Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

CTE Administration

Backup and Restore

Please Note:

Administration
CipherTrust Manager Administration
- Authentication
  - Authentication Settings for NAE, KMIP, Web, and Preboot Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Managing Your Own User Account Settings
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Labels in Connection Manager
  - AWS
  - Google
  - Secure Copy Protocols (SCP/SFTP)
  - Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure
  - DSM Connection
  - OIDC
  - LDAP
  - Attestation Authority Connection
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
      - Managing External CM Server Connections using ksctl
      - Managing CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
- Secrets Management
- Reports
- Key Templates
Application Data Protection Administration
- Central Management Workflow
- Interfaces
- Using DPG with Central Management
  - Managing DPG Applications
  - DPG policies
- Using CRDP with Central Management
  - Managing CRDP Applications
- Using CDP for Teradata VCL with Central Management
  - Managing CDP for Teradata VCL Applications
- Using CADP for Java with Central Management
  - Managing CADP for Java Applications
- Using BDT with Central Management
  - Managing BDT Applications
  - Managing Data Sources
  - Managing Job Configuration
    - Running Job from Application
    - Running Job from Job Configuration
  - Job Status
- Managing Character Sets
  - Creating character set
  - Deleting character set
- Managing User Set
  - Viewing user set
  - Creating user set
  - Deleting user set
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
  - Protection Policy Versioning Details
  - IV for FPE/AES
  - Key States
  - Tweak algorithm and tweak data compatibility details
- Tasks
  - How to delete stale clients
  - View updated status of clients
  - Auto Renewal of Client Certificates
  - Fetch Latest Data from CipherTrust Manager
- Heartbeat Configuration
- Single Pane of Glass
BDT Administration
- Protection Profiles
- BDT Policies
- BDT Containers
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - CSE Guest Access Support for Google Meet and Google Drive
  - Google CSE support for Google's end-to-end encrypted email
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
    - Gmail
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
  - OCI EKMS Performance Summary
- Migrate from CCKM Appliance
- Backup and Restore
- Key Material Export and Upload
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CTE UserSpace Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Confidential Computing
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
  - Managing FAM Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing Designated Primary Set Connection
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
  - Collecting Kubernetes Agent Information
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Confidential Computing
- Ransomware Protection
- File Activity Monitoring (FAM)
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- DDC Overview
- Concepts
  - User Groups
  - Locations
  - Information Types
  - Classification Profiles
  - Scans
  - Reports
  - Agents
- Discovering Sensitive Information
  - Local Data Stores
  - Network Storage Data Stores
  - Big Data Data Stores
  - Server Data Stores
  - Clouds
    - AWS S3
    - Azure Blobs
    - Azure Table
    - Google Workspace: GDrive
    - Google Workspace: Gmail
    - Office 365: Exchange Online
    - Office 365: OneDrive for Business
    - Office 365: SharePoint Online
    - Salesforce
  - Databases
    - IBM Db2
    - MongoDB
    - Microsoft SQL
    - MySQL
    - Oracle
    - PostgreSQL
    - SAP HANA
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management Administration
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM
- Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
- CSM Integration with Luna Network HSM
- CSM Akeyless Gateway Version Files for CipherTrust Manager
- Managing Akeyless Gateway Versions for CSM

CipherTrust Manager
Administration
CTE Administration
Backup and Restore

Backup and Restore

CipherTrust Manager provides options to back up CTE policies and restore them to other CipherTrust Manager appliances. A CipherTrust Manager administrator with backup and restore permissions can fully or partially export CTE policies from one domain and import them into a different domain on the same CipherTrust Manager or a different CipherTrust Manager. The data under the backed up (exported) policies will remain encrypted.

This section covers the following topics:

Assumptions
Backing up and Restoring Keys and CTE Policies
Signing Files in Restored Signature Sets

Perform the steps in the given order.

Assumptions

Before restoring CTE policies into the same or a different CipherTrust Manager:
- Restore all the keys associated with CTE policies.
- Restore the backup keys.
The policy backup file contains policies with the associated resources, including:
- Security rules
- Key rules
- LDT rules
- IDT rules
- Policy elements (user sets, process sets, resource sets, and signature sets)
The backed up policy data does not include:
- Keys that are associated with key rules. However, if the backup of keys and CTE policies is taken together, then the linked keys are included in the backup.
- Signatures associated with signature sets

Note

If the system, where the policies are being restored, contains any conflicting policy or policy elements:

Policies with the same name are skipped.
All policies using the conflicting policy elements are skipped.

Backing up and Restoring Keys and CTE Policies

Tip

CTE policies and keys used can be backed up separately (in different backup files) or together (in a single backup file.) If they are backed up separately, the key backup must be restored before the CTE policies.

Keys and CTE Policies are Backed up Together

When you want to back up the keys and CTE policies together:

Back up the keys and CTE policies.
1. Create a domain scoped backup key. You can also use an existing backup key. This key is needed to encrypt the backup file.
2. Download the domain scoped backup key. Ignore this step if you have already downloaded the key.
3. Create a domain scoped backup of keys and CTE policies.
4. Download the domain scoped backup of keys and CTE policies.
  A backup file of keys and CTE policies will be downloaded. You need to restore this backup file to the destination CipherTrust Manager where you want to restore the backed up keys and CTE policies.
Now, transfer the downloaded backup key and the backup file to the destination CipherTrust Manager, as described below.
Restore the backup file.

Keys and CTE Policies are Backed up Separately

When you want to back up the keys and CTE policies separately:

Back up the CTE keys.
1. Create a domain scoped backup key. You can also use an existing backup key. This key is needed to encrypt the exported backup file.
2. Download the domain scoped backup key. Ignore this step if you have already downloaded the key.
3. Create a domain scoped key backup.
4. Download the domain scoped key backup.
  A backup file of keys will be downloaded. You need to restore this backup file to the destination CipherTrust Manager where you want to restore the backed up keys.
Now, transfer the downloaded backup key and the backup file to the destination CipherTrust Manager, as described below.
Back up the CTE policies.
1. Create a domain scoped backup key. You can also use an existing backup key. This key is needed to encrypt the exported backup file.
2. Download the domain scoped backup key. Ignore this step if you have already downloaded the key.
3. Create a domain scoped CTE policy backup.
4. Download the domain scoped CTE policy backup.
  A backup file of CTE policies will be downloaded. You need to restore this backup file to the destination CipherTrust Manager where you want to restore the backed up policies.
Now, transfer the downloaded backup key and the backup file to the destination CipherTrust Manager, as described below.
Import the downloaded backup file.

Signing Files in Restored Signature Sets

The restored policy backup contains imported signature sets. As the signatures linked with the signature sets are not included in the backup, you need to sign the files in the signature sets. Refer to Signing Files in a Signature Set for details.

On this page

CipherTrust Manager

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com