Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Introduction to LDT

Overview of LDT

search

Please Note:

printsuggest an editpdf paneldownload

Overview of LDT

CipherTrust Transparent Encryption - Live Data Transformation (LDT) is an optional, separately licensed feature of CipherTrust Transparent Encryption (CTE). With LDT, after enabling a GuardPoint, a Administrator can encrypt, or rekey, GuardPoint data without blocking user or application access to the data. In LDT, rekey means decrypting data with the current cryptographic key and then encrypting it with a new cryptographic key. The concept of rekey, and how LDT rekeys data, is described in this document.

After enabling GuardPoints, LDT performs initial encryption or rekeying in the background, unnoticed by users. The data stays live and available. This accelerates CTE deployments and eliminates the need to block application and user access to data during encryption or rekey operations, which can seriously inconvenience users and affect operational efficiency.

With LDT, the Administrator can create a single LDT policy for both initial encryption and subsequent rekeying. The same policy applies to production access and security rules without restricting user or application access to data. Applications have continuity of access to GuardPoint data during LDT.

Warning

To prevent data loss or corruption, you must stop all applications and users that are accessing files inside a GuardPoint before enabling a Live Data Transformation encryption policy for that GuardPoint. Terminating the applications closes all files that are currently being accessed inside the GuardPoint.
Unlike non-Live Data Transformation policies, however, you do not need to keep the GuardPoint offline while data transformation takes place. Instead, you can restart all applications as soon as the GuardPoint has been applied to the host, and CTE will perform the data encryption in the background. This is the only application service downtime required when using LDT.

Note

While LDT is supported on platforms with SELinux enabled in enforcing mode, you may run into interoperability issues with certain SELinux policies that may be enforcing rules against CTE access. If you experience issues running CTE with SELinux enabled, contact your system administrator for assistance. Thales Technical Support will recommend that you disable or change the mode to permissive mode to rule out SELinux when investigating reported issues.

copy link to clipboardUse Cases

This section provides a summary of typical uses for LDT. The concepts mentioned in this section are described in more detail throughout the rest of this guide.

  1. Encrypt unprotected data.

    When protecting files in a directory, you must encrypt them. This process is called initial data encryption.

  2. Convert non-LDT GuardPoints to LDT GuardPoints.

    Use when you have existing GuardPoints that are protected with policies created before you started using LDT.\

  3. Rekey process.

    Changing the key from one version to another version of the same key provides more security. Using LDT, you can change the encryption keys to more secure keys.

  4. Transform the encrypted data to clear data.

On this page