Creating a CTE-LDT GuardPoint
After you have installed the license and registered the CTE-LDT host (see Installing CTE-LDT), you can create a CTE-LDT GuardPoint on the host. When you create the CTE-LDT GuardPoint, you select a Live Data Transformation policy and apply that policy with its transformation keys to that GuardPoint. CTE automatically gets the Quality of Service settings from the associated Client Profile in CipherTrust Manager.
This section describes two scenarios:
- Creating a CTE-LDT GuardPoint for an Unguarded Directory
- Converting a Non-CTE-LDT GuardPoint to a CTE-LDT GuardPoint
Creating a CTE-LDT GuardPoint for an Unguarded Directory
To create a CTE-LDT GuardPoint on what was previously an unprotected/unguarded directory:
- Create a Live Data Transformation policy that transforms data from clear text to a versioned key. In the policy, set Current Key to clear_key and Transformation Key to the versioned key. For details, see Creating CTE-LDT Policies.
- Set, or modify, the Quality of Service (QoS) parameters in the Client Profile associated with the CTE client to account for CTE-LDT on all GuardPoints on this client. For details, see Quality of Service.
- In the CipherTrust Manager Applications page, select the CTE application.
- In the Clients table, click the name of the client you want to protect.
- Above the GuardPoints table, click Create GuardPoint.
- In the Create GuardPoint page:
  - In the Policy field, select the CTE-LDT policy you created earlier.
  - In the Type field, select the type of device. For CTE-LDT, you can select Auto Directory or Manual Directory.
  - In the Path field, enter the directories you want to protect with this policy, or click Browse to select them from a Windows-style explorer. If you want to enter multiple paths, put each path on its own line.
  - Keep the Preserve Sparse Regions option selected if you want CTE to ignore sparse regions during data transformation.
    A sparse region is a region within the file size that has not yet been written to and is therefore not allocated any disk blocks. Any attempt to read a sparse region returns a stream of zeros as data. A file may have one or more sparse regions, or an entire file may be sparse.
    If you select Preserve Sparse Regions, CTE-LDT detects and skips transforming sparse regions, so it does not change the number of blocks used in the file system. This is the default.
    If you disable Preserve Sparse Regions, CTE-LDT transforms a file without checking for or skipping sparse regions, if any exist. Consequently, as CTE-LDT operations transform the sparse regions and fill them with an encrypted stream of zeros, those regions are allocated disk blocks. This increases the number of disk blocks used in the file system.
  - Click Create.
  - If you want to use the same policy and GuardPoint type on another path, click Yes when prompted. Otherwise, click No.
    The CipherTrust Manager pushes the GuardPoint configuration to the client, and CTE immediately begins transforming the data in the specified folders from clear text to cipher text.
- When the data transformation has finished, applications can resume accessing the now-protected data.
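The Preserve Sparse Regions option above turns on exactly the kind of hole detection shown here. The following Python script is an added illustration and is not code from Thales or from CipherTrust Transparent Encryption: it builds a small constructed sparse file, maps its data regions and holes with the POSIX SEEK_DATA/SEEK_HOLE lseek modes, and then produces two transformed copies, one that skips the holes (the Preserve Sparse Regions behaviour) and one that rewrites every byte (the option disabled), so the difference in allocated disk blocks can be measured. The byte-wise XOR with a fixed demo key is a stand-in for real encryption, used only so that "encrypted zeros" become non-zero; the file names, the key value and the probe offset are assumptions made for the example.

```python
import errno
import os
import tempfile

# Stand-in transform: XOR every byte with a fixed demo key (an assumption for this
# example, NOT CTE's cipher). It only makes transformed zeros non-zero so that
# block allocation becomes visible.
DEMO_KEY = 0x5A
_XOR_TABLE = bytes(i ^ DEMO_KEY for i in range(256))


def map_regions(path):
    """Return [(kind, start, end), ...] with kind 'data' or 'hole', covering the file.

    On file systems that do not track holes the kernel reports the whole file as
    one data region, which is the "nothing to preserve" case.
    """
    size = os.path.getsize(path)
    if size == 0:
        return []
    if not (hasattr(os, "SEEK_DATA") and hasattr(os, "SEEK_HOLE")):
        return [("data", 0, size)]  # platform cannot report holes; treat as all data
    regions, pos = [], 0
    fd = os.open(path, os.O_RDONLY)
    try:
        while pos < size:
            try:
                data_start = os.lseek(fd, pos, os.SEEK_DATA)
            except OSError as exc:
                if exc.errno == errno.ENXIO:        # no data after pos: trailing hole
                    regions.append(("hole", pos, size))
                    break
                raise
            if data_start > pos:
                regions.append(("hole", pos, data_start))
            data_end = os.lseek(fd, data_start, os.SEEK_HOLE)
            regions.append(("data", data_start, data_end))
            pos = data_end
    finally:
        os.close(fd)
    return regions


def transform_file(src, dst, preserve_sparse):
    """Write a transformed copy of src to dst, skipping holes when preserve_sparse is set."""
    size = os.path.getsize(src)
    if preserve_sparse:
        work = [(s, e) for kind, s, e in map_regions(src) if kind == "data"]
    else:
        work = [(0, size)]                          # touch every byte, holes included
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fout.truncate(size)                         # same logical size; untouched ranges stay holes
        for start, end in work:
            fin.seek(start)
            fout.seek(start)
            remaining = end - start
            while remaining > 0:
                chunk = fin.read(min(remaining, 1 << 20))
                if not chunk:
                    break
                fout.write(chunk.translate(_XOR_TABLE))
                remaining -= len(chunk)


def allocated_bytes(path):
    """Disk space actually allocated to the file (st_blocks is in 512-byte units)."""
    return os.stat(path).st_blocks * 512


def run_demo():
    """Build a constructed sparse file, transform it both ways, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, kept, filled, back = (os.path.join(tmp, n) for n in
                                   ("plain.dat", "kept.dat", "filled.dat", "back.dat"))
        hole_probe = 512 * 1024                     # an offset that lies inside the gap
        with open(src, "wb") as f:
            f.write(b"hello")                       # data at offset 0
            f.seek(1024 * 1024)
            f.write(b"world")                       # data at 1 MiB; the gap is never written
        transform_file(src, kept, preserve_sparse=True)
        transform_file(src, filled, preserve_sparse=False)
        transform_file(kept, back, preserve_sparse=True)   # XOR is its own inverse
        with open(src, "rb") as f:
            original = f.read()
        with open(kept, "rb") as f:
            kept_bytes = f.read()
        with open(filled, "rb") as f:
            filled_bytes = f.read()
        with open(back, "rb") as f:
            back_bytes = f.read()
        return {
            "holes_detected": any(k == "hole" for k, _, _ in map_regions(src)),
            "kept_alloc": allocated_bytes(kept),
            "filled_alloc": allocated_bytes(filled),
            "kept_hole_byte": kept_bytes[hole_probe],
            "filled_hole_byte": filled_bytes[hole_probe],
            "roundtrip_ok": back_bytes == original
                            and filled_bytes.translate(_XOR_TABLE) == original,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run on an ext4, XFS or tmpfs volume, the filled copy reports more allocated bytes than the kept copy and the probe byte inside the gap stays zero only in the kept copy, while both copies transform back to the original. On a file system that does not track holes, the kernel reports the whole file as data, the two copies are identical, and no space is saved, which is also why the option only reduces block usage where the underlying file system supports sparse files.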
Converting a Non-CTE-LDT GuardPoint to a CTE-LDT GuardPoint
After enabling CTE-LDT on a client, you can change a non-LDT GuardPoint to a CTE-LDT GuardPoint. CTE-LDT GuardPoints have the advantage of allowing users to access all files in the GuardPoint while encryption is taking place. There is no downtime for the user except for the time needed to apply the GuardPoint.
- Write a new CTE-LDT policy that transforms data from the non-CTE-LDT/non-versioned key used in the existing GuardPoint to a CTE-LDT versioned key. See Creating CTE-LDT Policies.
- Make sure there is no application activity within the GuardPoint.
  This step is critical. Do not skip it: confirm that no application is accessing the GuardPoint before you continue.
- Remove the current GuardPoint:
  - Open the CTE application and click Clients in the left-hand menu bar.
  - Click the name of the client whose GuardPoint you want to change.
  - Find the GuardPoint you want to change in the GuardPoints table, click the (...) button at the end of the row, and select Remove.
- Guard the directory again using the new CTE-LDT policy. Use the steps in Creating a CTE-LDT GuardPoint for an Unguarded Directory, but choose the policy that starts from the non-versioned/non-LDT key rather than a policy that starts from clear_key.