Removing a VM from KeyControl Vault
The following procedure describes how to decrypt the data on a VM and then remove it from KeyControl Vault so that it no longer appears in the KeyControl Vault inventory and it no longer counts against the Cloud VM Limit defined in your KeyControl Vault license. The data on the VM remains, however, and you can re-authorize the VM with KeyControl Vault at any time.
If you want to decommission a VM and destroy it immediately without ever accessing the data, see Decommissioning and Destroying a VM.
Before You Begin
You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.
Procedure
- Log in to the KeyControl webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Click the VMs tab and select the VM you want to work with from the list.
- Click the Expand button (>) at the end of the row to access the details for the specific VM.
- On the Details tab for the VM, make sure that:
  - The Auto Encryption property is either Disabled or the Automatic Data Encryption Policy does not include the disk you want to decrypt.
  - The Decryption Allowed property is set to Yes. If this field is set to No, click No, select Yes from the drop-down list, then click Save.
  Tip: If you want to decrypt the disks on multiple VMs in this Cloud VM Set, you can change these properties at the Cloud VM Set level and propagate the changes to all VMs in the Cloud VM Set. For more information, see Changing Cloud VM Set Properties.
- Click the Encrypted Disks tab.
- Select the encrypted disk. If more than one disk is encrypted:
  - In the top right-hand corner, click Multi-Select.
  - Click on the first encrypted disk.
  - Shift+Click on the last encrypted disk.
- Select Actions > Decrypt Disk from the VM-specific Actions menu.
  KeyControl Vault displays a message that the decrypt requests were successfully created and adds a Decrypt Disk task for the VM that will begin on the VM's next heartbeat. The length of time the operation will take depends on the amount of data present on the disk and the encryption settings configured for this system.
  You can track the progress of the decrypt task on the Dashboard in the Tasks tile.
  When the decrypt request begins processing, KeyControl Vault sets the state to Active/Decrypt. When the decryption process has finished, KeyControl Vault moves the disk back to the Unencrypted Disks tab and changes the state to Available.
- Periodically check the Encrypted Disks tab for the VM until that tab shows that no encrypted disks remain in the VM. Do not proceed with this procedure until decryption is complete for all disks.
- Select the VM you want to remove and click Actions > Revoke Authentication from the main Actions menu.
- Confirm the action at the prompt.
  KeyControl Vault revokes access to the VM and automatically displays the Unauthenticated VMs tab.
- Select the VM and click Actions > Remove.
  KeyControl Vault removes the VM from its inventory, returns the associated KeyControl Vault license to the license pool, and destroys all encryption keys associated with that VM.
- Log in to the VM as an administrator and uninstall the Entrust DataControl Policy Agent. For details, see Uninstalling the Policy Agent on Linux or Uninstalling the Policy Agent on Windows.