Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation and Registration on Linux with UEFI Secure Boot
  - Windows Installation
  - Windows Registration
- Guarding a Directory with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Identify or Create an Encryption Key
  - Create a Standard Policy
  - Create and Assign a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Guarding a Directory with Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
    - Connecting to CipherTrust Manager through a Proxy Server
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
  - Enabling or Disabling Enhanced Ransomware Protection
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - Benchmark Tool for Measuring Throughput
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
      - Silent Installation Using the exe File
      - Silent Installation Using the MSI File
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
    - Connecting to CipherTrust Manager through a Proxy Server
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
      - Using STA for Multifactor Authentication for CTE GuardPoints
      - Using Okta for Multifactor Authentication for CTE GuardPoints
      - Using Keycloak for Multifactor Authentication for CTE GuardPoints
      - Using Cisco DUO for Multifactor Authentication for CTE GuardPoints
      - Using Microsoft Azure Entra ID Multifactor Authentication for CTE GuardPoints
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
    - Connecting to CipherTrust Manager through a Proxy Server
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using Data Transformation to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with Data Transformation
  - Rekeying Using the Manual Copy Method
- Appendix: Transformation References
  - Common Data Transformation Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous Data Transformation Session
  - Checking for Hard-Link Files Inside the GuardPoint with Data Transformation
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete Data Transformation Session
  - Automatic and Manual GuardPoints
  - Guarding non-system-sensitive sub-directories
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Versioned Keys in LDT
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies or converting a Standard Policy to an LDT Policy
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
      - General Best Practices for QoS
      - Select and Set Rekey I/O Rate
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
      - Renaming Directories on Linux
      - Caveats
      - Example
      - Considerations
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
      - CTE Windows Deployment for LDT AccessOnly nodes
      - Configuring LDT for CIFS shares Mapped to Multiple IP addresses
    - Policy and GuardPoint Management
      - Creating a GuardPoint on a CIFS Share Drive on CipherTrust Manager
      - Pausing and Resuming LDT per host and per GuardPoint
      - Migrating GuardPoints over NFS from or to an LDT Policy
      - Multiple GuardPoint Pathnames
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service for LDT CIFS/NFS GuardPoints
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Connecting to CipherTrust Manager through a Proxy Server

You can configure a CTE client to communicate with a CipherTrust Manager through a proxy agent. This would be useful for isolating the CTE clients from the internet because a single proxy system can act as a gateway between the CTE clients and the remote CipherTrust Manager.

Only simple HTTP proxy servers are supported with this release, using the HTTP CONNECT request method.

Note

Although the connection between the CTE client and the proxy server uses HTTP and not HTTPS, there is no security risk since all of the data transferred through the proxy uses a TLS connection between the CTE client and the CipherTrust Manager. If a secure connection is required between the CTE client and the proxy server, you can achieve this by using an SSH tunnel.

Defining a CipherTrust Manager proxy for CTE

To prevent any issues with existing proxy configurations, the CTE client only accepts a proxy definition in the following format:

    CTE_CM_PROXY=<proxy definition>

Example

    CTE_CM_PROXY=proxy-usa.thales.com:8080

Content of Proxy definition

The proxy definition requires a minimum of two fields, and may also contain additional authorization fields if basic access authentication is required by the proxy server.

See Basic access authentication for more information.

Required fields:

Proxy host name or IP address, for example:
- Host name: myproxy.datacenter.net
- IP address IPv4: 192.168.0.1
- IP address IPv6: [fe80::b47c:38cf:5635:766e]
Proxy host port number, for example:
- Port number must be between 1 and 65535
Hostname/IP address and Port number must be separated using a colon, for example:
- 10.0.0.1:9999
- [fe80::b47c:38cf:5635:766e]:8080
Optional fields are for basic authentication, and contain a username and password, separated by a colon, for example: proxyuser:secret. This combined value is added at the start of the proxy definition, separated from the host name using an the @ sign, for example:
```
CTE_CM_PROXY=proxyuser:secret@10.0.0.1:9999
```

Windows Systems

To provide the proxy definition:

Click Search in the task bar.
Type: Environment Variables.
Click Advanced > Environment variables.
In the System Variables field, click New.
For Variable Name, type: CTE_CM_PROXY
For Variable Value, type the appropriate definition.

Linux and AIX Systems

To provide the proxy definition:

Define the proxy with an environment variable before installation and/or registration, for example:
```
export CTE_CM_PROXY=10.0.0.1:9999
```
When installing and/or registering using silent mode, define the proxy using an entry in the silent control file, for example:
```
CTE_CM_PROXY=10.0.0.1:9999
```
Define the proxy using a configuration file named cm_proxy.cfg located here:
- CTE: /etc/vormetric
- CTE-U: /etc/cte
This file is created, if required, during registration, and used subsequently by the vmd and vmutil programs.

Changing the proxy definition

If you need to modify an existing proxy setup:

Update/delete the controlling variable:
- Windows: Change/remove the environment variable on a Windows systems
- Linux/AIX: Update/remove the cm_proxy.cfg file content on Linux and AIX systems.
Linux: Restart the vmd service.

Windows: Restart the Thales etray application.

Using CTE with a Proxy

Once you have defined the proxy, normal CTE operations such as registration, or browsing from the CipherTrust Manager, continue as normal. For example, when registering, provide the CipherTrust Manager address as you would when no proxy is in use.

When CTE connects to a CipherTrust Manager, all connections are established through the proxy server. This is true for any type of connection: single node, cluster member, load balancer, etc. This occurs when the vmd service connects to a CipherTrust Manager node, cluster member, or load balancer, and when CTE uploads log files to CipherTrust Manager. If you monitor the traffic on the proxy server, all you will see are HTTP CONNECT messages with the target CipherTrust Manager address in the message, for example:

CONNECT 10.171.47.14:443 HTTP/1.1

The content of any of the following messages cannot be seen by the proxy server since they are TLS encoded. The proxy server acts as a transparent tunnel to all such traffic.

Agenthealth (Linux and AIX only)

When the agenthealth script run, the proxy configurations is checked, and displays in the output as in the following example:

VMD is running ................................... OK
SECFSD is running ................................ OK
Checking proxy setup ............................. OK
Proxy 10.171.4.2:9999 reachable .................. OK
10.171.37.226 port 443 reachable via proxy ....... OK
10.171.44.239 port 443 reachable via proxy ....... OK
10.171.47.14 port 443 reachable via proxy ........ OK
10.171.39.126 port 443 reachable via proxy ....... OK
Can communicate to at least one server ........... OK
Time of last update from server .................. 2025-07-25 03:56:24.148

AgentInfo

Linux or AIX: When the agentinfoscript is run on Linux or AIX, the content of any cm_proxy.cfg file is captured.
Windows: Examine the environment variable, CTE_CM_PROXY, through any command line window.

Validating a Proxy Definition

You can use the check_host utility to perform parsing and validation of a provided proxy definition, and to output the component fields. The full syntax of the command allows any URL components to be extracted, but for proxy validation only the host name, port, user name, and password fields are relevant. These are selected using the flags h, p, u, and w. For example:

Example 1

agent/vmd/bin/check_host -f hpuw -u proxyuser:secret@testproxy.com:9999

Response

USER=proxyuser
PASSWORD=secret
HOST=testproxy.com
PORT=9999

Example 2

agent/vmd/bin/check_host -f hpuw -u testproxy.com:9999

Response

HOST=testproxy.com
PORT=9999

Example 2 shows that the optional fields can be omitted. However, any valid, but unwanted fields, or invalid fields, generate error, for example:

Example 1

agent/vmd/bin/check_host -f hpuw -u testproxy.com:9999/test

Response

Invalid URL testproxy.com:9999/test : Path in url not expected

Example 2

agent/vmd/bin/check_host -f hpuw -u testproxy.com:

Response

Invalid URL testproxy.com: Port number was not a decimal number between 0 and 65535

Ensuring that all required fields are output is the users responsibility. For example, the following is valid but not usable as there was no PORT in the output:

agent/vmd/bin/check_host -f hpuw -u testproxy.com

Response

HOST=testproxy.com

Suggest A Change

Connecting to CipherTrust Manager through a Proxy Server

Defining a CipherTrust Manager proxy for CTE

Content of Proxy definition

Required fields:

Windows Systems

Linux and AIX Systems

Changing the proxy definition

Using CTE with a Proxy

Agenthealth (Linux and AIX only)

AgentInfo

Validating a Proxy Definition

Example 1

Example 2

Example 1

Example 2

On this page