Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Agent Windows Advanced Configuration Guide

Special Cases for CTE Policies

search

Please Note:

printsuggest an editpdf paneldownload

Special Cases for CTE Policies

This following section describes a CTE-specific configuration task related to configuring policies in the key manager.

When using hard links on Windows, all the hard links to a file must be within the boundary of a GuardPoint and must use the same key. The following scenarios provide additional details:

  • If hard links to the same file are inside a GuardPoint and outside a GuardPoint, the effect on the file depends on what process accesses which hard link first. If the hard link within the GuardPoint is opened first, the file is transformed. If the hard link outside the GuardPoint is opened first, the file won’t be transformed.

  • If hard links to the same file exist in different GuardPoints with different keys, the file will be corrupted.

  • If hard links to the same file exist in the same GuardPoint but with different keys, such as if folder-based rules are used, there will be a conflict in the key.

copy link to clipboardSecurity Rule Ordering for Polices

If you want to enforce restrictions when guarding NFS/CIFS shares using an LDT or standard policy with a CBC-CS1 key, note the following:

CipherTrust Transparent Encryption embeds the LDT and/or IV (initialization vector) attributes in the first 4K of files for NFS/CIFS shares guarded with an LDT or standard policy with a CBC-CS1 key. Embedding CipherTrust Transparent Encryption attributes increases the actual file size by 4K. CTE hides that extra 4K when reporting the file size to users, or processes, that access the file with the Apply Key effect.

If you need the actual file size, or read/write access on the embedded header, for backup/restore processes for example, then you need a rule that permits access without Apply Key.

copy link to clipboardLDT Policies

copy link to clipboardExample 1: Permits Backup and Restore

A policy that allows backup and restore of encrypted data, clear-text access to certain processes, and denies access to all others:

Rule Purpose
1 Default LDT rule required for LDT policies.
2 Allows for processes in the backup Process Set to access the real file size and backup the CipherTrust Transparent Encryption attributes along with the encrypted file data.
3 Allows for processes in the authorized-processes Process Set to access the clear-text data, but it hides the additional 4K from the CipherTrust Transparent Encryption attribute.
4 Denies all other processes access to the data.

copy link to clipboardExample 2: Permits access to certain Processes

A policy that only allows certain processes clear-text access but allows all others to see the OS file attributes.

Rule Purpose
1 Default LDT rule required for LDT policies.
2 Allows for processes in the authorized-processes Process Set to access the clear-text data.
3 Allows for processes not in the authorized-processes Process Set to read the OS file and directory attributes.
Note: Processes that match this rule obtain the file size with the 4K header. If a process that is not in the authorized-processes Process Set needs the file size without the header, then the Apply Key must be present in the Effect or you will need an additional rule granting Apply Key to that specific process. That rule must be defined before this rule.
4 Denies processes not in the authorized-processes Process Set from reading any data from the files.

copy link to clipboardStandard Policies

copy link to clipboardExample 1: Permits access to certain Processes

A policy that allows backup and restore of encrypted data, clear-text access to certain processes, and denies access to all others:

Rule Purpose
1 Allows for processes in the backup Process Set to access the real file size and backup the CipherTrust Transparent Encryption attributes along with the encrypted file data.
2 Allows for processes in the authorized-processes Process Set to access the clear-text data, but it hides the additional 4K from the CipherTrust Transparent Encryption attribute.
3 Denies all other processes access to the data.

copy link to clipboardExample 2: Permits access to certain Processes

A policy that only allows certain processes clear-text access but allows all others to see the OS file attributes.

Rule Purpose
1 Allows for processes in the authorized-processes Process Set to access the clear-text data.
2 Allows for processes not in the authorized-processes Process Set to read the OS file and directory attributes.
Note: Processes that match this rule obtain the file size with the 4K header. If a process that is not in the authorized-processes Process Set needs the file size without the header, then the Apply Key must be present in the Effect or you will need an additional rule granting Apply Key to that specific process. That rule must be defined before this rule.
3 Denies processes not in the authorized-processes Process Set from reading any data from the files.

For more information, see Adding Security Rules in the CipherTrust Manager documentation.

On this page