Decrypting a Disk Using the webGUI
The following procedure applies to all types of Windows disks and to Linux data disks. You cannot, however, decrypt a Linux system device (such as /root, swap, or /home) using this procedure. Instead, use the htroot decrypt command as described in Decrypting a Linux System Device.
Before You Begin
You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.
Procedure
- Log in to the KeyControl webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Click the VMs tab and select the VM you want to work with from the list.
- Click the Expand button (>) at the end of the row to access the details for the specific VM.
- On the Details tab for the VM, make sure that:
  - Either the Auto Encryption property is Disabled or the Automatic Data Encryption Policy does not include the disk you want to decrypt.
  - The Decryption Allowed property is set to Yes. If this field is set to No, click No, select Yes from the drop-down list, then click Save.
  Tip: If you want to decrypt the disks on multiple VMs in this Cloud VM Set, you can change these properties at the Cloud VM Set level and propagate the changes to all VMs in the Cloud VM Set. For more information, see Changing Cloud VM Set Properties.
- Click on the Encrypted Disks tab.
- Select the disk you want to decrypt and select Actions > Decrypt Disk from the VM-specific Actions menu.
KeyControl Vault displays a message that the decrypt request was successfully created and adds a Decrypt Disk task for the VM that will begin on the VM's next heartbeat. The length of time the operation will take depends on the amount of data already present on the disk and the encryption settings configured for this system.
You can track the progress of the decrypt task on the Dashboard in the Tasks tile.
When the decrypt request begins processing, KeyControl Vault sets the state to Active/Decrypt. When the decryption process has finished, KeyControl Vault moves the disk back to the Unencrypted Disks tab and changes the state to Available.