Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Migrating to CTE or CTE UserSpace

Data Transformation

search

Please Note:

Data Transformation

Thales provides a data transformation tool called dataxform. This tool has been enhanced to convert the data from ProtectFile to CipherTrust Transparent Encryption format, by providing it with the --migrate option.

Note

Data migration is NOT required when migrating:
ProtectFile to CTE-U v10.x
CTE-U v8.0/v9.0 to CTE-U v10.x

copy link to clipboardPreparing for Data Transformation

To begin:

  1. On CipherTrust Manager, click ProtectFile/ Transparent Encryption UserSpace.

  2. Click on a client name to view the rules and access policy associated with that client.

  3. Choose the rule for the migration and note the corresponding access policy.

copy link to clipboardChanging the Access Policy for Windows

  1. Click Access Policies.

  2. Create an access policy group for migrations (for ex: windows_migration_grp) with Read/Write access for the Administrator.

    1. Create an access policy (for ex: windows_migration).

    2. Add a access policy rule that gives the administrator Read/Write access permissions.

    3. Create an access policy group (for ex: windows_migration_grp) with:

      • OS: Windows

      • Group: Access Control & Encryption

      • Default Access: No Access

    4. Click on the newly created access policy group (windows_migration_gp) to open it.

    5. Search for newly created access policy (windows_migration).

    6. Click on the ellipsis and choose Add to Group.

  3. The newly created access policy group looks like the following graphic. This access policy group will be used for all of the rules.

    1. Change the access policy group for the current rule to this newly created access policy group.

    2. Apply changes and wait for rules to be applied at client.

    Access Policy Groups

  4. On CipherTrust Manager, navigate to the corresponding CipherTrust Transparent Encryption offline (Dataxform) GuardPoint and enable it:

    1. On CM, click CTE.

    2. Click Client on the relevant client name.

    3. Click on ellipses for the GuardPoint and select Enable.

Allow sometime for CipherTrust Manager to enable the GuardPoint. When the status changes to Active, the GuardPoint is enabled. At this moment, the CipherTrust Transparent Encryption GuardPoint would be overlaid on the ProtectFile encrypted path. Confirm this by examining the file servers.

copy link to clipboardTransforming Data in Windows

  1. Open the Windows command line as an Administrator.

  2. Run the pfstatus command, type: **pfstatus.exe**

    Note

    For ProtectFile file or folder policies, use the absolute file/folder path names with pfstatus utility to obtain the status

  3. Run the status command, type:

    secfsd –status guard –v

  4. Run the dataxform command, type:

    dataxform –-rekey –-migrate --gp <GuardPoint>

  5. Run the dataxform command for sparse files, type:

    dataxform –-rekey --preserve_sparse_files -–migrate --gp <GuardPoint>

  6. Exit the Windows command line tool.

  7. After the dataxform has completed, navigate to the corresponding dataxform GuardPoint on the CipherTrust Manager and disable it. Wait for the removal of the GuardPoint from the file server.

  8. Navigate to the ProtectFile encryption rule on the CipherTrust Manager and disable it. Wait for the process to complete.

  9. Navigate to the corresponding production GuardPoint on CipherTrust Manager and enable it. Wait for the operation to finish. Verify that the CipherTrust Transparent Encryption GuardPoint is reapplied on the file server.

Note

If the Client is member of a ClientGroup, then navigate to the corresponding production GuardPoint in the ClientGroup and enable it. Wait for the operation to finish. Verify that the CipherTrust Transparent Encryption GuardPoint is reapplied on the file server.

copy link to clipboardManually Migrating DFS Replication Data

If you are using Distributed File System (DFS) replication, you must manually add additional GuardPoint s for Replication endpoints such as a DFS Private folder.

For each DFS replication client, follow these additional, manual steps for migrating PF encrypted data to CipherTrust Transparent Encryption encrypted data.

  1. Navigate to the DFS Replication client on Transparent Encryption on CM. Note the DFS Replication protected path for the initial transformation/ production GuardPoint .

  2. Click on the Policy for the DFS Replication production GuardPoints created by pfmigrate utility. Note the DFS Replication policy name.

  3. Unguard both the initial transformation and production GuardPoint for DFS Replication path. Wait for these GuardPoint s to be removed from the client.

  4. Once both the initial transformation and production GuardPoints are removed, click **Create GuardPoint ** and select the DFS policy.

  5. Provide the DFS production GuardPoint replication path, and the DFSPrivate folder path manually, in the path field in the Create GuardPoint dialog.

    Creating a ${gp}

  6. Wait for the GuardPoint s to become active on the file server. (It states Yes in the Enabled column.)

copy link to clipboardChanging the Access Policy for Linux

  1. Click Access Policies.

  2. Create an access policy group, (for ex: linux_migration_grp) with:

    • OS: Linux

    • Group: Access Control & Encryption

    • Default Access: Read/Write

  3. The newly created access policy group will look like the following picture. This access policy group will be used for all of the rules. Change access policy group for the current rule with this newly created policy group. Apply changes and wait for rules to be applied at client.

    ${gp} Displaying

  4. On the CM, navigate to the corresponding CTE-U offline ({dxf} GuardPoint and enable it:

    1. On CM, click Transparent Encryption.

    2. Click Client on the relevant client name.

    3. Click on ellipses for the GuardPoint and select Enable.

Allow sometime for CipherTrust Manager to enable the GuardPoint . When the status changes to Active, the GuardPoint is enabled.

copy link to clipboardTransforming Data in Linux

  1. On Linux, use the mount command to confirm that the CipherTrust Transparent Encryption GuardPoint is overlaying the ProtectFile encrypted path. The following screenshot depicts how the CipherTrust Transparent Encryption GuardPoint is overlayed on the ProtectFile encrypted path.

    ${cte} overlaid on PDF

  2. For file servers, login directly as root. Do not execute a switch user command before starting the data transformation.

  3. Run the dataxform tool as follows:

    dataxform -–rekey -–migrate --gp <GuardPoint>

    For transformation to preserve the original timestamps, run it with the following additional option:

    dataxform –-rekey --migrate --preserve_access_time –preserve_modified_time --gp <GuardPoint>

    Note

    The logs are stored in /var/log/vormetric.

  4. Exit the terminal which was used to run dataxform.

  5. After the data transformation has completed, navigate to the corresponding Dataxform GuardPointon the CipherTrust Manager and disable it. Wait for the GuardPointto unmount on the file server.

  6. For the encryption rule, navigate to the ProtectFile encryption rule on the CipherTrust Manager and disable it. Wait for the encryption rule to unmount on the file server.

  7. For Access only rule, navigate to the ProtectFile encryption rule on the CipherTrust Manager and remove it. Wait for the rule to unmount on the file server.

  8. Navigate to the corresponding production GuardPoint on CipherTrust Manager and enable it. Wait for the operation to finish. Verify that the CipherTrust Transparent Encryption GuardPoint is reapplied on the file server.

Note

If the Client is member of a ClientGroup, navigate to the corresponding production GuardPoint in the respective ClientGroup and enable it. Wait for the operation to finish. Verify that the CipherTrust Transparent Encryption GuardPoint is reapplied on the file server.

copy link to clipboardPost Migration

At this point, the migration for this encryption rule is completed. The data is converted to the CipherTrust Transparent Encryption format and the access rules are enforced. The encrypted path is now ready for production use.

  1. Verify the integrity of the data for each ProtectFile encrypted path. Consult the CipherTrust Transparent Encryption product documentation for information on how to verify the data integrity.

    Linux File Server: After data migration, close existing login sessions/terminals and then verify the integrity of the data for each protected path.

    Windows File Server: After data migration, reboot the file server. Once the file server is rebooted, verify the integrity of the data for each protected path.

  2. If you need to migrate other encryption rules immediately, do that now.

  3. If you are not migrating any other encryption rules, make the full cluster nodes, and all of the NAS clients, active.

  4. Repeat the steps for all encryption rules for the ProtectFile client.

  5. Delete the ProtectFile client entry from the CipherTrust Manager once all of the rules are migrated to CTE.

  6. On Windows ProtectFile clients, backup the registry.

  7. Uninstall the ProtectFile software from the file server.

  8. Take a backup of the CipherTrust Manager Configuration and the protected data now encrypted with CTE.

  9. On Linux clients, backup the folder /etc/vormetric and save all of the logs in /var/log/vormetric.

Note

CipherTrust Manager does not support offline mode so you cannot back up offline policies.

Note

Refer to the CTE Data Transformation Guide for more information.

On this page