The following procedure can be used for any Linux root and swap drives, including those that reside in Microsoft Azure or Amazon Web Services.
Before You Begin
Procedure
Enter the command htroot encrypt and follow the prompts. For example:
# htroot encrypt
Starting encrypt
Debug console can be used to monitor the progress of root device encryption
The following packages are required for debug console:
dropbear
Do you want to enable debug console? (y/N) y
Note: The HyTrust Debug Console allows ssh access to the server while the encryption process is running so you can check the status of the encryption process. After encryption is complete, the Debug Console provides limited access to the encrypted VM. If the encrypted VM fails to boot because it cannot retrieve the appropriate keys from KeyControl, you can use the Debug Console to restore communication with KeyControl. We highly recommend that you enable this console. For more information, see Checking the Root Drive Encryption Status.
Current Root device/ Boot device setup
--------------------------------------------------------------------------------
Root device vg_sdcentos68-lv_root
Root device path /dev/mapper/vg_sdcentos68-lv_root
Boot partition device path /dev/sda1
Boot partition device uuid a47efb76-ed3a-4ae4-bfd9-e80f64c1f79c
swap device vg_sdcentos68-lv_swap
swap device path /dev/mapper/vg_sdcentos68-lv_swap
--------------------------------------------------------------------------------
Is this information correct? (y/N) y
Do you want to encrypt swap? (y/N) y
Note: If you are going to encrypt the swap, you must do it now. You cannot encrypt the swap after the boot device has already been encrypted.
Following network interfaces are available
--------------------------------------------------------------------------------
eth0 00:50:56:8d:fa:4d
eth1 00:50:56:8d:5c:a2 192.168.15.3
eth2 00:50:56:8d:af:73
--------------------------------------------------------------------------------
Preferred Network Interface is (eth1), which is used while authenticating with KeyControl
Select the primary network interface (eth1): eth1
This machine seems to be using DHCP to setup the primary network
With encrypted root device, KeyControl needs to be contacted during
boot to get the encryption keys. IP address can be obtained using
DHCP or can be statically configured now
Use DHCP during boot? (y/N) N
--------------------------------------------------------------------------------
ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:50:56:8d:5c:a2 brd ff:ff:ff:ff:ff:ff
inet 192.168.15.3/16 brd 192.168.255.255 scope global eth1
inet6 fe80::250:56ff:fe8d:5ca2/64 scope link
valid_lft forever preferred_lft forever
ip route show
169.254.0.0/16 dev eth1 scope link metric 1003
192.168.0.0/16 dev eth1 proto kernel scope link src 192.168.15.3
default via 192.168.100.1 dev eth1
cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search lan.coriolis.co.in
nameserver 192.168.100.1
--------------------------------------------------------------------------------
Setting up static IP for use during boot
Check Network Parameters
--------------------------------------------------------------------------------
IP address: 192.168.15.3
Gateway address: 192.168.100.1
Netmask: 255.255.0.0
DNS server address: 192.168.100.1
DNS domain: lan.coriolis.co.in
Is this correct? (y/N) y
Setting up system for root device encryption.
This operation may take a long time
Do you want to proceed? (y/N) y
Re-structuring HyTrust specific directories
Uploaded keyfile /usr/share/dracut/modules.d/91hcs/root/.ssh/id_rsa to KC
You can download the key from KC using "hicli cvm rdekey"
Please copy the keyfile /usr/share/dracut/modules.d/91hcs/root/.ssh/id_rsa to another machine
This file will be used to access debug console using ssh
example: # ssh -i id_rsa root@server.ip.addr
Have you copied the key file? (y/N) y
Note: htroot generates the id_rsa key file if you responded yes to the debug console prompt at the beginning of the command. If you do not copy the id_rsa key file at this point, you can download it later from the KeyControl webGUI.
Updating initrd
Changing /etc/fstab to mount file system / from /dev/mapper/clear_htroot
Changing /etc/fstab to mount the swap from /dev/mapper/clear_htswap
The system has been updated to encrypt the root device during nextboot; please reboot the system now
Do you want to reboot the system now? (y/N) y
Broadcast message from root@13 (/dev/pts/0) at 17:20 ...
The system is going down for reboot NOW!
Connection to be closed by remote host.
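Before answering y at the Check Network Parameters prompt, it is worth confirming that the static values htroot derived will actually let the initrd reach KeyControl: a gateway outside the static subnet leaves the VM unable to fetch its keys at boot. The following Python script is an added example, not part of htroot or KeyControl. It derives the same five parameters from the ip addr show, ip route show and /etc/resolv.conf output that htroot prints, using the session above as constructed sample input, and checks that the gateway lies inside the static subnet. The function and variable names are the example's own.

```python
"""Pre-flight check for the static boot-time network parameters that htroot
asks you to confirm. Added example, not part of HyTrust's htroot; it derives
the same five values from the three commands htroot prints and checks that the
gateway is inside the static subnet (otherwise the initrd cannot reach
KeyControl during boot and the encrypted VM fails to boot)."""
import ipaddress
import re

# Constructed sample input: the command output shown in the htroot session.
IP_ADDR_OUT = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:8d:5c:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.3/16 brd 192.168.255.255 scope global eth1
    inet6 fe80::250:56ff:fe8d:5ca2/64 scope link
       valid_lft forever preferred_lft forever
"""
IP_ROUTE_OUT = """\
169.254.0.0/16 dev eth1 scope link metric 1003
192.168.0.0/16 dev eth1 proto kernel scope link src 192.168.15.3
default via 192.168.100.1 dev eth1
"""
RESOLV_CONF = """\
; generated by /sbin/dhclient-script
search lan.coriolis.co.in
nameserver 192.168.100.1
"""


def boot_network_params(iface, ip_addr_out, ip_route_out, resolv_conf):
    """Return the values htroot lists under "Check Network Parameters" for iface."""
    inet = re.search(r"^\s*inet (\S+/\d+) .*\bscope global " + re.escape(iface) + r"\s*$",
                     ip_addr_out, re.M)
    route = re.search(r"^default via (\S+) dev " + re.escape(iface) + r"\b", ip_route_out, re.M)
    if not inet or not route:
        raise ValueError("no global IPv4 address or default route on %s" % iface)
    nameserver = re.search(r"^nameserver\s+(\S+)", resolv_conf, re.M)
    search = re.search(r"^search\s+(\S+)", resolv_conf, re.M)
    addr = ipaddress.ip_interface(inet.group(1))        # e.g. 192.168.15.3/16
    return {
        "ip": str(addr.ip),
        "gateway": route.group(1),
        "netmask": str(addr.netmask),                   # /16 -> 255.255.0.0
        "dns": nameserver.group(1) if nameserver else None,
        "domain": search.group(1) if search else None,  # first search domain only
    }


def gateway_reachable(params):
    """True if the gateway is inside the static subnet. With DHCP disabled for
    boot there is no other route, so a gateway outside the subnet means the VM
    cannot contact KeyControl to retrieve its keys."""
    subnet = ipaddress.ip_network("%s/%s" % (params["ip"], params["netmask"]), strict=False)
    return ipaddress.ip_address(params["gateway"]) in subnet


if __name__ == "__main__":
    p = boot_network_params("eth1", IP_ADDR_OUT, IP_ROUTE_OUT, RESOLV_CONF)
    for key, label in (("ip", "IP address"), ("gateway", "Gateway address"),
                       ("netmask", "Netmask"), ("dns", "DNS server address"),
                       ("domain", "DNS domain")):
        print("%-20s %s" % (label + ":", p[key]))
    print("gateway reachable from static subnet:", gateway_reachable(p))
```

On a real host, replace the three constructed strings with the output of the same commands for the interface you select at the "Select the primary network interface" prompt; the values printed should match what htroot shows before you confirm them.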
After you have responded to the prompts, confirm that htroot can reboot the server to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required encryption keys and then starts the encryption process. The time required to encrypt the drive depends on the size of the root disk and the type of storage you have.

You can see the encryption progress on the VM console through vSphere, Azure, or AWS. In addition, if you selected y when asked if you wanted to enable the HyTrust Debug Console, you can view the progress through the Debug Console as described in Checking the Root Drive Encryption Status.
After the encryption process completes, you can log in as normal. To verify that the encryption was successful, log in as an Administrator and enter the hcl status command. You should see the root and swap devices listed under Registered Devices.

For example, if this is the hcl status command output before the encryption:

# hcl status
Summary
---------------------------------------------------
KeyControl: 10.238.32.74:443
KeyControl list: 10.238.32.74:443
Status: Connected

Registered Devices
---------------------------------------------------
Disk Name   Clear   Cipher   Status
---------------------------------------------------

Available Devices
---------------------------------------------------
Disk Name   Device Node   Size (in MB)
---------------------------------------------------

Other Devices
---------------------------------------------------
Disk Name   Device Node   Status
---------------------------------------------------
sda3   /dev/sda3   Mounted (swap)
sda2   /dev/sda2   Mounted (/boot)
sda1   /dev/sda1   Mounted (/)
After encryption, the root and swap drives (sda2 and sda3 in this example) should move from Other Devices to the Registered Devices section:
Registered Devices
---------------------------------------------------
sda3   /dev/mapper/clear_htswap   AES-256   Attached
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2   /dev/mapper/clear_htroot   AES-256   Attached
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Warning: The hcl status command shows the clear-text paths to the root and swap drives (/dev/mapper/clear_htroot and /dev/mapper/clear_htswap). Only access the drives through these clear-text paths. Accessing the encrypted drives through the direct device paths (/dev/sda3 and /dev/sda2) could cause data corruption.
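In practice you will want this verification to be repeatable rather than eyeballed, especially across a fleet of encrypted VMs. The following Python script is an added example, not part of hcl or htroot. It parses hcl status output and /etc/fstab and reports anything that deviates from the state described above: KeyControl connected, root and swap registered with AES-256 and Attached, auto_attach enabled, and / and swap mounted only through the clear-text mapper paths rather than the raw /dev/sdaN nodes the warning refers to. The column layout of the sample output and the fstab contents are constructed from this page's example (the /boot UUID is the one printed in the htroot session), and the function names are the example's own.

```python
"""Post-encryption verification for htroot: parse `hcl status` output and
/etc/fstab and report anything that deviates from the expected state. Added
example, not part of HyTrust's hcl or htroot; the sample output below is
constructed from this page's example (column layout is approximate) and the
empty Available/Other Devices sections are omitted for brevity."""
import re

# Constructed sample `hcl status` output after encryption.
HCL_STATUS_AFTER = """\
Summary
---------------------------------------------------
KeyControl:       10.238.32.74:443
KeyControl list:  10.238.32.74:443
Status:           Connected

Registered Devices
---------------------------------------------------
Disk Name   Clear                      Cipher    Status
---------------------------------------------------
sda3        /dev/mapper/clear_htswap   AES-256   Attached
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2        /dev/mapper/clear_htroot   AES-256   Attached
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
"""

# Constructed /etc/fstab as htroot rewrites it; the /boot UUID is the one
# shown in the htroot session on this page.
FSTAB_AFTER = """\
/dev/mapper/clear_htroot                   /      ext4  defaults  1 1
UUID=a47efb76-ed3a-4ae4-bfd9-e80f64c1f79c  /boot  ext4  defaults  1 2
/dev/mapper/clear_htswap                   swap   swap  defaults  0 0
"""

SECTION_NAMES = ("Summary", "Registered Devices", "Available Devices", "Other Devices")
EXPECTED = {"/": "/dev/mapper/clear_htroot", "swap": "/dev/mapper/clear_htswap"}


def parse_hcl_status(text):
    """Return (summary, registered): summary is the key/value block, registered
    maps disk name -> {"clear", "cipher", "status", "auto_attach"}."""
    section, summary, registered, last = None, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            section = line
        elif not line or set(line) == {"-"}:
            continue
        elif section == "Summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif section == "Registered Devices":
            if line.startswith("'-->") and last:
                attrs = dict(kv.split("=", 1) for kv in line[4:].replace(",", " ").split())
                registered[last]["auto_attach"] = attrs.get("auto_attach")
            else:
                m = re.match(r"(\S+)\s+(/dev/mapper/\S+)\s+(\S+)\s+(\S+)$", line)
                if m:  # header rows have no /dev/mapper column and are skipped
                    last = m.group(1)
                    registered[last] = {"clear": m.group(2), "cipher": m.group(3), "status": m.group(4)}
    return summary, registered


def parse_fstab(text):
    """Return {mount point: device} for the non-comment entries of an fstab."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            mounts[fields[1]] = fields[0]
    return mounts


def verify_root_encryption(status_text, fstab_text):
    """Return a list of problems; an empty list means root and swap are registered,
    attached with AES-256, and mounted only via their clear-text mapper paths."""
    problems = []
    summary, registered = parse_hcl_status(status_text)
    if summary.get("Status") != "Connected":
        problems.append("not connected to KeyControl: %s" % summary.get("Status"))
    by_clear = {dev["clear"]: (name, dev) for name, dev in registered.items()}
    mounts = parse_fstab(fstab_text)
    for mount, clear in EXPECTED.items():
        if clear not in by_clear:
            problems.append("%s not registered under clear path %s" % (mount, clear))
        else:
            name, dev = by_clear[clear]
            if dev["cipher"] != "AES-256" or dev["status"] != "Attached":
                problems.append("%s (%s): cipher=%s status=%s" % (mount, name, dev["cipher"], dev["status"]))
            if dev.get("auto_attach") != "ENABLED":
                problems.append("%s (%s): auto_attach is not ENABLED" % (mount, name))
        if mounts.get(mount) != clear:
            problems.append("fstab mounts %s from %s, expected %s" % (mount, mounts.get(mount), clear))
    # The raw nodes behind registered devices hold ciphertext; mounting them corrupts data.
    raw_nodes = {"/dev/" + name for name in registered}
    for mount, dev in mounts.items():
        if dev in raw_nodes:
            problems.append("fstab mounts %s from encrypted raw node %s" % (mount, dev))
    return problems


if __name__ == "__main__":
    print(verify_root_encryption(HCL_STATUS_AFTER, FSTAB_AFTER) or "OK: root and swap encrypted and attached")
```

On a real host, feed the script the live output of hcl status and the contents of /etc/fstab; an empty problem list is the same condition the manual check above is looking for, and any entry naming a raw /dev/sdaN node is exactly the situation the warning describes.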