Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

User Guides
Integrations and Solutions
CTE Use Cases
Release Notes
Patch Notes
Additional Resources
Previous Releases

All

All

Troubleshooting CTE-LDT

Error Messages

Please Note:

User Guides
CTE Agent Quick Start Guide for Linux and Windows
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - Systemd Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Use Cases involving IDT GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
    - Best Practices for the Migration of a legacy Raw Device GuardPoint to an IDT GuardPoint
    - Migration Prerequisites
    - Migration
    - Use Case 4: Using CTE-IDT with LVM
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- CM host registration when switching Agent from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Installing Ransomware Protection
    - Using Ransomware
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to CTE-LDT
  - Overview of CTE-LDT
  - Keys in CTE-LDT (Versioned Keys)
  - CTE-LDT Policies
  - CTE-LDT Runtime Flow
  - CTE-LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using CTE-LDT
  - Backup/Restore
  - Restrictions
- Installing CTE-LDT
  - System Requirements
  - Installing the CTE-LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling CTE-LDT on a Protected Host
- Using CTE-LDT
  - Creating and Viewing Versioned Keys
  - Creating CTE-LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
  - Creating a CTE-LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of CTE-LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets (Inclusion of New Key Rules)
  - Using CTE-LDT with SAP HANA Fibre Channel Systems (Linux Only)
- CTE-LDT Administration
  - CTE-LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for CTE-LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for CTE-LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring CTE-LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - CTE-LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-CTE-LDT Backup Data to an CTE-LDT GuardPoint
    - Using fsfreeze (Linux only)
    - CTE-LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - CTE-LDT Backup and Restore Troubleshooting
  - CTE-LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different CTE-LDT Policy
  - Removing CTE-LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting CTE-LDT Metadata (Linux)
    - Deleting CTE-LDT Metadata (Windows)
    - Removing CTE-LDT from a Host
  - Uninstalling the Agent while CTE-LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using CTE-LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role to a host within an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
    - Policy and GuardPoint Management
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the CTE-LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service
  - Alerts
  - Troubleshooting
- Troubleshooting CTE-LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining CTE-LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing CTE-LDT Operations at the Command Line (Windows only)
  - Protecting CTE-LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume CTE-LDT Operation
    - Insufficient Resources
    - Failed to Update CTE-LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update CTE-LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations

CipherTrust Transparent Encryption Agent
User Guides
CTE Agent Live Data Transformation
Troubleshooting CTE-LDT
Error Messages

Error Messages

This section describes runtime error messages. For information about other types of runtime messages, see Alerts Playbook and Warning and Info Messages .

The alerts are grouped into the following categories:

Failed to Transform File During Rekey
Failure to Suspend CTE-LDT
Failure to Start or Stop Transformation
Failure to Restart Transformation
Failure to Schedule Relaunch
Temporary Failure to Start Transformation on a File
Transient Condition while enabling GuardPoint
Transient Failure to Read LDT Attributes from NFS
Failed to transform passthrough files for AD database files (Windows Only)

Failed to Transform File During Rekey

CTE-LDT could not complete transformation on a file.

Related Messages:

LDT: Rekey failed for file [PathName] on GuardPoint [GuardPoint]
LDT: Extended attribute of inode [InodeNumber] is corrupted under GuardPoint [GuardPoint]

Solution: An I/O error is the most common cause of failure when updating CTE-LDT metadata. For I/O errors, fix the problem at the host OS or storage level, and then restore the file from a backup.

If you cannot find and fix the underlying host OS or storage issue that is causing the error, contact Customer Support for troubleshooting and recovery.

Failure to Suspend CTE-LDT

A request to stop CTE-LDT processing did not succeed. The suspend request was at the host level as part of a QoS schedule, or the suspend request was initiated by a user on the CipherTrust Manager.

Related Messages:

LDT: Failed to suspend rekey on all GuardPoints
LDT operations could not be suspended on the host

Solution: An I/O error is the most common cause of failure when updating the persistent state of a GuardPoint. For I/O errors, fix the problem at the host OS or storage level.

If a backup operation is in progress when this message occurs, you must fix the cause of the suspend failure and then restart the backup. If the backup has already completed when the alert message occurs, the backup image on the GuardPoint may have inconsistent data and CTE-LDT metadata. Discard this backup image and do a fresh backup.

If you cannot find and fix the host OS or storage issue, contact Customer Support for troubleshooting and recovery.

Failure to Start or Stop Transformation

The following general messages are recorded when there are errors attempting to start or stop CTE-LDT:

LDT: Failed to abort key rotation on GuardPoint [GuardPoint]
LDT: Failed to start
LDT: Failed to stop
LDT: Failed to exit

Solution: Examine system logs for additional information as to the cause. If you cannot find and fix the underlying host OS or storage issue that is causing the error, contact Customer Support for troubleshooting and recovery.

Failure to Restart Transformation

The following message is recorded when an attempt to restart transformation after a system reboot fails because the file system is mounted as read-only. Transformation on the specified GuardPoint cannot continue until the file system is mounted with write permission.

LDT: Skipped LDT recovery on read-only file system [GuardPoint]

Solution: Re-mount the file system with write permissions.

Failure to Schedule Relaunch

The following message indicates that a rekey request was sent to a Linux GuardPoint that was already undergoing data transformation, and an error was encountered when CTE-LDT attempted to defer the rekey request until after the current data transformation completes:

LDT: Failed to flag GuardPoint [GuardPoint] for deferred key rotation, error [Error]

Solution: In your key manager, repush the policy to the host.

Temporary Failure to Start Transformation on a File

The following messages are recorded when there are communication issues or lack of resources on the host. Once the condition is corrected, transformation of the file continues automatically:

LDT: Insufficient memory condition encountered during LDT on GuardPoint [GuardPoint]
LDT: Encryption key for file [PathName] unavailable for LDT, possibly due to loss of communication to CipherTrust Manager
LDT: Aborting rekey of file [PathName] due to lack of free memory. Try closing other application to resolve the issue

Solution: Resolve the communication issues or increase the available resources, then verify that CTE-LDT has resumed processing.

Transient Condition while enabling GuardPoint

The following messages are recorded when a request is made to guard an CTE-LDT GuardPoint when GuardPoint initialization is already in progress. During the GuardPoint initialization, the system initializes MDS file associated with the GuardPoint in preparation for CTE-LDT. Initialization of the MDS file can take a few minutes. During this time, if the system retries the guard operation, one of the following messages displays.

Related Messages:

Not re-guarding path [path] (Reason: GuardPoint initialization already in progress)
Not re-guarding path [path] from container [container] (Reason: GuardPoint initialization already in progress)

Solution: Wait for the current GuardPoint initialization to complete and then resubmit the new GuardPoint initialization request if desired.

Transient Failure to Read LDT Attributes from NFS

NFS may incorrectly returns 0’s when reading LDT metadata from files in NFS shares. As CTE-LDT doesn’t expect 0’s returned for LDT attributes, it retries the read operation, and the second operation succeeds and returns valid LDT attribute.

The first read attempt returning 0’s results in the first warning message logged in the system log file as LDT attribute validation fails. However, the second read attempt succeeds and reads valid LDT attribute data, resulting in the second message logged in response to the first message. You can ignore the first warning message if both messages appear together in system log.

Failed to transform passthrough files for AD database files (Windows Only)

CTE-LDT skipped the transformation of passthrough files for all AD database files. The problem occurs when the AD database remains in the default folder location.

Related Messages:

Skipping transformation of passthrough file [filename]. The file resides in the boot directory. CTE cannot encrypt boot directory files.
Skipping transformation of passthrough file [filename]. CTE cannot encrypt these files. They are already encrypted using NTFS encryption or compressed.
Skipping transformation of passthrough file [filename]. File is not in a GuardPoint directory.

Solution: To fix this issue, move the AD database to any folder other than c:\windows or c:\program files.

On this page

CipherTrust Transparent Encryption Agent

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com