Dynamic Resource Sets (Inclusion of New Key Rules)
CTE v7.6 and subsequent versions support the inclusion of a new resource set in a new key rule in an LDT policy that is already applied to a GuardPoint. The new key rule allows LDT to launch and rekey the files associated with the resource set. Before inclusion of the key rule, the files associated with the resource set were in clear text. Following is an example of a policy applied to GuardPoint /oxf-fs1/gp1, which includes subdirectories dir1, dir2, dir3, dir4, and dir5.
Applying this policy to /oxf-fs1/gp1 launches a rekey of the files under /oxf-fs1/gp1/dir1 and /oxf-fs1/gp1/dir2 using the specified key, while the remaining files in /oxf-fs1/gp1 remain in clear text. To rekey the files under /oxf-fs1/gp1/dir3 and /oxf-fs1/gp1/dir4, you can update the policy as follows:
Once the updated policy is applied to the GuardPoint, the rekey is launched to encrypt the files associated with /oxf-fs1/gp1/dir3 and /oxf-fs1/gp1/dir4 using the encryption keys LDT-KEY2 and LDT-KEY3, respectively. The remaining files in the GuardPoint remain unchanged.
Temporary Exclusion of files in Dynamic Resource Set
Files associated with resource sets included in the key rules are encrypted with the key specified by the corresponding key rule. Other files are implicitly excluded from rekey. LDT enforces the exclusion property on the files not included for rekey in any key rule. However, the exclusion property is only enforced until a new non-exclusion key rule is added that covers the implicitly excluded files. For example, the following output shows the exclusion property on the file /oxf-fs1/gp1/dir5/foo.txt, which is not included in any key rule of the policy shown in the previous screenshot. As illustrated, the file is temporarily excluded from rekey.
# voradmin ldt attr get /oxf-fs1/gp1/dir5/foo.txt
LDT attributes: rekeyed_size=0, rekey_status=rekey_excluded
Key: name=clear_key, version=none
The exclusion property will be cleared on the file, and the file will be encrypted, once a new key rule with a defined resource set for dir5 is included in the policy.
Conflicts with Resources under Exclusion Key Rules
Adding a new key rule for rekeying a resource set, in a policy that already includes a key rule with the exclusion property, may result in a conflict. For example:
Before adding the second key rule, the effect of the initial rekey is explicit exclusion of all *.txt files and implicit exclusion of other files. For example, /oxf-fs1/gp1/dir1/my_file is temporarily excluded from rekey after the initial rekey:
# voradmin ldt attr get /oxf-fs1/gp1/dir1/my_file
LDT attributes: rekeyed_size=10485760, rekey_status=rekey_excluded
Key: name=clear_key, version=0
The effect of the rekey, after adding the second key rule, is encryption of the files under /oxf-fs1/gp1/dir1 and the exclusion of all *.txt files from the rekey. If the resource set in the second key rule includes files that also belong to the resource set under the first key rule, then all of the *.txt files remain excluded, due to the first key rule. However, other files (non *.txt) are no longer excluded, due to the second key rule. This rekey process encrypts only those files that were implicitly excluded from rekey prior to the addition of the second key rule. For example, inclusion of the second key rule encrypts /oxf-fs1/gp1/dir1/my_file and removes the exclusion property from the file:
# voradmin ldt attr get /oxf-fs1/gp1/dir1/my_file
LDT attributes: rekeyed_size=10485760, rekey_status=none
Key: name=LDT-KEY-1, version=0
Once the exclusion property is removed, the restrictions enforced under the exclusion property will no longer be in effect.
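The two voradmin outputs above (the temporarily excluded file under dir5, and my_file before and after the second key rule) are the evidence an administrator checks to confirm which files a policy update actually rekeyed and which are still held in clear text by the exclusion property. The following script is an added example, not part of the Thales documentation or the CTE product: it walks a GuardPoint, runs voradmin ldt attr get on each file, parses the two-line output format shown on this page, and reports every file as excluded, encrypted or other. The VORADMIN environment variable is an assumption of this example (it lets you point the script at a stand-in command when voradmin is not installed); the output format it parses is the one shown above.

```shell
#!/bin/sh
# Added example (not Thales documentation or product code).
# Summarize LDT rekey status for every file under a GuardPoint by parsing
# the two-line output of "voradmin ldt attr get <file>":
#   LDT attributes: rekeyed_size=<n>, rekey_status=<status>
#   Key: name=<key>, version=<v>
# Assumption: VORADMIN names the command to run (default: voradmin).

# parse_ldt_attr: read attr output on stdin, print "<rekey_status> <key name>".
parse_ldt_attr() {
    status=""
    key=""
    while IFS= read -r line; do
        case "$line" in
            "LDT attributes:"*)
                status=$(printf '%s\n' "$line" | sed -n 's/.*rekey_status=\([^,[:space:]]*\).*/\1/p') ;;
            "Key:"*)
                key=$(printf '%s\n' "$line" | sed -n 's/.*name=\([^,[:space:]]*\).*/\1/p') ;;
        esac
    done
    printf '%s %s\n' "${status:-unknown}" "${key:-unknown}"
}

# classify_file: "excluded" when the exclusion property still holds the file in
# clear text, "encrypted" when a real key (not clear_key) is applied, else "other".
classify_file() {
    path=$1
    set -- $("${VORADMIN:-voradmin}" ldt attr get "$path" | parse_ldt_attr)
    status=${1:-unknown}
    key=${2:-unknown}
    if [ "$status" = "rekey_excluded" ]; then
        echo excluded
    elif [ "$key" != "clear_key" ] && [ "$key" != "unknown" ]; then
        echo encrypted
    else
        echo other
    fi
}

# audit_guardpoint: print "<class> <path>" for every regular file under the GuardPoint.
audit_guardpoint() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_file "$f")" "$f"
    done
}

# summarize_audit: count files per class from audit_guardpoint output on stdin.
summarize_audit() {
    awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone use: ./ldt_audit.sh /oxf-fs1/gp1
if [ -n "$1" ]; then
    audit_guardpoint "$1" | tee /dev/stderr | summarize_audit
fi
```

After a policy update that adds a key rule for a resource set, piping the audit through grep '^excluded ' lists the files still in clear text; any file you expected the new key rule to cover that still shows rekey_excluded is either held by an existing exclusion key rule (the *.txt conflict described above) or was never matched by the new resource set.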
Renaming files can also result in conflicts. For example, relocating /oxf-fs1/gp1/dir1/foo.txt to another path breaks the association of foo.txt with /dir1. After the move, only the resource set under the first key rule re-enforces the exclusion property on the file.
Note
Avoid key rules, or file operations, that may result in conflicts in enforcement of the exclusion property or breaking the association of the files with the intended resource sets.
Limitations with Dynamic Resource Sets
- Users cannot change the order of the rule, or the encryption key, applied to a file.
- Inclusion of a dynamic resource set may clear the exclusion flag on files shared between the exclusion key rule and the dynamic resource set.
- Files which are present in the excluded resource set, if moved to a directory which is encrypted, will be encrypted on the next policy push (either the next key rotation or any update made to the policy or policy elements).
- Support for dynamic resource sets does not include GuardPoints over NFS.