Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Guarding an IDT-Capable Device on Linux

Initializing an IDT-Capable Device

search

Please Note:

Initializing an IDT-Capable Device

When you initialize an IDT-Capable storage device, the process specifies:

  • Whether there is existing data on the device that needs to be encrypted.

  • Where you want to store the CTE Private Region, which contains the IDT Device Header along with metadata that identifies the IDT-Capable device as a guarded device. You can embed the CTE Private Region on the device itself or in the central CTE metadata directory on the host. (For details, see The CTE Private Region and IDT Device Header.)

How you initialize the device depends on whether it is a new device or an existing device that already has data that needs to be transformed into cipher-text. For details, see:

Initialize a New Linux Device

Run the voradmin idt config new command to initialize a new device. The new option specifies that the device does not hold user data so no initial data transformation is required. For a shared device that is accessed from multiple protected hosts, you must initialize the device only once and on only one protected host.

Note

To configure devices with multiple IO paths for Linux, see Changing the Encryption Key on Linux IDT-Capable Devices.

  1. Log into the device as root.

  2. Run the voradmin idt config [-external] new [-c <n>] <device-name> command, where:

    • -external is an optional parameter that tells CTE you want to use the centralized CTE metadata directory instead of embedding the CTE Private Region on the device itself. If you use this option, you must have configured and guarded the centralized CTE metadata directory as described in CTE Private Region Location.

    • new (required) indicates that the device contains no data (it is a new disk). As soon as you push the IDT policy, the device will be available as a guarded IDT-Capable GuardPoint.

    • -c <n> (optional). If you use this option, CTE sets the number of data transformation jobs to run in parallel to the number specified in <n>. <n> can be an integer between 1 and 60 (default: 8).

      Each data transformation job transforms 1MB worth of data and requires CPU resources in addition to three I/O operations as part of data transformation. Each job reads 1MB of data from the device, preserves the data in the CTE Private Region, rekeys the data to cipher-text, and writes the transformed data to the device. If you increase the number of parallel jobs, the data transformation process will complete faster but there will be an increased performance impact on the system. Only increase the –c option if you are certain that the system resources are available to handle the additional load.

      The value for the -c option you specify here remains in effect for all subsequent data transformations (such as any data rekeys) until you specify a new value.

    • <device-name> (required). Specifies the device name. For example, /dev/sdc2.

    For example, if you want to initialize a new Linux disk named /dev/sdc2 using 10 parallel data transformation jobs with the CTE Private Region embedded on the device, you would specify:

     voradmin idt config new -c 10 /dev/sdc2

    If you want to initialize a new Linux disk named /dev/sdc2 using the default number of parallel data transformations but with the CTE Private Region in the centralized CTE metadata directory, you would specify:

     voradmin idt config -external new /dev/sdc2

  3. To verify that the disk has been initialized, run the voradmin idt status command.

     voradmin idt status /dev/sdc2
Device /dev/sdc2 is configured to guard as IDT-Capable GuardPoint

  4. At this point the Administrator can protect the device as an IDT-Capable GuardPoint through the Key Manager. For details, see Guard the Linux Device with an IDT-Capable GuardPoint.

Note

The initialization process prepares the device to be guarded but does not actually guard it. You need to assign an IDT-Capable GuardPoint to the device in the Key Manager before the device is actually protected.

Initialize a Linux Device with Existing Data

If the device has existing data, you need to use the voradmin idt config xform command to initialize the disk for CTE. Unless you are using the centralized CTE metadata directory, this command examines the current disk size and computes the size required to hold the existing data plus the CTE Private Region at the beginning of the device. After the CTE initialization is complete, you then need to resize the device before you can guard it with an IDT-Capable GuardPoint.

Warning

If access to the device is shared access across multiple CTE Protected hosts in a cluster, be sure to initialize the device on one and only one of the CTE hosts.

The following procedure describes how to initialize the device for CTE. Note that the existing data is not altered in any way until after you perform this procedure and you guard the data with an IDT-Capable GuardPoint. CTE does not begin transforming the data from clear-text to cipher-text until the IDT-Capable GuardPoint has been applied and the encryption key has been pushed to the device through the GuardPoint Policy.

  1. Log into the device as root.

  2. Run the voradmin idt config [-external] xform [-c <n>] <device-name> command, where:

    • -external is an optional parameter that tells CTE you want to use the centralized CTE metadata directory instead of embedding the CTE Private Region on the device itself. If you use this option, you will not have to resize the device but you must have configured and guarded the centralized CTE metadata directory as described in CTE Private Region Location.

    • xform (required) indicates that the device contains existing data. CTE will transform all existing data on the device from clear-text to cipher-text as soon as you guard the device. The device will be unaccessible until the transformation is complete, and the device must remain offline during the entire transformation process. No user access will be permitted until all data has been transformed.

    • -c <n> (optional). If you use this option on Linux, CTE sets the number of data transformation jobs to run in parallel to the number specified in <n>. <n> can be an integer between 1 and 60 (default: 8).

      Each data transformation job transforms 1MB worth of data and requires CPU resources in addition to three I/O operations as part of data transformation. Each job reads 1MB of data from the device, preserves the data in the CTE Private Region, rekeys the data to cipher-text, and writes the transformed data to the device. If you increase the number of parallel jobs, the data transformation process will complete faster but there will be an increased performance impact on the system. Only increase the -c option if you are certain that the system resources are available to handle the additional load.

      The value for the -c option you specify here remains in effect for all subsequent data transformations (such as any data rekeys) until you specify a new value.

    • <device-name> (required). Specifies the device name. For example, /dev/sdc3.

    For example, if you want to initialize an existing Linux disk named /dev/sdc3 using 10 parallel data transformation jobs with the CTE Private Region embedded on the device, you would specify:

    voradmin idt config xform -c 10 /dev/sdc3
Device /dev/sdc3 must be resized to at least 9893888 sectors (4831 MBs) before guarding as IDT-Capable GuardPoint

    In this case you must manually resize the Linux disk by at least 9893888 sectors before you can guard it. After you guard the disk, you can expand it again later but you cannot shrink it unless you remove the GuardPoint.

    If you want to initialize the same device using the centralized CTE metadata directory, you would specify:

    voradmin idt config xform -external -c 10 /dev/sdc3

    Note that you do not get a message about resizing the device because the CTE Private Region will not be embedded on the device.

  3. To verify that the disk has been initialized, run the voradmin idt status command. 

    voradmin idt status /dev/sdc3
Device /dev/sdh is configured to guard as an IDT-Capable GuardPoint

  4. If you are embedding the CTE Private Region on the device, at this point, you need to resize the device using your standard disk management tools before you can guard it. Make sure you increase the device size by at least the amount shown in the voradmin idt config xform message.

    You cannot assign an IDT-Capable GuardPoint to the device until it has been resized. If you do not resize the device, the GuardPoint assignment will fail.

  5. After the device has been resized or the centralized CTE metadata directory has been configured and guarded, the Administrator can protect the device as an IDT-Capable GuardPoint through the Key Manager as described in Guard the Linux Device with an IDT-Capable GuardPoint.

    Note

    The initialization process prepares the device to be guarded but does not actually guard it. You need to assign an IDT-Capable GuardPoint to the device in the Key Manager before the device is actually protected. In addition, the initialization process is only kept in memory until the device is guarded or rebooted. If the device is rebooted before you guard it, you will need to perform the initialization procedure again.

On this page