Requirements for IDT-Capable GuardPoints
- IDT-Capable GuardPoints are available for Linux with CTE 6.3.1 or subsequent versions. All versions of CipherTrust Manager work with IDT-Capable GuardPoints.
- The host server must use the Advanced Encryption Standard instruction set (AES-NI).
- The policy assigned to the IDT-Capable GuardPoint must be an In-Place Data Transformation policy and use an XTS/CBC-CS1 AES 256 encryption key.
- In order to create an IDT-Capable GuardPoint on a raw device, the device must be either:
  - Exported from an external storage system to the host device.
  - On a locally-attached disk.
- Devices protected by an IDT-Capable GuardPoint cannot currently be initialized/added as physical volumes for use by LVM. When LVM support is added, it will be announced in the CTE Release Notes.
- Existing devices divided into one or more logical partitions cannot be guarded as IDT-Capable Device GuardPoints. Logical partitions in such devices cannot be accessed or separately guarded after guarding the device. For example, the logical partition /dev/sda1 or /dev/sda2 inside /dev/sda cannot be accessed after guarding /dev/sda as an IDT-Capable GuardPoint. Using /dev/secvm/dev/sda1 is invalid, as /dev/secvm/dev/sda1 is not a GuardPoint and cannot be guarded and, as such, would not provide access to clear-text data on /dev/sda1. However, you can guard individual partitions, such as /dev/sda1 or /dev/sda2, as IDT-Capable GuardPoints without guarding the entire /dev/sda device.
- IDT-Capable GuardPoints require XTS-AES mode of the AES algorithm for encryption.
- CTE only supports IDT on servers with microprocessors integrated with Advanced Encryption Standard instruction set (AES-NI).
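
A pre-flight check for the AES-NI and partitioning requirements above, as an added example that is not part of the CTE documentation or tooling. The function names and the CPUINFO and SYSFS override variables are chosen for this example; it assumes an x86 Linux host where /proc/cpuinfo has a `flags` line and sysfs exposes a `partition` file for each partition.

```shell
#!/bin/sh
# Added example: pre-flight checks for a candidate IDT-Capable device.
# CPUINFO and SYSFS are overridable so the checks can run against fixtures.
CPUINFO="${CPUINFO:-/proc/cpuinfo}"
SYSFS="${SYSFS:-/sys}"

# Return 0 if the CPU flags line advertises the AES-NI instruction set.
has_aesni() {
    grep -m1 '^flags' "$CPUINFO" 2>/dev/null | grep -qw 'aes'
}

# Return 0 if the whole-disk device (e.g. /dev/sda) contains partitions.
# The kernel exposes each one as block/<disk>/<part>/partition in sysfs.
has_partitions() {
    name=$(basename "$1")
    for p in "$SYSFS/block/$name"/*/partition; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# Return 0 if the device is itself a partition (e.g. /dev/sda1).
is_partition() {
    name=$(basename "$1")
    [ -e "$SYSFS/class/block/$name/partition" ]
}

# Print one line per requirement; return non-zero if any check fails.
preflight() {
    dev="$1"; rc=0
    if has_aesni; then echo "OK   AES-NI reported by CPU"
    else echo "FAIL AES-NI not reported in $CPUINFO"; rc=1; fi
    if is_partition "$dev"; then
        echo "OK   $dev is an individual partition and can be guarded on its own"
    elif has_partitions "$dev"; then
        echo "FAIL $dev is divided into partitions; guard each partition instead"
        rc=1
    else
        echo "OK   $dev has no partitions"
    fi
    return $rc
}

# Run only when invoked with a device argument, e.g. ./preflight.sh /dev/sdb
if [ $# -ge 1 ]; then preflight "$1"; fi
```

The script only covers the two requirements it can read from the host; the policy type, key type and LVM restrictions still have to be confirmed separately.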