Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Excluding Files or Directories from Rekey

About the Exclusion Attribute for Files Matching an Exclusion Key Rule

search

Please Note:

printsuggest an editpdf paneldownload

About the Exclusion Attribute for Files Matching an Exclusion Key Rule

Files matching an exclusion key rule have the status rekey_excluded in the LDT attribute. For more information about LDT attributes, see LDT Metadata in Extended Attributes. To check for the exclusion attribute on a file, see Determining if a File is Included in an Exclusion Key Rule.

copy link to clipboardThe Exclusion Attribute is not Persistent

Exclusion from rekey is no longer a persistent property as of v7.6.0.

See Dynamic Resource Set for more information.

copy link to clipboardDetermining if a File is Included in an Exclusion Key Rule

Use the voradmin ldt attr get <path to file> command to check whether a file is associated with an exclusion key rule.

  • On Linux, an excluded file will include the status rekey_excluded in the voradmin output. For example:

    voradmin ldt attr get /oxf-fs1/gp1/foo.txt
LDT attributes: rekeyed_size=0, rekey_status=rekey_excluded

  • On Windows, an excluded file will include the attribute Rekey Status Excluded in the voradmin output. For example:

    C:\> voradmin ldt attr get c:\gp1\foo.txt
LDT attributes:
Rekey Status Excluded
Initial Rekeyed Size 9 Bytes
Data Transformed 0 Bytes

Key:
Current Key Name/Version (Clear_Key)
New Key Name/Version (Clear_Key)

copy link to clipboardRemoving the Exclusion Attribute From a File

To disassociate a file from an exclusion key rule, you must copy the file to a new file that is not associated with the resource set, or exclusion key rule, of that same source file. You can then remove the original file. The new file is created under the default key rule of whatever policy applies to the new file. Moving or renaming a file does not disassociate a file from an exclusion key rule.

For example, assume the following exclusion key rule where Key_TextFiles is a non-versioned key:

Exclusion Key Rule: Resource set =*.txt, Key = Key_TextFiles

If you copy the file test1.txt to test1.foo, test1.foo is created with whatever key is specified in the policy that matches the new file. The key for the new file could be a non-versioned key, versioned key, clear_key, or, no key at all if the new file is outside of a GuardPoint. The original file test1.txt remains unchanged and encrypted with the Key_TextFiles non-versioned key because the file remains in the exclusion key rule.

copy link to clipboardRename and Restore (Linux)

The effect of rename, or backup/restore operations, involving files associated or excluded with exclusion key rules, is complex. In some cases, the operations to restore, or rename, causes conflicts between the key associated with the source file, and the key associated with the target file. For example, the result of a rename operation involving a source file, not associated with an exclusion key rule, and target file name associated with a resource set of an exclusion key rule is different from the result of the same operation when the target file name is associated with the resource set of an exclusion key rule with clear_key.

Note

Be sure to review the effect of the operations below and avoid administrative operations that cross associations of files across multiple resource sets with conflicting key rules.

copy link to clipboardBackup/Restore

copy link to clipboardRename Operation

On this page