Migrating GuardPoints over NFS from or to an LDT Policy
GuardPoints over NFS can be guarded by policies whose key rules specify CBC keys, CBC-CS1 keys, or a mix of both.
You can migrate to an LDT policy from clear text (no existing policy) or from a standard CTE policy. If the standard policy uses:
- CBC keys: the files are rekeyed during the initial data transformation, when CTE-LDT embeds the LDT metadata at the beginning of each file. To make room for that metadata, CTE-LDT shifts the existing data in each file by 4096 bytes.
- CBC-CS1 keys: the IV attribute that LDT requires is already embedded in the protected files, so CTE-LDT transforms the files in those GuardPoints without shifting the existing data.
Migrating out of an LDT policy in place is not supported, because the existing data was shifted to accommodate the LDT metadata. The only supported policy change on an LDT GuardPoint is from a Live Data Transformation policy that uses CBC or CBC-CS1 keys to another Live Data Transformation policy that uses CBC or CBC-CS1 keys. You cannot remove the Live Data Transformation policy from a guarded directory, and you cannot replace a Live Data Transformation policy with a standard CTE policy; the backup-and-restore procedure later in this section is the only way to achieve either. The migration support matrix is shown in the following table.
| Source Policy Type | Target Policy Type | Supported? |
|---|---|---|
| Live Data Transformation using CBC or CBC-CS1 keys | Live Data Transformation using CBC or CBC-CS1 keys | Yes |
| Live Data Transformation | No policy (unguarded directory) | No |
| Live Data Transformation | Standard CTE policy | No |
| Standard policy using CBC or CBC-CS1 keys | Live Data Transformation using CBC or CBC-CS1 keys | Yes |
The only method for moving an NFS GuardPoint from LDT to clear text, or to a standard CTE policy that uses CBC or CBC-CS1 keys, is to back the data up in clear text and restore it:
- Perform a full backup of the files in the NFS GuardPoint in clear text. If the LDT policy contains a security rule for the backup process that omits the Apply Key effect (so that backups read ciphertext), disable that rule before you start; otherwise the backup contains encrypted, shifted data that cannot be restored as clear text.
- When the full backup is complete, unguard the directory on the key manager, then remove the LDT Private Space directory (`ldtprivspace`) from the NFS GuardPoint with the `voradmin ldt rmldt <GuardPoint>` command.
- Remove the remaining files inside the NFS GuardPoint directory and restore the full clear-text backup over it. If you are migrating to a standard CTE policy, you can now re-guard the NFS GuardPoint directory with the standard policy.
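The procedure above, as an added shell example that is not Thales tooling and not part of the original page. It covers the parts that are typed on the host: a clear-text copy of the GuardPoint with a checksum manifest, a completeness check of that copy, a spot check that a known text file really was read with Apply Key in effect, and the `voradmin ldt rmldt` / restore step once the GuardPoint has been unguarded on the key manager. The GuardPoint, backup and manifest paths, the exclusion of `ldtprivspace` by name, the `find -mindepth 1 -delete` call, and the sample files created by `demo_on_sample_tree` are assumptions chosen for illustration; only the `voradmin ldt rmldt <GuardPoint>` command comes from the page.

```shell
#!/bin/sh
# Added example, not Thales tooling: shell helpers for the backup, verify and
# restore steps above. GuardPoint path, backup path, manifest path and the
# sample files in demo_on_sample_tree are assumptions chosen for illustration.
set -eu

# Step 1: copy the GuardPoint contents in clear text and record a SHA-256
# manifest of what was read. Run this as a process the LDT policy grants
# Apply Key; a process without Apply Key copies ciphertext, and the manifest
# cannot detect that because it is computed through the same view.
# The LDT Private Space directory (ldtprivspace) is skipped: it holds LDT
# metadata, not user data, and is removed by voradmin in step 2.
backup_clear_text() {
    gp=$1; dest=$2; manifest=$3
    mkdir -p "$dest"
    ( cd "$gp" && find . -type f ! -path './ldtprivspace/*' -print ) |
    while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$gp/$f" "$dest/$f"
    done
    ( cd "$gp" && find . -type f ! -path './ldtprivspace/*' -exec sha256sum {} + ) |
        LC_ALL=C sort > "$manifest"
}

# Check that a tree is complete and byte-identical to the manifest.
# Returns 0 on success, non-zero if any listed file is missing or differs.
verify_backup() {
    tree=$1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$tree" && sha256sum -c "$manifest" ) >/dev/null 2>&1
}

# Spot check on a file the operator knows is plain text: count bytes that are
# neither printable nor whitespace. Clear text has none; ciphertext has many.
# A failure here means the backup ran without Apply Key and must be redone.
looks_like_clear_text() {
    n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Steps 2 and 3, run only after the backup is verified and the GuardPoint has
# been unguarded on the key manager (that part is done there, not from this
# host). Removes the LDT Private Space, clears the residual (shifted) files,
# restores the clear-text copy and re-verifies the restored tree.
migrate_out_of_ldt() {
    gp=$1; dest=$2; manifest=$3
    verify_backup "$dest" "$manifest" || { echo "backup does not match manifest; aborting" >&2; return 1; }
    voradmin ldt rmldt "$gp"
    find "$gp" -mindepth 1 -delete            # -mindepth/-delete: GNU and BSD find
    ( cd "$dest" && find . -type f -print ) |
    while IFS= read -r f; do
        mkdir -p "$gp/$(dirname "$f")"
        cp -p "$dest/$f" "$gp/$f"
    done
    verify_backup "$gp" "$manifest"
}

# Exercise step 1 and the checks on a constructed sample tree (no voradmin).
# Returns 0 if the copy verifies, excludes ldtprivspace and reads as text.
demo_on_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/gp/sub" "$tmp/gp/ldtprivspace"
    printf 'payroll record, clear text\n' > "$tmp/gp/a.txt"      # constructed sample
    printf 'nested file\n' > "$tmp/gp/sub/b.txt"                 # constructed sample
    printf 'ldt metadata placeholder' > "$tmp/gp/ldtprivspace/m" # constructed sample
    rc=0
    backup_clear_text "$tmp/gp" "$tmp/bak" "$tmp/bak.sha256" &&
        verify_backup "$tmp/bak" "$tmp/bak.sha256" &&
        [ ! -e "$tmp/bak/ldtprivspace" ] &&
        [ -f "$tmp/bak/sub/b.txt" ] &&
        looks_like_clear_text "$tmp/bak/a.txt" || rc=1
    rm -rf "$tmp"
    return $rc
}

# Usage when run directly:  sh ldt_migrate.sh demo
if [ "${1:-}" = demo ]; then
    demo_on_sample_tree && echo "sample backup verified" || echo "sample backup FAILED"
fi
```

The manifest only proves that the restored tree matches what the backup process read; it cannot tell ciphertext from clear text, because a process without Apply Key sees the same bytes on both sides. That is why the spot check on a file of known content is a separate step, and why the Apply Key rule for the backup process must be confirmed before the backup, not after the GuardPoint has been unguarded.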