Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation and Registration on Linux with UEFI
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Keys in LDT (Versioned Keys)
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies or converting a Standard Policy to an LDT Policy
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
    - Policy and GuardPoint Management
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service for LDT CIFS/NFS GuardPoints
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Creating LDT Policies or converting a Standard Policy to an LDT Policy

LDT uses a single Live Data Transformation encryption policy to address both data transformation and ongoing protection. In contrast, if you do not use LDT, you need a separate policy for initial data transformation, or rekey, and another policy to protect the data while it is in production use. For more information about LDT policies, see LDT Policies.

To create an Live Data Transformation encryption policy:

In a web browser, navigate to the URL of the CipherTrust Manager you want to use and log in with CipherTrust Manager Administrator credentials.
If the client you want to protect is registered to the default domain (root), proceed to the next step. If you need to change to a different domain, do the following:
1. In the top menu bar, click the domain/user name (default: root/admin) on the right-hand side.
2. Select Switch Domains, then select the domain in which the client is registered.
3. The logged in user now shows the new domain name/user name.
In the CipherTrust Manager Applications Page, open the CTE application.
In the left-hand menu bar on the Clients page, click Policies.
Click Create Policy. CipherTrust Manager displays the Create Policy Wizard.

On the General Info page, set the following options:

Field	Description
Name	A unique name for the policy. Make sure you use a name that is descriptive and easy to remember so that you can find it quickly when you want to associate it with a GuardPoint. For example: LDT-Policy-West
Policy Type	Select Live Data Transformation.
Description	A user-defined description to help you identify the policy later. For example: LDT policy for the West Coast Datacenter.
Learn Mode	Learn Mode provides a temporary method for disabling the blocking behavior of CTE/LDT policies. While useful for quality assurance, troubleshooting, and mitigating deployment risk, Learn Mode is not intended to be enabled permanently for a policy in production. This prevents the policy Deny rules from functioning as designed in the policy rule set. Ensure that the policy is properly configured for use in Learn Mode. Any Security Rule that contains a Deny effect must have Apply Key applied as well. This is to prevent data from being written in mixed states, resulting in the loss of access or data corruption. Apply Key will have no effect when combined with a Deny rule unless the policy is in Learn Mode.

Click Next.
On the Security Rules page, define the security rules you want to use.

CipherTrust Manager automatically adds a default security access rule with an action of key_op and the effects Permit and Apply Key. This rule permits key operations on all resources, without denying user or application access to resources. This allows it to perform a rekey operation whenever the encryption key rotates to a new version. This rule is required by LDT, so you cannot edit it, move it, or delete it.

To add additional security rules, click Create Security Rule and enter the requested information. If you want to grant user and application access to files at all times, including during initial LDT and subsequent key rotations, add a security rule with the action all_ops and the effects Permit and Audit.

On the Create Key Rule page, click Create Key Rule and enter the following information:

Field	Description
Resource Set	If you want to select a resource set for this key rule, click Select and either choose an existing resource set or create a new one. Resource sets let you specify which directories or files will either be encrypted with the key or will be excluded from encryption with this key.
Current Key Name	Click Select to choose an existing key or create a new one. Current key is the key applied to data that you want to protect using LDT. This is either a non-versioned key from a standard policy or a clear_key. You must use clear_key when data is not currently encrypted. When migrating a standard policy to LDT, you must enter the encryption key from the key rule of the standard policy, as the current key of LDT policy.
Transformation Key Name	Click Select to choose an existing versioned key or to create a new one. Transformation key is the versioned key that LDT applies to transform the data. For the initial transformation, the data is transformed from the Current key, to the Transformation key. If the data is currently encrypted, CTE decrypts it using the key specified in the Current Key Name field and re-encrypts it using the key specified in this field. When rotating the Transformation key, LDT transforms the data from a previous version of the transformation key to a new version.

Note

LDT now supports dynamic resource sets. This means that you can alter the resource set, and the policy will pick up the changed resource set and apply it. However, make sure that you do not mix encryption keys in your edited resource set. This will cause corruption.

When you are done specifying key rules, click Next.

On the Confirmation page, review the information you entered and click Save when you are ready to save the policy.

The following example shows a simple LDT policy that encrypts clear-text files using a versioned key named LDT-Key-1. The key_op and all_ops actions in the Security Rules panel grant user and application access to files at all times, including during initial LDT and subsequent key rotations.

Security Rule Ordering for Polices

If you want to enforce restrictions when guarding NFS/CIFS shares using an LDT or standard policy with a CBC-CS1 key, note the following:

CipherTrust Transparent Encryption embeds the LDT and/or IV (initialization vector) attributes in the first 4K of files for NFS/CIFS shares guarded with an LDT or standard policy with a CBC-CS1 key. Embedding CipherTrust Transparent Encryption attributes increases the actual file size by 4K. CTE hides that extra 4K when reporting the file size to users, or processes, that access the file with the Apply Key effect.

If you need the actual file size, or read/write access on the embedded header, for backup/restore processes for example, then you need a rule that permits access without Apply Key.

LDT Policies

Example 1: Permits Backup and Restore

A policy that allows backup and restore of encrypted data, clear-text access to certain processes, and denies access to all others:

Rule	Purpose
1	Default LDT rule required for LDT policies.
2	Allows for processes in the backup Process Set to access the real file size and backup the CipherTrust Transparent Encryption attributes along with the encrypted file data.
3	Allows for processes in the authorized-processes Process Set to access the clear-text data, but it hides the additional 4K from the CipherTrust Transparent Encryption attribute.
4	Denies all other processes access to the data.

Example 2: Permits access to certain Processes

A policy that only allows certain processes clear-text access but allows all others to see the OS file attributes.

Rule	Purpose
1	Default LDT rule required for LDT policies.
2	Allows for processes in the authorized-processes Process Set to access the clear-text data.
3	Allows for processes not in the authorized-processes Process Set to read the OS file and directory attributes. Note: Processes that match this rule obtain the file size with the 4K header. If a process that is not in the authorized-processes Process Set needs the file size without the header, then the Apply Key must be present in the Effect or you will need an additional rule granting Apply Key to that specific process. That rule must be defined before this rule.
4	Denies processes not in the authorized-processes Process Set from reading any data from the files.

Standard Policies

Example 1: Permits access to certain Processes

A policy that allows backup and restore of encrypted data, clear-text access to certain processes, and denies access to all others:

Rule	Purpose
1	Allows for processes in the backup Process Set to access the real file size and backup the CipherTrust Transparent Encryption attributes along with the encrypted file data.
2	Allows for processes in the authorized-processes Process Set to access the clear-text data, but it hides the additional 4K from the CipherTrust Transparent Encryption attribute.
3	Denies all other processes access to the data.

Example 2: Permits access to certain Processes

A policy that only allows certain processes clear-text access but allows all others to see the OS file attributes.

Rule	Purpose
1	Allows for processes in the authorized-processes Process Set to access the clear-text data.
2	Allows for processes not in the authorized-processes Process Set to read the OS file and directory attributes. Note: Processes that match this rule obtain the file size with the 4K header. If a process that is not in the authorized-processes Process Set needs the file size without the header, then the Apply Key must be present in the Effect or you will need an additional rule granting Apply Key to that specific process. That rule must be defined before this rule.
3	Denies processes not in the authorized-processes Process Set from reading any data from the files.

For more information, see Adding Security Rules in the CipherTrust Manager documentation.

Using Auto Mount with LDT Policies

Auto Mount is supported with LDT policies, with CBC/CBS-CS1 keys, on both NFS and local file systems. It is an option provided for guarding a GuardPoint. When selected, it enables automatic guarding of the GuardPoint when accessed, rather than immediately after policy deployment.

Configuring and Guarding an Automount GuardPoint

Add this newly created directory as a GuardPoint on CipherTrust Manager using an LDT policy. A GuardPoint configured with a LDT policy using auto mount must use GuardPoint type: Auto Directory. The Auto Mount option is not supported with GuardPoint type: manual. When you select GuardPoint type: Auto Directory in a LDT policy, the Auto Mount option displays.

Note

For GuardPoint type: Auto raw, see File System Mount Points on Linux.
Once the GuardPoint displays on the agent, mount the device on the GuardPoint. This should trigger guarding.

Verify that the GuardPoint has been enabled, that the policy is in effect, and rekey is in progress.

voradmin ldt attr get /nfs-oxf-fs1/gp

Example

LDT stats: version=7, rekey_status=rekeyed
Number of times rekeyed:                1 time
Rekey start time:                       2025/03/27 07:05:19
Last rekey completion time:             2025/03/27 07:05:19
Estimated rekey completion time:        N/A
Policy key version:                     21
Pushed Policy key version:              21
Policy ID:
        6a4b49bd-6f34-4646-ae95-8e60e2824ff6
Data stats:
        total=0.0MB, rekeyed=0.0MB
        truncated=0.0MB, sparse=0.0MB
File stats:
        total=0, rekeyed=0, failed=0
        passed=0, skipped=0, created=0, removed=0, excluded=0

Verify that all files are rekeyed to completion as per policy key rules.

 voradmin ldt attr get /nfs-oxf-fs1/gp

Example

LDT stats: version=7, rekey_status=rekeyed
Number of times rekeyed:                2 times
Rekey start time:                       2025/03/27 07:21:52
Last rekey completion time:             2025/03/27 07:22:14
Estimated rekey completion time:        N/A
Policy key version:                     22
Pushed Policy key version:              22
Policy ID:
        6a4b49bd-6f34-4646-ae95-8e60e2824ff6
Data stats:
        total=1.0GB, rekeyed=1024.0MB
        truncated=0.0MB, sparse=0.0MB
File stats:
        total=1, rekeyed=1, failed=0
        passed=0, skipped=0, created=0, removed=0, excluded=0

Unmount. The unmount should trigger an unguard of the GuardPoint, the way it does for regular auto mount GuardPoints.

Note

Manually unmounting displays a busy error. This is the expected behavior, as the unguard operation is in progress. Once unguard completes, the mount point is unmounted automatically.

Example
```
umount /nfs-oxf-fs1/gp
```
Response
```
umount: /nfs-oxf-fs1/gp: target is busy.
```

Behavior of Auto Mount GuardPoints

After you push a policy on a CTE agent, if you check the status, you'll find that the auto mount GuardPoint is not yet guarded because the guard operation is not yet triggered:

secfsd -status guard

Response

GuardPoint      Policy                  Type        ConfigState Status Reason
------------------------------------------------------------------------------
/nfs-oxf-fs1/gp VMFSODT40-AUTOMOUNT-POL auto mount guarded not guarded Not auto-mounted

In the CTE CLI, Auto Mount is controlled by autofs. When autofs is enabled, accessing the GuardPoint triggers the guard operation.

Example

ls /nfs-oxf-fs1/test

secfsd -status guard

Response

${gp} Policy Type ConfigState Status Reason
------ ---- ----------- ------ ------
/nfs-oxf-fs1/gp VMFSODT40-AUTOMOUNT-POL auto mount guarded guarded N/A

Note

When adding the auto mount GuardPoint, the mount point should be unmounted. If the mount point is mounted with auto mount, then you must manually unmount the mount point so that the next time the mount point is accessed, secfsd will guard the GuardPoint.

Running Recovery on Automount GuardPoint with LDT policy

When a system crashes during an active rekey operation, the GuardPoint may enter a state that requires recovery.

secfsd -status guard

Response

GuardPoint       Policy                   Type       ConfigState  Status       Reason
----------       ------                   ----       -----------  ------       ------
/nfs-oxf-fs1/gp  VMFSODT40-AUTOMOUNT-POL  automount  unguarded    not guarded  GuardPoint needs LDT recovery

The GuardPoint is not guarded, displays the GuardPoint status, and aborts the guard operation, while leaving the mount point mounted. This enables the admin to manually run the voradmin ldt recover command.

voradmin ldt recover /nfs-oxf-fs1/gp

Response

Enter YES to disregard failures in LDT recovery as the result of inconsistencies in underlying file system -> YES
/nfs-oxf-fs1/gp - recovered without failure(s) - status 1
/nfs-oxf-fs1/gp - GuardPoint rkea flags 10032
Unmounted Automount GuardPoint /nfs-oxf-fs1/gp

After recovery, the auto mount mount point is unmounted, and the admin is prompted accordingly.

Collecting Agent Information

Do not use voradmin ldt list all with the -force-mount option. This could create more issues.
Change the GuardPoint type from automount to manual to enable the GuardPoint and collect the Agent information.

Limitations

CTE does not support nested GuardPoints with auto mount enabled
Auto mount with LDT policies only supports auto-fs mount points.
The GuardPoint path must be at the same level as the mount point when enabling auto mount on an autofs mount point. This ensures that auto mount unguards when the autofs mount point times out. If the GuardPoint path is set at any level deeper than the configured autofs mount point, the autofs mount point will never timeout because the GuardPoint will continue to keep the mount point in a busy state.
CTE does not remove the shadow directory created after unmount.
CTE does not support auto-fs configured using direct mount with an LDT policy.
CTE does not support systemd automount with an LDT policy.

Suggest A Change

Creating LDT Policies or converting a Standard Policy to an LDT Policy

Security Rule Ordering for Polices

LDT Policies

Example 1: Permits Backup and Restore

Example 2: Permits access to certain Processes

Standard Policies

Example 1: Permits access to certain Processes

Example 2: Permits access to certain Processes

Using Auto Mount with LDT Policies

Configuring and Guarding an Automount GuardPoint

Behavior of Auto Mount GuardPoints

Running Recovery on Automount GuardPoint with LDT policy

Collecting Agent Information

Limitations

On this page