Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Migrating to CTE or CTE UserSpace

Prerequisites for Migration

search

Please Note:

Prerequisites for Migration

This page lists the prerequisites for migration. Ensure these pre conditions are satisfied before proceeding with migration process.

copy link to clipboardPrerequisites for Migration for CTE and CTE-U

  1. Users must have the proper licensing for the application to which they are migrating, (CipherTrust Transparent Encryption or CTE-U). For more information on licensing, see CTE UserSpace Licensing Model

  2. User must have Read/Write access to Data Transform.

  3. For Linux installations, the default root access must be read/write. Otherwise, the system can crash.

  4. Ensure that the CTE/CTE-U release supports the OS version on which ProtectFile is installed. CTE Windows supports all of the platforms supported by ProtectFile Windows. CTE-U/CTE Linux supports almost all of the OS versions that ProtectFile supports. The exceptions are listed in Platforms Not Supported by CTE/CTE-U Linux. These ProtectFile instances cannot be migrated to CTE.

  5. Backup the data. The migration process does not preserve state across a power cycle. In the event of a power failure or intentional/ unintentional reboot of a file server when migration is in progress, restore the data from a backup.

  6. Plan downtime. Downtime is required for each protected path on a file server that will be migrated. This means that the other paths can continue to be used with production workloads.

  7. Downtime for an encrypted path means the following:

    1. No application can use that path. In case of NAS shares, the shares must be unmounted from all nodes except the one on which the migration is being performed.

    2. For Linux: In the case of clusters, the migration is carried out on the active node and all of the other nodes must be passive.

    3. For Windows: Storage must be offline. Otherwise, failover can occur.

    4. In case an encrypted path is exported as a NAS share, you must stop the export before beginning the migration.

    5. Migration requires that ProtectFile encrypted paths must have Read/Write access to write, which allows plain text access to applications.

  8. Users who are responsible for migration must be a member of the CTE Admin Group. To add a user to a group, see Assign a User to a Group for more information.

copy link to clipboardPrerequisites for Migration of CTE only

The following prerequisites must be performed before beginning the migration process. Refer to the CTE documentation for more information on installing and configuring CTE:

  1. For CipherTrust Transparent Encryption Linux installations, ensure that CTE is certified for the kernel version on which ProtectFile is installed. In case the kernel version is not certified, do not proceed with the migration and contact Thales support.

  2. For both ProtectFile Windows and Linux installations, ensure that the file system of the encrypted paths is supported by CTE. CTE Windows supports all of the file systems that are supported by ProtectFile Windows. For CTE Linux, there are some file systems which are not supported. File Systems Not Supported by CTE/CTE-U Linux contains the list of file systems that are not supported by CTE Linux. If the file system is not supported by CTE, the migration is not possible.

  3. For ProtectFile Linux installations that protect data on NFS shares, examine the mount point of the NFS shares on each node. For ProtectFile, the NFS shares can be mounted on a different path on each node. However, in CTE, the NFS shares must be mounted on the same path on all of the nodes. Do not proceed with migration until the shares are mounted on the same path on all of the nodes.

    For example:

    /mnt_1 is a mount point

    ProtectFile

    192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1 192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_2 ← host 2

    CipherTrust Transparent Encryption

    192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1 192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 2

  4. CTE contains two drivers: vmfiltr and vmlfs. Data migration, from ProtectFile format to CipherTrust Transparent Encryption format, can only work with the vmfiltr drive. To change to the vmfiltr driver, type:

    voradmin config enable vmfiltr

copy link to clipboardLimitations

copy link to clipboardPlatforms Not Supported by CTE-U v10.x

This is the list of platforms that ProtectFile supports but CTE-U v10 does not.

  • PowerPC 64 Little Endian (ppc64le)

copy link to clipboardPlatforms Not Supported by CTE

  • Oracle Enterprise Linux - UEK kernels

  • PowerPC 64 Little Endian (ppc64le)

copy link to clipboardOS Not Supported by CTE-U v10

  • Migration to CTE-U v10 is not supported on Ubuntu 18. It is supported on Ubuntu 20.

copy link to clipboardFile Systems Supported by CTE-U v10

Local File Systems Network File Systems
Btrfs NFSv3
Ext4 NFSv4
XFS

copy link to clipboardFile Systems Not Supported by CTE-U v10

This is the list of file systems that CTE-U v10 for Linux does not support.

Not Supported
Ext3
GFS2
OCFS2
TRFS
VxFS

copy link to clipboardFile systems not supported by CTE Linux

Not Supported
BTRFS
OCFS2
GFS2
VxFS

copy link to clipboardSpecial Cases

Migration of a CTE-U v9.x in Linux Pacemaker Cluster to CTE-U v10 is supported in both active-active and active-passive scenarios.

On this page