Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
      - Silent Installation Using the exe File
      - Silent Installation Using the MSI File
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
      - Using STA for Multifactor Authentication for CTE GuardPoints
      - Using Okta for Multifactor Authentication for CTE GuardPoints
      - Using Keycloak for Multifactor Authentication for CTE GuardPoints
      - Using Cisco DUO for Multifactor Authentication for CTE GuardPoints
      - Using Microsoft Azure Entra ID Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Keys in LDT (Versioned Keys)
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
      - General Best Practices for QoS
      - Select and Set Rekey I/O Rate
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
      - Renaming Directories on Linux
      - Caveats
      - Example
      - Considerations
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
      - CTE Windows Deployment for LDT AccessOnly nodes
      - Configuring LDT for CIFS shares Mapped to Multiple IP addresses
    - Policy and GuardPoint Management
      - Creating a GuardPoint on a CIFS Share Drive on CipherTrust Manager
      - Pausing and Resuming LDT per host and per GuardPoint
      - Migrating GuardPoints over NFS from or to an LDT Policy
      - Multiple GuardPoint Pathnames
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Designation of Primary role and Primary Set in an LDT GuardPoint Group

The first host that enables a GuardPoint over NFS/CIFS share is designated as the primary host for the LDT GuardPoint Group. The primary role designation persists until the GuardPoint is disabled on the primary host or the primary host crashes. Designation of another CTE host for the primary role is the result of the old primary crashing, or disabling the GuardPoint. Another member of the LDT GuardPoint Group will be elected to assume the primary role for the LDT GuardPoint Group.

A secondary host is not a proper candidate for promotion to primary role if any of the following conditions exist for the GuardPoint on the secondary host:

The NAS share is mounted as read-only on the CTE host
The CTE host has not received the latest policy information from CipherTrust Manager
The latest key version available to the CTE host is not the most recent key version available to other members of the LDT GuardPoint Group

The read-only access to the GuardPoint directory restricts the designated host from performing LDT operations. LDT operations require read and write access to the NAS share.

The second and third conditions are most likely a transient communication failure between CipherTrust Manager and the designated CTE host. Once the communication issue between CipherTrust Manager and the CTE host is resolved, the CTE host will be updated with the most recent policy information, and it will accept subsequent designations for promotion to primary role.

In addition to the previous conditions, is usually the result of IO or networking issues between CTE host and the NAS share. If this occurs, disable the CTE host and remove it from the LDT GuardPoint Group. Removal of the CTE host triggers election of another CTE host for the primary role. If you are unable to disable the GuardPoint on the CTE host, you must reboot the host, and then remove the host from the LDT GuardPoint Group using the voradmin ldt group remove command.

The Designated Primary Set (DPS) contains a list of CTE hosts from which a primary role can be chosen by the LDT/LGS service. CipherTrust Manager administrators can create a DPS by choosing the hosts from the CTE client groups membership that can be promoted to the primary role. Thales recommends that CTE administrators inform the CipherTrust Manager administrator of their choice for DSP membership. The CipherTrust Manager administrator can update DPS as needed. The selected clients should be systems with sufficient resources that can sustain production workloads and the load from rekeying GuardPoints on the primary host. Note that the first CTE client enabling a GuardPoint assumes the primary role for that GuardPoint, regardless of the membership of the client to DPS. Election of another CTE host for promotion to primary role will be a member of the DPS, unless none of the members of the DPS has the GuardPoint enabled. In such a case, one of the members of the LDT GuardPoint Group on which the GuardPoint is enabled will be promoted to the primary role.

A Designated Primary Set (DPS) is created and assigned to a single LDT GuardPoint Group within a LDT GuardPoint Group. With the DPS assigned to a GuardPoint, the election of a new client for the primary role will be from the DPS.

In a Linux environment with a mix of clients from the client group and individual clients guarding the same NAS share, if you guard the NAS share on an individual client first, and later guard it through the client group, the individual client that guarded first is the primary client for the GuardPoint group.

Recommendations for selecting members for DPS

Only select server class systems capable of carrying out the rekey load without interruptions as the result of frequent reboots. Do not select transient hosts, such as a laptop.
Avoid disabling GuardPoints on primary host as much as possible. Disabling GuardPoints on the primary client triggers election of another member from DPS.
Minimize selecting the same preferred primary for multiple GuardPoints for better load distribution unless the primary host can carry out the LDT load.

Limitations

A Designated Primary Set is fully enforced when all members the client group are DPS-capable.
If a client group with DPS enabled has non-DPS capable members, the GuardPoints will not be pushed to the non-DPS capable clients.
Insufficient systems could cause slower rekey rates.

Configuration

When configuring a Designated Primary Set:

You can only choose clients from the client group membership as the designated primary client.
You must guard the NAS share on the client group first.

This Designated Primary Set feature is supported with CipherTrust Manager and CTE agents installed with:

Software	Minimum Version
CipherTrust Transparent Encryption	7.7
CipherTrust Manager	2.17

Prerequisites

Be sure to have completed the following configuration steps for guarding a share on your clients before creating a Designated Primary Set:

Configure a CIFS/SMB connection if your CTE clients are Windows clients.
Create an LDT Communication Group. See Managing LDT Communication Groups to create LDT Communication Groups.
Create an LDT Client Group. See Managing Client Groups to create Client Groups.

Note

Modifications made to a Designated Primary Set list are updated/pushed to the members of the client group associated with the DPS.
A Designated Primary Set (DPS) is fully enforced when all members of the client group are DPS-capable CTE agents. This means that the clients must be agents installed with CTE 7.7.0 or subsequent versions. If any member of the client group enabled with DPS is a non-DPS capable client, the GuardPoint will not be pushed to non-DPS capable clients.

Creating a Designated Primary Set

In CipherTrust Manager, click Transparent Encryption > Clients > Client Groups.
Click the desired client group name.
Select the Designated Primary Set tab.

It displays the list of Designated Primary Sets. Expand the desired Designated Primary Set to see its details.
Click Create Designated Primary Set.
In the General Info screen, provide a name for the Designated Primary Set and select an LDT Communication Group. Click Next.
In the Add Clients screen, select, or search for, the clients for the primary set.
Note
- A Designated Primary Set must contain at least one client.
- Add two or more clients to the Designated Primary Set to have available clients in DPS for election to the primary role in the case of LDT primary promotion.
- During the promotion process, if a GuardPoint is not enabled on any members of the DPS, another client of LDT GuardPoint Group that is not a member of the DPS will be promoted to the primary role. As such, it is a best practice to select multiple clients for the Designated Primary Set for each GuardPoint.
- Select/un-select designated primaries only when guarding NFS/CIFS shares in a client group.
In the Confirmation screen, review the details of Designated Primary Set.
Click Create. The screen displays a message indicating whether the Designated Primary Set was created successfully.
Click Close to close the screen. The Designated Primary Set displays in the Designated Primary Set tab.
After you have created a Designated Primary Set for a client group, you can create a corresponding LDT GuardPoint for it.
- See Creating LDT GuardPoints on SMB/NFS Paths for detailed instructions.

Adding New Clients to a Designated Primary Set

To add new clients to an existing Designated Primary Set:

Under Clients > Client Groups, click the desired client group name.
Select the Designated Primary Set tab.
Expand the desired Designated Primary Set.
Click Add Clients.
Select the checkboxes for the desired client names.
Click Add.

Changing the Designated Primary Set Associated with a GuardPoint

You must modify the Designated Primary Set associated with a GuardPoint, after the GuardPoint is created.

To change the Designated Primary Set associated with a GuardPoint:

Open the Transparent Encryption application.
Click the client group name in the Client Group Name column.
On the GuardPoints tab, click the ellipsis corresponding to the desired GuardPoint.
Click View/Edit. The Edit GuardPoint dialog box is displayed.
In the Designated Primary Set drop-down list, select a different .
Click Save.

The GuardPoint is updated successfully with the new Designated Primary Set.

Validating the Designated Primary Set

In CipherTrust Transparent Encryption, you can get the list of designated primary nodes for the guard path if you have configured a Designated Primary Set.

To get the list, type:
```
voradmin ldt group get_dp <guard path>
```
Example
```
voradmin ldt group get_dp /test/nov25
```
Response
```
LDT GuardPoint Primary: 192.68.34.54
LDT GuardPoint Designated Primary List: 192.68.34.53,192.68.34.54
```
Note

If the DPS is not configured and you type the command to get the list, the response looks similar to the following:

LDT GuardPoint Primary: 192.168.34.54
LDT GuardPoint Designated Primaries: N/A