--- title: "Thales CTE With Wasabi" slug: "how-to-use-thales-cte-with-wasabi" updated: 2026-05-31T00:21:04Z published: 2026-05-31T00:21:04Z --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt > Use this file to discover all available pages before exploring further. # Thales CTE With Wasabi Wasabi has been validated for use with [Thales](https://cpl.thalesgroup.com/) CipherTrust Transparent Encryption (CTE). Thales CTE delivers data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging. ### 1. Prerequisites - Active [Wasabi Cloud Storage Account](https://wasabi.com/sign-up) - Wasabi Bucket - See our [Bucket Creation Guide](https://docs.wasabi.com/docs/working-with-buckets-and-objects) - Access & Secret Key Pair - See our [Access Keys Guide](https://docs.wasabi.com/docs/creating-a-user-account-and-access-key) - Active Cipher Trust Manager - Access to CTE 7.3 Software - Red Hat Enterprise Linux 7 or 8 Instance ### 2. Reference Architecture ![Thales_CTE_Architecture.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15494061701019.png) ### 3. Create CTE User and Group 3.1 Create a CTE User account in your Wasabi Cloud Console. Click on "Users" in the left hand pane and then click on "Create User" on the right hand side. ![User_Creation.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497515998747.png) 3.2 Name the user, then select "Programmatic (create API key)" and then click on "Next" ![cte-user.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497573229595.png) 3.3 Next click on "+ Create A New Group" and name the group "cte" and then click on "Next" at the bottom. ![create_group.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497612608923.png) 3.4 Add "WasabiFullAccess" and "AmazonS3FullAccess" policies to the group and then click "Next". ![add_policies.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497710182683.png) 3.5 Verify the information and then click on "Create User". ![create_user.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497718089371.png) 3.6 Download and save your newly created API Key Set for the user which will be used by the CTE Agent. ![user_api_keys.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15497880255515.png) ### 4. Test Access to Wasabi 4.1 Copy file to bucket ```plaintext aws s3 cp hello.txt s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com ``` 4.2 Verify file exists in Wasabi - via cli ```plaintext aws s3 ls s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com ``` ***Note****: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our*[*Wasabi Service URLs*](https://docs.wasabi.com/docs/what-are-the-service-urls-for-wasabis-different-storage-regions)*.* - via Console ![file_bucket_verification.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498140849051.png) ### 5. Install AWS CLI 5.1 Run the following commands to install the AWS CLI ```plaintext curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install ``` 5.2 Configure AWS CLI with the Wasabi User Credentials and Region where the bucket resides ```plaintext aws configure ``` ![aws_configure.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498459485467.png) ***Note****: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our*[*Wasabi Service URLs*](https://docs.wasabi.com/docs/what-are-the-service-urls-for-wasabis-different-storage-regions)*.* 5.3 Add CTE cosCA.crt location to the configuration file ```plaintext sudo vim .aws/config ca_bundle = /opt/vormetric/DataSecurityExpert/agent/squid/etc/cosCA.crt ``` ![CTE_cosCA.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498497817499.png) ### 6. CipherTrust Manager Config 6.1 Add Registration Token - From the CM Console, expand "Access Management" and then click on "Registration Tokens" ![CT_M_Tokens.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498604907675.png) 6.2 Click "+ Add Registration Token" ![add_registration_token.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498693629723.png) 6.3 Click on "Begin" ![click_begin.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498699493787.png) 6.4 Enter the name prefix and click on "Next" ![new_token_name.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498766073883.png) 6.5 Click on "Local" under CA Type and then click on "Create Token" ![new_token_ca.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498835809179.png) 6.6 Copy Token for later use and then click on "Add Token" ![click_add_token.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498836202651.png) ![registration_tokens.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15498836608667.png) ### 7. Create Key 7.1 Click on the keys menu and then click on "+Add Key" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499787429531.png) 7.2 Enter the following details and then click on "Add Key" - Key Name - name of the key - Check the box "XTS/CBC CS1 - Select "Encrypt" and "Decrypt" boxes ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499885331355.png) ### 8. Create CTE Policy 8.1 From the Products Menu click on "Transparent Encryption" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499932990235.png) 8.2 Expand "Policies" in the left hand pane, click on "Policies" and then click "+ Create Policy" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499989381147.png) 8.3 Click on "+ Add Security Rule" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500026009627.png) 8.4 Enter the policy details and click on "Next" - Name - name of the policy - Policy Type - Cloud Object Storage ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500089186715.png) 8.5 Create a Security Rule - Action - Set to all_ops - Effect - Set to Permit, ApplKey. Audit is optional Click on "Add" and then "Next" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500131646235.png) 8.6 Create a Key Rule by clicking on "+ Create Key Rule" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500236056475.png) 8.7 Click on the "Select" button for the "Key Name" section ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500234259995.png) 8.8 Select the key created earlier in previous steps. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500280766747.png) 8.9 Click on "Add" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500285257883.png) 8.10 Click on "Save" and now your policy is created. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500337135771.png) ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15500329752859.png) ### 9. Install CTE Agent on Linux ***Note****- Required Linux Packages -*[*https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/lin-int-packages/index.html*](https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/lin-int-packages/index.html) 9.1 Run the following commands: ```plaintext sudo yum install boost-regex boost-system boost-thread libcurl libtool-ltdl libxml2 epel-release -y sudo yum install cryptopp log4cpp -y sudo yum install python3 python3-pip -y sudo pip3 install boto3 future sudo yum install lsof sudo yum install policycoreutils-python-utils ``` ### 10. Install CTE with COS Service ***Note****- CTE for Cloud Object Storage Documentation found here*[*https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/index.html*](https://www.thalesdocs.com/ctp/cte-con/cte/latest/integrations/lin-int/lin-int-cos/index.html) 10.1 Copy the CTE binary to the RHEL instance 10.2 Login as Root and Install l CTE Agent ```plaintext ./vee-fs-7.3.0-135-rh8-x86_64.bin ``` 10.3. Enter the details of your environment. Be sure to answer Y to Cloud Object Storage ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499629511579.png) ### 11. Configure CTE COS 11.1 Add Wasabi Credentials to the CTE COS S3 ```plaintext voradmin cos s3 cred add BZUACKKCBOERAVKTG15M i52OdrknYzq0nbsq5ptEpmUYHUw0y2BRelibLPwZ voradmin cos s3 chunk BZUACKKCBOERAVKTG15M i52OdrknYzq0nbsq5ptEpmUYHUw0y2BRelibLPwZ 8 ``` ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499415866267.png) ### 12. Configure CTE GuardPoint 12.1 From the Transparent Encryption Section expand "Clients" and click on "Clients" in the left hand pane. ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15524286866971.png) 12.2 Click on the client name and then click on "+ Create GuardPoint" ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15527087104283.png) 12.3 Enter GuardPoint Settings and then click on "Create" - Policy - Select policy created earlier - Type - Auto Cloud Storage - URL - URL of the Wasabi bucket ![Cloud_GuardPoint_Settings.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15527448039963.png) 12.4 After a few moments the GuardPoint will become active ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15527178681755.png) 12.5 You can verify the status of the GuardPoint from the RHEL instance with the following command: ```plaintext sudo secfsd -status guard ``` ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15527308339227.png) ### 13. Configure the AWS CLI Network Proxy 13.1 All communications between client applications and the AWS server must be done through the COS proxy and the environment variable HTTPS_PROXY or https_proxy should be set. If both variables are defined, then the AWS CLI will use https_proxy. ```plaintext Export HTTPS_PROXY=localhost:3128 ``` ### 14. Test CTE COS 14.1 Copy file from RHEL instance to the Wasabi bucket ```plaintext aws s3 cp hello.txt s3://cte-wasabi-demo/ --endpoint-url=https://s3.us-east-1.wasabisys.com ``` ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499165223579.png) ***Note****: This configuration example discusses the use of Wasabi's us-east-1 storage region. To use other Wasabi storage regions, please use the appropriate Wasabi service URL as described in our*[*Wasabi Service URLs*](https://docs.wasabi.com/docs/what-are-the-service-urls-for-wasabis-different-storage-regions)*.* 14.2 At this point you should see ciphertext if accessing the file from the Wasabi console. - Download File and open ![test_cte_cos_file.jpg](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/15499114050203.png) ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-UZQNPNPX.png)