Decrypting a Disk Using the CLI

The following procedure explains how to decrypt a disk and remove it from KeyControl Vault. If you want to remove the disk but you don't care about the contents of the disk, see Removing a Disk from KeyControl Vault.

The following procedure applies to all types of Windows disks and to Linux data disks. You cannot, however, decrypt a Linux system device (such as the root file system, swap, or /home) using this procedure. Instead, use the htroot decrypt command as described in Decrypting a Linux System Device.

Before You Begin 

You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.

Tip: Depending on the size of the encrypted disk, the decryption process can take a long time to run. If the decryption process is interrupted on Windows, it resumes automatically when the disk comes back online. If the process is interrupted on Linux, you must reissue the hcl decrypt command manually to resume it. We recommend that you run the command under the Linux nohup or screen command so that a dropped terminal session does not interrupt the decryption.

Procedure 

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
  2. On the Details tab for the VM, make sure that:

    • The Auto Encryption property is either Disabled or the Automatic Data Encryption Policy does not include the disk you want to decrypt.
    • The Decryption Allowed property is set to Yes. If this field is set to No, click No, select Yes from the drop-down list, then click Save.

    Tip: If you want to decrypt the disks on multiple VMs in this Cloud VM Set, you can change these properties at the Cloud VM Set level and propagate the changes to all VMs in the Cloud VM Set. For more information, see Changing Cloud VM Set Properties.

  3. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  4. If this is a Linux system and you have not enabled Online Encryption for this VM, unmount the disk you want to decrypt. For more information about enabling Online Encryption, see Linux Online Encryption Prerequisites and Considerations.
  5. Enter the hcl decrypt [-s] [-y] diskname command, where:

    • -s (Linux only) tells DataControl to process only allocated blocks, which can dramatically improve performance. DataControl uses system-provided utilities to determine the allocated blocks on the disk. This option is supported for ext2, ext3, and ext4 file systems. It is not supported on XFS. (To change the speed for Windows, see Changing the Encryption/Decryption Speed on Windows.)

      Important: This option does not work if Online Encryption has been enabled for the VM, even if you unmount the disk before running the command. If Online Encryption is enabled, or if the disk is mounted, the -s option causes the command to fail.

    • -y makes the command non-interactive. It suppresses the "Do you want to proceed?" confirmation prompt, so use it whenever the command runs without an attached terminal (for example, under nohup).
    • diskname is the name of the disk that you want to decrypt. For Linux, use the short form of the disk name. (For example, sdb1 instead of /dev/sdb1.) For Windows, specify the drive letter or folder mount associated with the disk. (For example, f: or g:\data).

    DataControl decrypts the disk and unregisters it from KeyControl Vault. Any keys associated with the disk are deleted, so the disk can no longer be returned to its encrypted state without being encrypted again from scratch.

    For Linux, you can now mount the disk in the standard manner and access its contents in plain text. For Windows, all drives and folder mounts are immediately accessible in plain text.

    For example:

    # hcl decrypt -s sdb1
    
    All the data on /dev/mapper/clear_sdb1 will be decrypted
    The clear text data will be available on /dev/sdb1
    This operation may take long time
    Do you want to proceed? (y/n) y
    total device size 1044193 KB
    Processing: 100% 	Time left: 00:00:00
    Completed decryption of sdb1 successfully
    Removed device sdb1
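The following shell helper is an added example written for this page; it is not part of DataControl or the hcl tool. It wraps the Linux steps above: it converts the device path to the short name hcl expects, decides whether the -s option is safe to pass (ext2/ext3/ext4 only, disk not mounted, Online Encryption not enabled), runs the command non-interactively under nohup so a dropped session does not kill it, and checks the log for the "Completed decryption ... successfully" line before the disk is mounted again. The findmnt and lsblk calls in run_decrypt are standard util-linux commands; whether Online Encryption is enabled is not something the guest can query here, so it is passed in as an argument. The sample log at the bottom is constructed for the example and mirrors the output shown above.

```shell
#!/bin/sh
# Added example, not Entrust's code: helpers around `hcl decrypt` on Linux.

# short_name /dev/sdb1 -> sdb1 (hcl takes the short device name, not the path)
short_name() {
    printf '%s\n' "${1#/dev/}"
}

# sparse_ok FSTYPE MOUNTED ONLINE -> 0 if `-s` may be used
# -s only works on ext2/ext3/ext4 (not XFS), and fails when the disk is
# mounted or when Online Encryption is enabled for the VM.
sparse_ok() {
    case "$1" in
        ext2|ext3|ext4) ;;
        *) return 1 ;;
    esac
    [ "$2" = "no" ] && [ "$3" = "no" ]
}

# build_cmd DEVICE FSTYPE MOUNTED ONLINE -> prints the hcl command line to run.
# -y is always passed: under nohup there is no terminal to answer the prompt.
build_cmd() {
    dev=$(short_name "$1")
    if sparse_ok "$2" "$3" "$4"; then
        printf 'hcl decrypt -s -y %s\n' "$dev"
    else
        printf 'hcl decrypt -y %s\n' "$dev"
    fi
}

# decrypt_succeeded DEVICE < LOG -> 0 only if hcl reported completion.
# An interrupted run leaves no such line; rerun hcl decrypt to resume it.
decrypt_succeeded() {
    grep -q "Completed decryption of $(short_name "$1") successfully"
}

# run_decrypt DEVICE ONLINE(yes|no) MOUNTPOINT: the real procedure (root only).
# Without Online Encryption the disk must be unmounted before decrypting.
run_decrypt() {
    dev=$1; online=$2; mnt=$3
    log="/var/log/hcl-decrypt-$(short_name "$dev").log"
    fstype=$(lsblk -no FSTYPE "$dev" 2>/dev/null | head -n 1)
    mounted=no
    if findmnt -n "$dev" >/dev/null 2>&1; then
        if [ "$online" = "no" ]; then
            umount "$dev" || return 1        # step 4 of the procedure
        else
            mounted=yes
        fi
    fi
    cmd=$(build_cmd "$dev" "$fstype" "$mounted" "$online")
    nohup sh -c "$cmd" >"$log" 2>&1            # survives a dropped session
    if decrypt_succeeded "$dev" <"$log"; then
        [ "$mounted" = "yes" ] || mount "$dev" "$mnt"   # plain text now
        return 0
    fi
    echo "decryption of $dev did not complete; see $log and rerun" >&2
    return 1
}

# Constructed sample log matching the page's example output.
SAMPLE_LOG='total device size 1044193 KB
Processing: 100%	Time left: 00:00:00
Completed decryption of sdb1 successfully
Removed device sdb1'

# check_sample -> 0 if the sample log is recognised as a successful run
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | decrypt_succeeded /dev/sdb1
}
```

Invoke as `run_decrypt /dev/sdb1 no /data` as root after the Decryption Allowed and Auto Encryption properties have been set in the webGUI; the log file is what you consult if the run is interrupted before you reissue the command.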