Migration Overview
What is Migration?
Migration allows for seamless transition from Thales legacy products like ProtectFile, or CTE-U v9.x, to state of the art products from CipherTrust Transparent Encryption suite. This transition will create ProtectFile and CTE-U v9.x equivalent configurations in Transparent Encryption on CipherTrust Manager. Note that some encrypted data formats may not require migration.
Note
There is no direct migration path from KeySecure Classic to the CipherTrust Transparent Encryption or CipherTrust Manager. The CipherTrust Transparent Encryption migration requires both ProtectFile and CTE UserSpace to use CipherTrust Manager.
For Customers still using ProtectFile with KeySecure Classic, they should migrate from the KeySecure Classic configuration to CipherTrust Manager first. Refer to Migration from KeySecure Classic to CipherTrust Manager.
Why migration?
If you are using ProtectFile or CTE-U v9.x, you must migrate to a CipherTrust Transparent Encryption product of your choice.
Thales CipherTrust Transparent Encryption suite offers two products to which you can migrate:
-
CTE Agent for Linux and Windows This is the state of the art solution for file encryption. For Linux, this is a kernel-based implementation. This is referred to as CTE in this document.
-
CTE UserSpace Agent: This is a Linux-only, kernel-agnostic solution that is suitable for customers with frequent kernel change requirements. This solution is on par with CipherTrust Transparent Encryption for Linux in terms of functionality.
Migration Paths
You can migrate the following products:
| Source Product | Recommended Minimum Version | Target Product | Recommended Minimum Version |
|---|---|---|---|
| CTE UserSpace | 8.x / 9.x | CTE-U Agent (Linux only) | v10.0 or higher |
| ProtectFile Linux | 8.12.4p01 | CTE-U Agent (Linux only) | v10.0 or higher |
| ProtectFile Linux | 8.12.4p01 | CTE Agent for Linux | v7.3 or higher |
| ProtectFile Windows | 8.12.2 | CTE Agent for Windows | v7.3 or higher |
CipherTrust Manager minimum version requirements for the migration process:
| Product | Recommended Minimum Version |
|---|---|
| CipherTrust Manager | 2.2.0-5508 |
Migration Process
Migration consists of the following two steps:
-
Policy Migration: Migrate the ProtectFile configuration elements on CipherTrust Manager to their equivalent CipherTrust Transparent Encryption configuration elements on CipherTrust Manager. The PFMigrate tool is used for migrating configurations.
Policy migration is applicable for all of the above product migrations to CipherTrust Transparent Encryption or CTE-U.
-
Data Migration: Migrate the encrypted data for each ProtectFile encryption rule from ProtectFile format to CTE/CTE-U format. Dataxform tool is used for data migration.
Note
Data migration is required only in the case of ProtectFile migration to CTE.
Summary
The following list is a high-level summary overview of the steps required for migrating ProtectFile Rules on Windows or Linux file servers. The succeeding sections describe the details of the migration.
Note
For explicit details on how to complete tasks on CipherTrust Manager, CipherTrust Transparent Encryption and Data Transformation, and ProtectFile, consult the product documentation for each product.
Migration Stages
Click the desired tab below for migration steps.
The following diagram depicts the migration stages:
Assuming Stage 1 is already completed. Steps below are for Stage 2 onwards.
-
Run the
pfmigrateutility with required parameters to migrate the CipherTrust Manager configuration for ProtectFile. -
Check that all of the appropriate policies, rules and clients/client groups are created in CipherTrust Manager.
-
Install CTE on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.
-
Make sure that GuardPoints are applied properly on the Linux and Windows servers.
-
On the CipherTrust Manager, ProtectFile encryption rule which is to be migrated, edit the access policy to give Read/Write access to the
dataxformprocess. -
On the file server, run data transformation (
dataxform) on each encryption rule/protected path.
Note
Thales recommends that you transform one encryption rule at a time.
-
Navigate to the ProtectFile encryption rule on CipherTrust Manager and disable it.
-
Disable the corresponding data transformation CTE GuardPoint on CipherTrust Manager.
-
Navigate to the corresponding production CTE GuardPoint on CipherTrust Manager and enable it.
-
After all the encryption rules are transformed then they must uninstall ProtectFile agent from the host.
-
Run the
pfmigrateutility with the required parameters to migrate the CipherTrust Manager configuration for ProtectFile. -
Check that all of the appropriate policies, rules, and clients/client groups are created in CipherTrust Manager.
-
Uninstall the ProtectFile agent from the client.
-
Install CTE-U v10.x on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.
-
Navigate to the corresponding production CTE-U GuardPoint on the CipherTrust Manager and enable it.
-
Make sure that GuardPoints are applied properly on the Linux servers.
Note
This section applies to CTE-U 8.x and 9.x clients.
-
Run the
pfmigrateutility with required parameters to migrate the CipherTrust Manager configuration for ProtectFile. -
Check that all of the appropriate policies, rules, and clients/client groups are created in CipherTrust Manager.
-
Uninstall the CTE-U agent from the client.
-
Install CTE-U v10.x on the file servers and register them with the CipherTrust Manager with their exact post-migration names on the CipherTrust Manager.
-
Navigate to the corresponding production CTE-U GuardPoint on the CipherTrust Manager and enable it.
-
Make sure that GuardPoints are applied properly on the Linux servers.
