Data Encryption Overview

This chapter describes support for encryption within individual Virtual Machines (VMs) wherever they reside (data center, private, public or hybrid clouds). For virtual machines, Entrust's encryption works independently of the hypervisor type (Type 1, Type 2, etc.), the hypervisor vendor (VMware, Microsoft, Citrix, Red Hat, etc.), the cloud environment (Amazon AWS, ENKI, Microsoft Azure, etc.) and cloud frameworks such as OpenStack. Throughout the chapter, we refer to the virtualized case and call the agent being managed by Cryptographic Security Platform Vault a "VM."

Once the VM has been registered, you can manage it through the Cryptographic Security Platform Vault webGUI or the hicli.

In order to encrypt a VM, complete the following tasks:

1. Install Cryptographic Security Platform Vault and configure the Cryptographic Security Platform Vault cluster.
   See Installation Overview.

2. If desired, create one or more custom Cloud Admin Groups in addition to the default Cloud Admin Group.
   See Creating a Custom Cloud Admin Group. This step requires a Cryptographic Security Platform Vault account with Security Admin privileges.

3. Create one or more users with Cloud Admin privileges and assign them to the appropriate Cloud Admin groups.
   See Creating a New Cryptographic Security Platform Vault-Managed User Account. This step requires a Cryptographic Security Platform Vault account with Security Admin privileges.

4. Create one or more Cloud VM Sets.
   See Creating a Cloud VM Set for the Cryptographic Security Platform Vault for VM Encryption. This step requires an account with Cloud Admin privileges.

5. Install the Entrust Policy Agent on the VM you want to encrypt and register it with Cryptographic Security Platform Vault.
   For Linux, see Linux Policy Agent Installation.
   For Windows, see Windows Policy Agent Installation.

6. Encrypt the data on the VM.
   See one of the following:

Note:

  • An encryption can be interrupted, but cannot be canceled or reversed. To reverse an encryption, allow the encryption to complete and then start a decryption.

  • If an encryption, decryption, or rekey operation is interrupted, the following table describes the expected behavior.

    Operating System   Mode      Disk Type    Behavior on Interrupted Operation
    Linux              Offline   Root Drive   Automatically picks up from where it was interrupted.
    Linux              Offline   Data Drive   You must reissue the command that was interrupted to resume the operation.
    Linux              Online    Root Drive   Automatically picks up from where it was interrupted.
    Linux              Online    Data Drive   Automatically picks up from where it was interrupted.
    Windows            Online    Boot Drive   Automatically picks up from where it was interrupted.
    Windows            Online    Data Drive   Automatically picks up from where it was interrupted.