxf-fs1/gp-1
File List: count 4308
After the file system snapshot is created, executing the fsfreeze -u command on any of the GuardPoints in the file system namespace unfreezes access to the file system and resumes CTE-LDT processes on all of the GuardPoints.
fsfreeze -u /oxf-fs1/gp-1
voradmin ldt list all
MDS_1: type=file, nguards=1, name=/oxf-fs1/gp-3/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-3
File List: count 4308
MDS_2: type=file, nguards=1, name=/oxf-fs1/gp-2/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-2
File List: count 4308
MDS_3: type=file, nguards=1, name=/oxf-fs1/gp-1/__vorm_mds__
Guard Table: version 1 nentries 1
Guard 0: type=GP, state=REKEYING DIRTY, flags=GP LOCKED, gp=/oxf-fs1/gp-1
File List: count 4308
Support for Volume Level Snapshots on NAS Shares with LDT on Linux
CTE supports volume level snapshot capabilities of NAS shares. You may choose to enable the snapshot service on an LDT-protected GuardPoint as long as the GuardPoint is enabled before the snapshot service is activated. Note that the snapshot service is deactivated before the GuardPoint is disabled. Keeping the snapshot service active when the GuardPoint is not enabled may result in data corruption or inconsistent LDT metadata at file or GuardPoint levels.
