Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Migrating to CTE or CTE UserSpace

Migration Overview

search

Please Note:

Migration Overview

copy link to clipboardWhat is Migration?

Migration allows for seamless transition from Thales legacy products like ProtectFile, or CTE-U v9.x, to state of the art products from CipherTrust Transparent Encryption suite. This transition will create ProtectFile and CTE-U v9.x equivalent configurations in Transparent Encryption on CipherTrust Manager. Note that some encrypted data formats may not require migration.

Note

There is no direct migration path from KeySecure Classic to the CipherTrust Transparent Encryption or CipherTrust Manager. The CipherTrust Transparent Encryption migration requires both ProtectFile and CTE UserSpace to use CipherTrust Manager.

For Customers still using ProtectFile with KeySecure Classic, they should migrate from the KeySecure Classic configuration to CipherTrust Manager first. Refer to Migration from KeySecure Classic to CipherTrust Manager.

copy link to clipboardWhy migration?

If you are using ProtectFile or CTE-U v9.x, you must migrate to a CipherTrust Transparent Encryption product of your choice.

Thales CipherTrust Transparent Encryption suite offers two products to which you can migrate:

  1. CTE Agent for Linux and Windows This is the state of the art solution for file encryption. For Linux, this is a kernel-based implementation. This is referred to as CTE in this document.

  2. CTE UserSpace Agent: This is a Linux-only, kernel-agnostic solution that is suitable for customers with frequent kernel change requirements. This solution is on par with CipherTrust Transparent Encryption for Linux in terms of functionality.

copy link to clipboardMigration Paths

You can migrate the following products:

Source Product Recommended Minimum Version Target Product Recommended Minimum Version
CTE UserSpace 8.x / 9.x CTE-U Agent (Linux only) v10.0 or higher
ProtectFile Linux 8.12.4p01 CTE-U Agent (Linux only) v10.0 or higher
ProtectFile Linux 8.12.4p01 CTE Agent for Linux v7.3 or higher
ProtectFile Windows 8.12.2 CTE Agent for Windows v7.3 or higher

CipherTrust Manager minimum version requirements for the migration process:

Product Recommended Minimum Version
CipherTrust Manager 2.2.0-5508

copy link to clipboardMigration Process

Migration consists of the following two steps:

  1. Policy Migration: Migrate the ProtectFile configuration elements on CipherTrust Manager to their equivalent CipherTrust Transparent Encryption configuration elements on CipherTrust Manager. The PFMigrate tool is used for migrating configurations.

    Policy migration is applicable for all of the above product migrations to CipherTrust Transparent Encryption or CTE-U.

  2. Data Migration: Migrate the encrypted data for each ProtectFile encryption rule from ProtectFile format to CTE/CTE-U format. Dataxform tool is used for data migration.

    Note

    Data migration is required only in the case of ProtectFile migration to CTE.

copy link to clipboardSummary

The following list is a high-level summary overview of the steps required for migrating ProtectFile Rules on Windows or Linux file servers. The succeeding sections describe the details of the migration.

Note

For explicit details on how to complete tasks on CipherTrust Manager, CipherTrust Transparent Encryption and Data Transformation, and ProtectFile, consult the product documentation for each product.

copy link to clipboardMigration Stages

Click the desired tab below for migration steps.

The following diagram depicts the migration stages:

Migration Stages

Assuming Stage 1 is already completed. Steps below are for Stage 2 onwards.

  1. Run the pfmigrate utility with required parameters to migrate the CipherTrust Manager configuration for ProtectFile.

  2. Check that all of the appropriate policies, rules and clients/client groups are created in CipherTrust Manager.

  3. Install CTE on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.

  4. Make sure that GuardPoints are applied properly on the Linux and Windows servers.

  5. On the CipherTrust Manager, ProtectFile encryption rule which is to be migrated, edit the access policy to give Read/Write access to the dataxform process.

  6. On the file server, run data transformation (dataxform) on each encryption rule/protected path.

Note

Thales recommends that you transform one encryption rule at a time.

  1. Navigate to the ProtectFile encryption rule on CipherTrust Manager and disable it.

  2. Disable the corresponding data transformation CTE GuardPoint on CipherTrust Manager.

  3. Navigate to the corresponding production CTE GuardPoint on CipherTrust Manager and enable it.

  4. After all the encryption rules are transformed then they must uninstall ProtectFile agent from the host.

  1. Run the pfmigrate utility with the required parameters to migrate the CipherTrust Manager configuration for ProtectFile.

  2. Check that all of the appropriate policies, rules, and clients/client groups are created in CipherTrust Manager.

  3. Uninstall the ProtectFile agent from the client.

  4. Install CTE-U v10.x on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.

  5. Navigate to the corresponding production CTE-U GuardPoint on the CipherTrust Manager and enable it.

  6. Make sure that GuardPoints are applied properly on the Linux servers.

Note

This section applies to CTE-U 8.x and 9.x clients.

  1. Run the pfmigrate utility with required parameters to migrate the CipherTrust Manager configuration for ProtectFile.

  2. Check that all of the appropriate policies, rules, and clients/client groups are created in CipherTrust Manager.

  3. Uninstall the CTE-U agent from the client.

  4. Install CTE-U v10.x on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.

  5. Navigate to the corresponding production CTE-U GuardPoint on the CipherTrust Manager and enable it.

  6. Make sure that GuardPoints are applied properly on the Linux servers.

On this page