User Guides
CTE-U Quick Start Guide
- Terminology and Components
- Install and Configure CTE-U with CipherTrust Manager
  - Installation Prerequisites
  - Installation and Registration
  - Verifying Package Signatures
  - Setting the SE Linux state
- Guarding with CTE-U and CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Guarding CTE files with CTE-U
- Exporting GuardPoints over NFS
- Migrating CTE Agents to CTE-U
- Multifactor Authentication for CTE-U
  - Introduction to Multifactor Authentication
  - Using CTE-U with Multi-factor Authentication
  - Use Cases for MFA on CTE
  - Exempting some users from authentication with a Whitelist
  - Setting up Multifactor Authentication with a One-Time-Password
  - Setting up Multifactor Authentication with an Inactivity Time Out
  - Administrator Tasks for Multifactor Authentication
  - Troubleshooting Multifactor Authentication
- Phased migration from CTE-U 9.x to CTE-U 10.x
CTE-U Health Manager Utility
- Performing Health Check
- Using the Monitor
- Service Commands
- Viewing the Service Status
- Gathering the Technical Dump Information
- Troubleshooting/ Debugging CTE-U
CTE-U Advanced Configuration Guide for Linux
- Getting Started with CTE for Linux
  - Silent Installation for CTE or CTE-U on Linux
  - Using external certificates for communication between CTE Agent and CipherTrust Manager
  - Configuring CTE-U with CipherTrust Manager
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- CTE-U Overview
- Special Cases for CTE-U Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Enhanced Encryption Mode
  - Disk Space
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - File Systems Compatibility
- CTE with systemd
  - CTE Agent Control Changes on systemd
  - CTE Agent Control Changes on systemd
  - Adding Applications to the secfs-fuse.service File
  - Adding Dependencies to systemd Unit Configuration Files
- Utilities
  - CTE-U Linux Authentication and Client Settings
  - Individual GuardPoint Tuning
  - Agent Health Utility
  - Secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - agentinfo Utility (Java version)
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Voradmin Utility
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - vmd utility
  - vmsec Utility
- Upgrading CTE-U on Linux
- Uninstalling CTE-U from Linux
Using FreeBSD with CTE-U
- FreeBSD Jail
- Install CTE-U Dependencies
- FreeBSD Services
- Upgrade CTE-U Packages
- Remove CTE-U Packages
- Unsupported Features for CTE-U with FreeBSD

Verifying Package Signatures

This section explains how to verify signatures of the CTE-U installer packages. After the signature is verified, CTE-U can be installed on file servers.

Verifying Signature of rpm Packages

To verify the signature of the rpm package:

Download the public key from the Support Portal:

Note

The key is named 610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key.
Save the key on the file server, for example, at /cte/public_key.
Navigate to the directory where the extracted CTE-U packages are stored.

Import the public key into the rpm keystore, type:

Run rpm --import /path/to/public_key/<gpg_key>.

Example

rpm --import /cte/public_key/610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key

Verify the signature, type:

rpm -Kvv <protectfile_installer>.rpm.

Example

rpm Kvv cte_<version>-<build>.x86_64.rpm

The command output should contain information similar to the following:

cte-<version>-<build>.x86_64.rpm:
Header V3 RSA/SHA256 Signature, key ID <key_id>: OK
Header SHA1 digest: OK (<sha1_digest>)
V3 RSA/SHA256 Signature, key ID <key_id>: OK
MD5 digest: OK (<md5_digest>)

If the output contains Signature, key ID : OK for SHA256, the signature is verified successfully.

Verifying Signature of deb Packages

To verify the signature of the deb package:

Download the public key from the Support Portal:

Note

The key is named 610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key.
Save the key on the file server, for example, at /cte/public_key.
Navigate to the directory where the extracted CTE-U packages are stored.

Import the public key, type:

gpg --import /path/to/public_key/<gpg_key>

For example, run:

gpg --import /pf/public_key/610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key

Verify the signature, type:
```
gpg -verify cte_<version>-<build>.deb.sig.
```
If the output contains the text Good signature, the signature is verified successfully.

Verifying Signature of Interactive Installers

To verify the signature of the interactive installer package:

Download the public key from the Support Portal:

Note

The key is named 610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key.
Save the key on the file server, for example, at /cte/public_key.
Navigate to the directory where the extracted CTE-U packages are stored.

Import the public key, type: (The signature cannot be verified without a valid public key.)

gpg --import /path/to/public_key/<gpg_key>.

For example, run:

gpg --import /pf/public_key/610-000250-001_PUBLIC-GPG-CONNECTOR-SIGNING-KEY.key

Verify the signature.

gpg -verify safenet_pf<version>-<build>.tar.gz.sig.

If the output contains a good signature, the signature is verified successfully.

Suggest A Change

Verifying Package Signatures

Verifying Signature of rpm Packages

Verifying Signature of deb Packages

Verifying Signature of Interactive Installers

On this page