Decrypting a Linux System Device

If you encrypted a Linux system device (such as /root, swap, or /home) with the htroot encrypt command, you need to decrypt that system device with the htroot decrypt command.

Important: This procedure applies to Linux system devices only. If you want to decrypt a Linux data drive, see Decrypting a Disk Using the webGUI or Decrypting a Disk Using the CLI.

During this procedure, the VM will need to be rebooted to start the decryption process. If you have enabled Online Encryption for this VM, the VM will come back online immediately and the Policy Agent will decrypt the system devices as a background process. In this case, users can continue to access the data while it is being decrypted as long as the VM remains online. If the VM reboots during this process, the VM will remain inaccessible for normal operations until the Policy Agent has finished decrypting all of the specified system devices.

If Online Encryption is not enabled, the VM will remain inaccessible for normal operations until the decryption process completes.

For more information about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.

Before You Begin

You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.

Procedure

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
  2. On the Details tab for the VM, make sure that:

    • The Auto Encryption property is either Disabled or the Automatic Data Encryption Policy does not include the disk you want to decrypt.
    • The Decryption Allowed property is set to Yes. If this field is set to No, click No, select Yes from the drop-down list, then click Save.

    Tip: If you want to decrypt the disks on multiple VMs in this Cloud VM Set, you can change these properties at the Cloud VM Set level and propagate the changes to all VMs in the Cloud VM Set. For more information, see Changing Cloud VM Set Properties.

  3. Log into the VM as root.
  4. If you want to check the available disks on this VM, enter the hcl status command. The Registered Devices section shows all devices that have been encrypted on the VM, with the short form of the disk name in the first column. You will need this short name in order to decrypt the device.

  5. If you want to check the encryption status of the system devices, enter the htroot status command. You cannot decrypt a device that is in the process of being encrypted or rekeyed.

    # htroot status
    
    HyTrust boot loader setup is complete
    
    Root device "/dev/sda2" is encrypted
    swap device "/dev/sda3" is encrypted
  6. Enter the htroot decrypt <diskname1,diskname2,... | -a> command, where each diskname is the short form of the disk name. (For example, sda2 instead of /dev/sda2.) To specify multiple disks, use a comma-separated list. To decrypt all available system devices, specify -a instead of a list of disk names. (If you specify -a, DataControl only decrypts the system devices. It does not decrypt any encrypted data devices.)

    For example:

    # htroot decrypt -a
    
    Setting up system for root device decryption.
    This operation may take a long time
    
    Do you want to proceed? (y/N) y
    Changing /etc/fstab to mount file system / from UUID=03d7a977-72b1-48bc-b1f0-3bc78f61a815
    Changing /etc/fstab to mount the swap from UUID=9217649b-e08c-4703-9d51-c7000b3321a8
    The system has been updated to decrypt the Linux root device/s during next boot; please reboot the system now
    Do you want to reboot the system now? (y/N) y
  7. Confirm the server reboot to continue. When the server has rebooted, it authenticates itself with KeyControl Vault to get the required keys and then starts the decryption process. The time required to decrypt the devices depends on their size and the type of storage you have.

    • If you have enabled Online Encryption for this VM, the VM reboots immediately and the Policy Agent decrypts the devices as a background process. In this case, you can check the decryption status at any time using the hcl status command.
    • If Online Encryption is not enabled, the VM remains offline until the decryption process completes. In this case, you can see the decryption progress on the VM console through vSphere, Azure, or AWS.
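The following shell snippet is an added example and is not part of the Entrust/HyTrust documentation or the product itself. It ties steps 5 and 6 together: it reads the htroot status output, accepts only devices whose line ends in "is encrypted" (so a device still being encrypted or rekeyed blocks the run), converts /dev/sda2 to the short name sda2, and assembles the comma-separated list that htroot decrypt expects. The device-line format is taken from the htroot status example on this page; the wording used for an in-progress device in the second sample is an assumption, which is why the check trusts only the exact "is encrypted" ending rather than matching any particular in-progress phrase.

```shell
#!/bin/sh
# Added example; not part of the product documentation.
# Assumes `htroot status` prints one line per system device in the form
# shown on this page:   <Type> device "/dev/<name>" is encrypted

# Constructed sample matching the page's htroot status example.
READY_STATUS='HyTrust boot loader setup is complete

Root device "/dev/sda2" is encrypted
swap device "/dev/sda3" is encrypted'

# Constructed sample with one device still in progress. The exact wording
# htroot uses for an in-progress device is an assumption; the check below
# only trusts lines that end in "is encrypted", whatever the other text says.
BUSY_STATUS='HyTrust boot loader setup is complete

Root device "/dev/sda2" is being rekeyed
swap device "/dev/sda3" is encrypted'

# Print the short name (sda2, not /dev/sda2) of every device reported as
# fully encrypted, one per line.
encrypted_short_names() {
    printf '%s\n' "$1" \
      | sed -n 's/^.* device "\/dev\/\([^"]*\)" is encrypted$/\1/p'
}

# Succeed only if every device line reads "is encrypted". Any other state
# (encryption or rekey in progress) means htroot decrypt must not be run yet.
all_devices_ready() {
    total=$(printf '%s\n' "$1" | grep -c ' device "/dev/' || true)
    ready=$(encrypted_short_names "$1" | grep -c . || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ready" ]
}

# Build the comma-separated argument for: htroot decrypt <list>
# Fails (non-zero exit, no output) when any device is not ready.
decrypt_arg() {
    all_devices_ready "$1" || return 1
    encrypted_short_names "$1" | paste -s -d ',' -
}

# Usage on a live VM, as root (hypothetical invocation, not run here):
#   status=$(htroot status)
#   arg=$(decrypt_arg "$status") && htroot decrypt "$arg"
```

Because the guard refuses to produce an argument unless every reported device is plainly "is encrypted", a device that htroot reports in any other state stops the decrypt command from being issued, which is the condition step 5 tells you to check by hand.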