PFMigrate Utility
Introduction
Policy migration is the first step in the migration process. PFMigrate is a utility that you can use to migrate the configuration elements of legacy products (ProtectFile and CTE-U v9.x) in CipherTrust Manager to their equivalent CTE or CTE-U v10.x configuration elements on the same or a different CipherTrust Manager.
You can migrate single, multiple, or all clients by providing a list of ProtectFile and CTE-U v9.x clients in a predefined input file for migration. You can also preview the result before migration by running the utility in Dry Run mode.
Both legacy and current product lines provide transparent encryption, with additional access controls. However, there are several small but significant differences, in terms of deployment scenarios, policy management, encryption schemes, application access, and audit trails. This guide describes all such differences.
The pfmigrate utility only migrates configurations on CipherTrust Manager. Based on your source and target product, you may need to perform additional steps to migrate data on the file servers/clients.
Permissions
You can run the pfmigrate utility from any Windows or Linux client that can access CipherTrust Manager. You can run it as any user and it does not require root or administrator privileges.
The utility can migrate ProtectFile configuration elements to CTE on the same CipherTrust Manager (CM) that hosts the ProtectFile configuration. Alternatively, you can choose a different CM for the CTE configuration. However, you can migrate ProtectFile (Linux) and CTE-Userspace to CTE-U v10 only on a CM that has the same set of key material as the source CM.
Objective
The objectives of the PFMigrate utility can be:
- Migrate policies and keys based on legacy products to the latest state-of-the-art Thales file encryption products.
- Replace CTE-U on a client with CTE-U v10.
Expectations
Remember the following while performing the migration:
- If you are planning to deploy any more encryption rules, deploy them as a CTE or CTE-U v10 rule after the migration is completed. Do not create new ProtectFile or CTE-U encryption rules.
- Once the path is migrated successfully and removed from the ProtectFile path, CTE or CTE-U v10 ensures the protection of those paths.
- If the name of a User set, Resource set, Process set, group, rule, or access policy contains a space, the spaces are removed during migration.
  For example:
  - Before migration: username: pf user
  - After migration: username: pfuser
  Thales recommends using the underscore character in place of spaces in CTE-U. For example: pf_user.
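A pre-migration check for the space-removal rule above, as an added example that is not Thales code and does not call pfmigrate or CipherTrust Manager. It lists the names that will change and flags names of the same element type that become identical once spaces are removed, so that policies referencing them can be reviewed first. The inventory is constructed sample data, and how the utility itself treats such duplicates is not stated on this page.

```python
from collections import defaultdict

# Constructed sample inventory (not from a real CipherTrust Manager):
# (element type, name) pairs as they exist before migration.
SAMPLE_INVENTORY = [
    ("user set", "pf user"),
    ("user set", "pfuser"),
    ("user set", "admins"),
    ("resource set", "hr share"),
    ("process set", "backup agent"),
    ("process set", "backup  agent"),
    ("access policy", "finance ro"),
]

def migrated_name(name):
    """Name after migration, per the rule above: spaces are removed."""
    return name.replace(" ", "")

def underscore_name(name):
    """Space-free alternative with underscores, e.g. 'pf user' -> 'pf_user'."""
    return "_".join(name.split())

def preflight(inventory):
    """Return (renames, collisions) for a list of (element_type, name) pairs.

    renames:    (type, old name, migrated name, underscore form) tuples
    collisions: {(type, migrated name): sorted old names} where several
                names of one type become identical without their spaces
    """
    renames = []
    by_target = defaultdict(set)
    for etype, name in inventory:
        target = migrated_name(name)
        by_target[(etype, target)].add(name)
        if target != name:
            renames.append((etype, name, target, underscore_name(name)))
    collisions = {k: sorted(v) for k, v in by_target.items() if len(v) > 1}
    return renames, collisions

if __name__ == "__main__":
    renames, collisions = preflight(SAMPLE_INVENTORY)
    for etype, old, new, alt in renames:
        print(f"{etype}: '{old}' becomes '{new}' (underscore form: '{alt}')")
    for (etype, new), olds in collisions.items():
        print(f"REVIEW {etype}: {olds} all map to '{new}'")
```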