Example: Adding and Encrypting a Linux Disk with XFS
Tip: Depending on the size of the disk, the encryption process can take a long time to run. If the process is interrupted, you need to manually restart the process. We recommend you use the Linux nohup or screen command to avoid terminal-related interruptions during encryption.
In the following example, we create an XFS filesystem and then use hcl encrypt to register that filesystem with KeyControl Vault. The example that follows shows how to do this in a single step using hcl add.
# mkfs -t xfs /dev/sdc1
meta-data=/dev/sdc1 isize=256 agcount=4, agsize=62436 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0
data = bsize=4096 blocks=249744, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=853, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
# mount | grep sdc1
/dev/sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
# cp /etc/* /mnt
# find /mnt -type f -exec md5sum {} \; | md5sum
5cf56f73de26edf599cb3a8c5887ebe0 -
# umount /mnt
# hcl encrypt /dev/sdc1
All the data on /dev/sdc1 will be encrypted
The cleartext data will be available on /dev/mapper/clear_sdc1
This operation may take long time
Do you want to proceed? (y/n) y
total device size 998976 KB
Processing: 100% Time left: 00:00:00
rekey finished
Completed encryption of /dev/sdc1 successfully
# mount /dev/mapper/clear_sdc1 /mnt
# mount | grep sdc1
/dev/mapper/clear_sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
# find /mnt -type f -exec md5sum {} \; | md5sum
5cf56f73de26edf599cb3a8c5887ebe0 -
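The session above confirms that the data survived encryption by hashing the tree with find and md5sum before and after, which only works if find returns the files in the same order both times. The script below is an added example, not part of the KeyControl documentation, that makes the same check with a sorted SHA-256 manifest; the function names tree_digest and verify_tree are hypothetical, and GNU find, sort, xargs and sha256sum are assumed.

```shell
#!/bin/sh
# Added example: order-independent integrity check for a directory tree.

# tree_digest DIR
# Prints one SHA-256 covering the relative path and contents of every
# regular file under DIR. Paths are relative, so the result does not
# depend on where the filesystem is mounted.
tree_digest() {
    (
        cd "$1" || exit 1
        # NUL-separated names survive spaces and newlines in file names;
        # LC_ALL=C gives the same sort order in every locale.
        find . -type f -print0 \
            | LC_ALL=C sort -z \
            | xargs -0 -r sha256sum \
            | sha256sum \
            | cut -d' ' -f1
    )
}

# verify_tree EXPECTED DIR
# Returns 0 if DIR still hashes to EXPECTED, 1 on mismatch,
# 2 if DIR cannot be read.
verify_tree() {
    actual=$(tree_digest "$2") || return 2
    if [ "$actual" = "$1" ]; then
        echo "OK: $2 matches $1"
    else
        echo "MISMATCH: $2 is $actual, expected $1" >&2
        return 1
    fi
}

# Usage with the devices from the session above (run as root):
#   before=$(tree_digest /mnt)          # cleartext /dev/sdc1 mounted on /mnt
#   umount /mnt
#   hcl encrypt /dev/sdc1
#   mount /dev/mapper/clear_sdc1 /mnt
#   verify_tree "$before" /mnt
```

Record the digest before unmounting the cleartext device, and keep it somewhere other than the disk being encrypted.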
In the following example, we use hcl add to create an XFS filesystem on the disk and then register the disk with KeyControl Vault.
# hcl add -F xfs /dev/sdc1
/dev/sdc1 (/dev/sdc1) appears to contain an existing filesystem (ext3)
Do you want to proceed? (y/n) y
WARNING: This operation will destroy the contents of the disk.
If you wish to preserve them, run "hcl encrypt" instead.
Do you want to proceed? (y/n) y
In case of error remove the disk using "hcl rm" and run "hcl add" again
Encrypted device sdc1 (/dev/sdc1) attached; decrypted contents visible at /dev/mapper/clear_sdc1
Creating file system xfs on /dev/mapper/clear_sdc1
--------------------------------------------------------------------------------
meta-data=/dev/mapper/clear_sdc1 isize=256 agcount=4, agsize=62436 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0
data = bsize=4096 blocks=249744, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=853, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
-----------------------------------------------------------------------
# mount /dev/mapper/clear_sdc1 /mnt
# mount | grep sdc1
/dev/mapper/clear_sdc1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
