Guarding an IDT-Capable Device on Linux
In order to guard an IDT-Capable device, you need to:
-
Make sure the devices you intend to guard meet the requirements for IDT-Capable GuardPoints. For details, see Requirements for IDT-Capable GuardPoints.
-
Install the CTE Agent and register the host with the Key Manager if it is not already registered. IDT does not require any special registration options or licenses.
-
Initialize the device using the
voradmin idt config [new|xform]command to specify whether there is any existing data on this device that needs to be encrypted and to configure the location of the CTE Private Region. For details, see Initializing an IDT-Capable Device. -
Log on to the Key Manager to apply an IDT-Capable GuardPoint to the device. For details, see Guard the Linux Device with an IDT-Capable GuardPoint.
Warning
For devices with shared access across multiple CTE Protected hosts in a cluster, you must designate one and only one of the nodes in the cluster as the node on which you plan to initialize and guard the device for the first time. The designated node must be the only one that accesses the device until the entire initial data transformation process has completed. This requires guarding each shared device at the designated host level rather than at the host group level if you are using a host group to manage the CTE Protected nodes in your cluster. DO NOT initialize or guard any device on multiple nodes in the cluster simultaneously, because multiple nodes attempting to transform the same data can corrupt the data on the entire device.
