The CTE Private Region and IDT Device Header
IDT-Capable GuardPoints require a small amount of disk space in the standard CTE Private Region. The reserved space is where CTE stores metadata information to identify IDT-Capable GuardPoints and to perform all data transformation and rekey operations in a resilient manner to avoid data loss or integrity issues due to system failures. The IDT-specific reserved space within the CTE Private Region is known as the IDT Device Header. By default, when you initialize a device as an IDT-Capable GuardPoint, CTE reserves 63 MB of space starting at the first sector on the device for the CTE Private Region.
CTE writes the IDT Device Header into the CTE Private Region when the device is guarded for the first time. If there is existing data on the device, the data at the start of the device is relocated to the available free space on the device and CTE creates the CTE Private Region starting at the first sector. For details, see Initialize a Linux Device with Existing Data.
CTE Private Region Location
Normally, CTE requires that the CTE Private Region be embedded at the beginning of the device. IDT, however, allows you to specify that the CTE Private Region for an IDT-Capable GuardPoint should be located in a central CTE metadata directory on the host called /vte/vte-metadata-dir (default: /opt/vte/vte-metadata-dir). If you use this option, CTE stores the CTE Private Region and IDT Device Header for the device in this directory. The location of the CTE Private Region for a device is determined when you first initialize the device as an IDT-Capable GuardPoint. For details, see Initializing an IDT-Capable Device.
Warning
Access to the CTE metadata directory is local to the CTE protected host. Devices whose access is shared across multiple CTE protected hosts in a cluster must be configured with the CTE Private Region embedded in those devices. Using a centralized metadata directory for shared devices will lead to data corruption.
The location of the CTE Private Region does not affect CTE’s functionality, but there are some considerations if you choose to use the centralized metadata directory /vte/vte-metadata-dir:
- Thales recommends that you keep the metadata for the device on the device if at all possible. You should only use the centralized metadata directory if the device cannot be expanded to accommodate the CTE Private Region.
- The centralized CTE metadata directory must be guarded by the Administrator to prevent accidental modification or deletion of the CTE metadata. If the CTE metadata directory is not guarded, any attempt to configure or enable an IDT-Capable GuardPoint using the centralized metadata directory will be rejected. The policy associated with the metadata directory must:
  - Deny all users (including the root user) the ability to modify or remove any files in the metadata directory.
  - Use the key rule clear_key so that the metadata is stored in clear text.
- You must back up this directory whenever you back up a device that uses the directory. You will not be able to restore a protected device without access to its corresponding metadata in /vte/vte-metadata-dir.
- Devices with existing data do not need to be resized to accommodate the CTE Private Region, so there are no disk size discrepancies between system utilities such as fdisk and any other applications. However, Thales still recommends that you do not shrink an IDT-Capable GuardPoint even if the CTE Private Region is not embedded on the device.
Device Size
If you embed the CTE Private Region on the device itself, after configuring and guarding the IDT-Capable GuardPoint on the device, the device size reported to applications is the size of the device minus the space reserved for the CTE Private Region. This can lead to a discrepancy between the disk size reported by some applications versus the size reported by system utilities such as fdisk.
Warning
Do not shrink IDT-Capable GuardPoints. Due to the relocation of user data from the CTE Private Region, if you shrink the device, you may corrupt data on the device.
The IDT Device Header contains both the available device size and the size of the CTE Private Region. To view the IDT Device Header, use the voradmin idt status <device-name> command. The Exported Disk Size field shows the disk size available for use by other applications. The Private Region Size field shows the disk size reserved for CTE. For example:
voradmin idt status /dev/sdc2
IDT Header on /dev/secvm/dev/sdc2
Version: 1
Change: 0
Private Region Size: 129024 sectors
Exported Device Size: 9627648 sectors
Key UUID: 9cc3c8e4-7ea7-310f-85c7-6f911de1ab52
Mount Path: None
The voradmin idt status command also reports the UUID of the XTS/CBC-CS1 AES 256 key applied to the device.
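As an added sanity check (example code written for this page, not part of the CTE documentation or the voradmin tooling), the header shown above can be parsed and compared with the raw size of the block device to confirm whether the Private Region is embedded or external, and to flag a device that has been shrunk below what the header expects. The sample header is the output quoted above; the raw sector count is assumed to come from a separate query such as blockdev --getsz.

```python
"""Sanity-check a voradmin idt status header against the raw device size."""
import re

SECTOR_BYTES = 512   # voradmin reports sizes in 512-byte sectors

# Constructed sample: the voradmin idt status /dev/sdc2 output quoted above.
SAMPLE_STATUS = """\
IDT Header on /dev/secvm/dev/sdc2
Version: 1
Change: 0
Private Region Size: 129024 sectors
Exported Device Size: 9627648 sectors
Key UUID: 9cc3c8e4-7ea7-310f-85c7-6f911de1ab52
Mount Path: None
"""


def parse_idt_header(text):
    """Return the header fields as a dict; sector counts become ints."""
    header = {}
    for line in text.splitlines():
        if ":" not in line:          # skip the "IDT Header on ..." banner
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        m = re.fullmatch(r"(\d+) sectors", value)
        header[key] = int(m.group(1)) if m else value
    return header


def private_region_mib(header):
    """Private Region size in MiB; 129024 sectors is the 63 MB default."""
    return header["Private Region Size"] * SECTOR_BYTES // (1024 * 1024)


def classify_layout(header, device_sectors):
    """Compare the header with the raw device size in sectors (assumed to be
    gathered separately, e.g. with blockdev --getsz on the underlying disk)."""
    private = header["Private Region Size"]
    exported = header["Exported Device Size"]
    if device_sectors == exported + private:
        return "embedded"    # Private Region occupies the start of the device
    if device_sectors == exported:
        return "external"    # Private Region lives in /vte/vte-metadata-dir
    if device_sectors < exported:
        return "shrunk"      # exported data no longer fits: corruption risk
    return "mismatch"        # unexpected size; investigate before guarding


if __name__ == "__main__":
    hdr = parse_idt_header(SAMPLE_STATUS)
    print(private_region_mib(hdr), "MiB reserved;", classify_layout(hdr, 9756672))
```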