Guard the Linux Device with an in-Place Data Transformation GuardPoint

After the device has been initialized, you can guard the device as an in-Place Data Transformation GuardPoint from the CipherTrust Manager console. For existing devices, as soon as the GuardPoint configuration has been pushed to the host and the status changes to guarded, CTE begins transforming the data on the disk using the encryption key associated with the GuardPoint Policy.

1. Log on to the CipherTrust Manager as an administrator of type Security with Host role permissions, type Domain and Security, or type All.

2. Make sure that you know what Policy you want to associate with the in-Place Data Transformation GuardPoint or create a new standard policy if needed.

   The policy you use must use an XTS/CBC-CS1 AES 256 key as the key rule.

3. Select Hosts > Hosts on the menu bar. The Hosts window opens.

4. Click the target host in the Host Name column. The Edit Host window opens to the General tab for the selected host.

5. Click the GuardPoints tab and then click Guard. The Guard window opens.

6. In the Policy field, select the Policy you identified or created earlier in this procedure. CTE will use the XTS/CBC-CS1 AES 256 key associated with this policy to encrypt the data on the device.

7. In the Type field, select either Raw or Block Device (Auto Guard) or Raw or Block Device (Manual Guard) .

   If you select Auto Guard, CTE starts the guard process as soon as the policy is pushed to the host. You enable, disable, guard, and unguard the GuardPoint in the CipherTrust Manager. If you want to have the device automatically guarded and mounted at system start up, add the device to /etc/fstab. For details, see Auto Mount Options for File System Devices on Linux.

   If you select Manual Guard, You guard the GuardPoint on the protected host with the secfsd -guard <path> and secfsd -unguard <path> commands. At system startup, you must guard the device and then mount it. This gives you more control over when data transformations occur because CTE will not start encrypting or rekeying the device until you manually start the process.

8. In the Path field, add the path for the device you want to guard. For example, /dev/sdh.

   If you specify multiple paths in this field, all specified devices will be guarded and all will be encrypted with the encryption key specified in the associated policy.

9. Click OK.

   The CipherTrust Manager pushes the policy and the GuardPoint configuration to the host and the CTE agent on the host writes the in-Place Data Transformation Header into the CTE private region for the specified devices. If this is a new device, the status changes to guarded and the disk is available for user access immediately.

   If there is existing data on the device, CTE begins transforming the data from clear-text to cipher-text as soon as the GuardPoint configuration is available and the device status changes to guarded. The device will remain inaccessible until this data transformation completes. The length of time required to transform the data depends on the amount of existing data and the number of parallel data transformation jobs specified on the voradmin config command.

   To see the data transformation progress, use the voradmin idt xform status <device-name> command.

After the device is initialized and guarded, the protected device must be accessed through the CTE device pathname. This pathname corresponds to the secvm device. For example, the Linux device pathname /dev/sdh becomes /dev/secvm/dev/sdh as soon as the process is complete.

• Be sure to use the secvm device name when using file system management tools such as mkfs and fsck.
• Do not use the device mapper names corresponding to in-Place Data Transformation GuardPoints for GuardPoint administration on protected hosts.