Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Using LDT

Creating and Viewing Versioned Keys

search

Please Note:

printsuggest an editpdf paneldownload

Creating and Viewing Versioned Keys

For LDT, you create a versioned key that you can add to any number of Live Data Transformation policies. When you add a new key version, CipherTrust Manager pushes the new version to every CTE client that is associated with any of they Live Data Transformation policies that contain that key.

Use the Keys & Access Management application in the CipherTrust Manager Applications Page when creating or viewing versioned keys.

Caution

Make sure that all keys you create for LDT are Symmetric. LDT does not support asymmetric keys.

copy link to clipboardCreating a Versioned Key

  1. Log into the CipherTrust Manager Console as an administrator.

  2. From the Products page in the CipherTrust Manager Console, click Keys in the left hand pane.

    Tip

    To navigate to the Products page from anywhere in the CipherTrust Manager Console, click the App Switcher icon in the top left corner.

  3. Above the Key table, click Create a New Key.

  4. Enter a Key Name so that you will be able to find this key easily when you want to rotate it. For example, LDT-Key-1.

    Note

    • When CipherTrust Manager displays the list of available keys, you cannot filter the list by versioned vs. non-versioned. Therefore, it is especially important to name the key in such a way that you can easily search for it by name.

    • Using a standard naming convention will also help if you want to create an automatic key rotation schedule for all your LDT keys.

  5. In the Key Metadata > Groups for Key sharing section, do the following:

    1. In the Search box, type "cte".

    2. Add CTE Admins and CTE Clients to the key sharing groups by clicking the green Add button. The Key Shared? check box is automatically selected and the Add button changes to a Remove button.

    3. Below the Groups table, click the CTE Key Properties check box.

      CipherTrust Manager displays the following options for CTE keys:

      • CTE Versioned: Specifies that this is a versioned key. Make sure this option is selected.

      • Persistent on Client: Specifies whether the key is stored in persistent memory on the client.

        If this option is selected, the key is downloaded and stored (in an encrypted form) in persistent memory on the client.

        If this option is not selected, the key is downloaded to non-persistent memory on the client. Every time the key is needed, the client retrieves it from the CipherTrust Manager. This is the default setting.

      • Encryption Mode: Encryption mode of the key. Choose one of the following for LDT keys:

        • CBC

        • CBC-CS1

      Encryption using CBC-CS1 keys is known as enhanced encryption. For details, see the CTE Agent for Linux Advanced Configuration and Integration Guide or the CTE Agent for Windows Advanced Configuration and Integration Guide.

    Note

    XTS encryption is not supported for protecting directory-based GuardPoints. Do not select XTS as your encryption mode.

  6. In the Key Behaviors section at the bottom of the page, clear the Prevent this key from being exported check box. If the key cannot be exported, the key will not appear in the keys list when you add the key rule to the policy.

    If want the option to delete this key later on, clear the Prevent this key from being deleted check box. Use caution when deleting keys, as any data encrypted with that key will be inaccessible if you delete the encryption key.

  7. Click Create. The new key appears in the Keys table.

copy link to clipboardViewing Versioned Key Information

  1. Log into the CipherTrust Manager Console as an administrator.

  2. Open the Keys & Access Management application.

  3. Click the Latest Version Only check box to show only one entry for each versioned key.

  4. Find the key in the Keys table.

    Tip

    You can filter the list by key name using wildcard searches. For example, if you know that the key name contains "LDT", you can search for *ldt*. The search is not case sensitive.

    If the Version for a key is 0, then this is the first version of the key and no key rotation has taken place. If the Version is greater than 0, the key has been rotated.

  5. To find all versions of a key, click the name of the key in the Key Name column. CipherTrust Manager displays the ID, version number, state, and date created information for each version of the key.

copy link to clipboardModifying Key Rules

CTE v7.4 (Windows) and CTE v7.6 (Linux), and subsequent versions, allows users to modify the Key Rules while an LDT policy is active and enforced on a client. Users can add new rules and modify the existing rules. The following use case is addressed with this change:

  1. Users can prioritize and plan the encryption of large files inside a GuardPoint.

  2. User can transform the excluded files by adding new Key Rules.

Warning

While making Key Rule changes, you cannot change the order of the rules, or the encryption key rules applied to the file. If the data encryption keys are mismatched, it may result in data corruption.

Note

Dynamic resource sets for CTE Linux are compatible with CipherTrust Manager v2.14 and subsequent versions.

On this page