Re-Authenticating a VM with an Encrypted Root Device or Boot Disk
Because encryption keys are never stored locally, a VM with an encrypted boot partition requires access to Cryptographic Security Platform Vault when booting or the attempt will fail. If Cryptographic Security Platform Vault is not available when the system is booted, the VM repeatedly attempts to contact Cryptographic Security Platform Vault for 30 seconds. If contact cannot be established after that time, the VM presents a console menu with a number of options.
This procedure describes how to re-authenticate a Linux VM with an encrypted root device or a Windows VM with an encrypted boot disk using the console menu on the VM. If you want to re-authenticate a regular VM, see Re-Authenticating a Standard VM.
Note: The following procedure only works with root or boot-encrypted VMs because they continually try to reach Cryptographic Security Platform Vault until they are authenticated. Regular VMs stop trying to contact Cryptographic Security Platform Vault after a small number of attempts.
Procedure
- Access the VM through your hypervisor.
  If you are unable to view the console directly, for example in environments such as Amazon Web Services (AWS), you can access the console using an SSH client. This requires the id_rsa key file generated during the Policy Agent installation. Copy the id_rsa file to the server and then reboot.
  Tip: If you need another copy of the id_rsa key file, you can download it from the Cryptographic Security Platform Vault for VM Encryption webGUI by selecting the VM on the Workloads > VMs tab and then selecting Actions > Download Bootloader SSH Key.
- The Policy Agent should automatically display the console when it has failed to authenticate with Cryptographic Security Platform Vault for at least 30 seconds. From this console menu, select Authenticate for Linux or Reauthenticate for Windows.
- When prompted, enter a one-time passphrase of exactly 16 alphanumeric characters. You will use this passphrase to validate the reauthentication request in the Cryptographic Security Platform Vault for VM Encryption webGUI.
- Reauthenticate the VM using the Cryptographic Security Platform Vault for VM Encryption webGUI:
  - Log into the Cryptographic Security Platform Vault for VM Encryption using an account with Cloud Admin privileges.
  - In the top menu bar, click Workloads.
  - Select the VM in the table and then select Actions > Authenticate.
  - Enter the one-time passphrase at the prompt.
  - Return to the VM and make sure that it can now communicate with Cryptographic Security Platform Vault and that the boot process succeeds.
- If reauthenticating the VM from the console does not work, you can try to rescue the authentication from the Cryptographic Security Platform Vault for VM Encryption webGUI. Rescue authentication can only be used on encrypted boot drives, and it should only be used after you have tried reauthenticating from the console menu on the VM.
  To use rescue authentication, make sure the VM is selected in the Cryptographic Security Platform Vault for VM Encryption webGUI, then select Actions > Rescue Authentication. At the VM's next heartbeat, Cryptographic Security Platform Vault authenticates the VM.