Guarding an IDT-Capable Device with Multiple IO Paths on Linux
Each individual IO path from a server node to a storage controller is treated as a separate device on the host. DM-Multipath on a Linux host provides a management framework to group the individual IO paths to the same LUN into a single multipath device. If you use DM-Multipath to manage devices on the protected host, the individual devices that correspond to each IO path to the LUN cannot be configured for guarding as IDT-Capable, as those devices are under control of DM-Multipath. To guard such devices, you must guard the device mapper generated by DM-Multipath (multipathd) under the /dev/mapper directory.
Note
IDT is the only feature of CTE that supports guarding of a device mapper generated device under the DM-Multipath framework.
The following example illustrates the procedure for guarding a device mapper generated device with the alias name /dev/mapper/mpathA.
- Create an in-Place Data Transformation policy using an XTS/CBC-CS1 AES 256 key as the key rule.
- On the host, prepare the device to be configured as IDT-Capable using the voradmin idt config [-external] new|xform [-c n] <mapper-alias-name> command. For example, if the disk is a new disk with no existing data, you would enter:
  voradmin idt config new /dev/mapper/mpathA
  If the disk has existing data that you want to encrypt, you would enter:
  voradmin idt config xform /dev/mapper/mpathA
- Guard /dev/mapper/mpathA as a Device GuardPoint using the policy created above. Be sure to check the in-Place Data Transformation check box.
- For Manual Guard configuration, enable the GuardPoint using the secfsd command as follows:
  secfsd -guard /dev/mapper/mpathA
- For Auto Guard, wait for the /dev/mapper/mpathA device to be guarded on the protected host.
- Once the device is guarded, provide the pathname of the secvm device to applications and/or file system operations. For example, /dev/secvm/dev/mapper/mpathA.
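A preflight check for the rule above (guard the DM-Multipath map, never one of its individual IO paths), as an added example that is not part of the vendor documentation or tooling. It assumes the standard Linux sysfs layout (/sys/class/block/<name>/dm/uuid and holders/), the "mpath-" UUID prefix that DM-Multipath gives its maps, and /dev/mapper entries that are symlinks to dm-N nodes; the function names and SYSFS_ROOT are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code: preflight check to run before
# "voradmin idt config". SYSFS_ROOT is an assumption that lets the check be
# exercised against a constructed tree; by default it is the real /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# dm_uuid <kernel-name>: print the device-mapper UUID, or nothing if not a dm device.
dm_uuid() {
    cat "$SYSFS_ROOT/class/block/$1/dm/uuid" 2>/dev/null || true
}

# classify_idt_target <kernel-name> (for example dm-3 or sdc)
# Prints: multipath-map | multipath-path:<dm-N> | other-dm | plain
classify_idt_target() {
    uuid=$(dm_uuid "$1")
    case "$uuid" in
        mpath-*) echo "multipath-map"; return 0 ;;   # DM-Multipath maps use this UUID prefix
        ?*)      echo "other-dm"; return 0 ;;        # LVM, dm-crypt, and so on
    esac
    # An individual IO path claimed by DM-Multipath lists the map under holders/.
    for h in "$SYSFS_ROOT/class/block/$1"/holders/dm-*; do
        [ -e "$h" ] || continue
        case "$(dm_uuid "${h##*/}")" in
            mpath-*) echo "multipath-path:${h##*/}"; return 0 ;;
        esac
    done
    echo "plain"
}

# idt_preflight <device-path>: return 0 if the path is a sensible IDT target,
# 1 if it is a single IO path that belongs to a multipath map.
idt_preflight() {
    kname=$(basename "$(readlink -f "$1")")   # /dev/mapper/<alias> resolves to dm-N
    kind=$(classify_idt_target "$kname")
    case "$kind" in
        multipath-path:*)
            echo "REFUSE: $1 is one IO path of ${kind#multipath-path:};" \
                 "guard its /dev/mapper alias instead" >&2
            return 1 ;;
        *)  echo "OK: $1 ($kname) is $kind"; return 0 ;;
    esac
}
```

The check looks only at the device you name, so a partition of a path device (for example sdc2 when sdc is the multipath member) is reported as plain; pass the whole-disk name to catch that case.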
Viewing Device Status and the IDT Device Header
After you guard a device, you can view the status of that device using the voradmin idt [xform] status <device-name> command, where:
- xform (optional). If you specify this option, CTE shows the status of any data transformation processes happening on the device. If you do not specify this option, CTE displays the IDT Device Header for the device.
- <device-name> (required). The standard Linux name of the device whose status you want to view. (For example, /dev/sdc2.)
For example, if you want to view the IDT Device Header for the Linux device /dev/sdc2, you would enter:
voradmin idt status /dev/sdc2
IDT Header on /dev/secvm/dev/sdc2
Version: 1
Change: 0
Private Region Size: 129024 sectors
Exported Device Size: 9627648 sectors
Key UUID: 9cc3c8e4-7ea7-310f-85c7-6f911de1ab52
Mount Path: None
If you want to view the data transformation status on /dev/sdc2, you would enter:
voradmin idt status xform /dev/sdc3
Status: In-Process
Relocation Zone 9764864 (relocated = 1)
SegSpc 27, Xformation Range: 3217 ... 4799, SegIDs: 4795 4796 4791 4792 4797 4798 4799
KeyID: 2793 Key Name: IDT_DEMO_KEY_1
Old KeyID: 0 Old Key Name: clear_key
The Status field displays In-Progress if a data transformation process is running, and Completed if the process has finished.