Decrypting a Disk Using the CLI

The following procedure explains how to decrypt a disk and remove it from KeyControl. If you want to remove the disk but you don't care about the contents of the disk, see Removing a Disk from KeyControl.

The following procedure applies to all types of Windows disks and to Linux data disks. You cannot, however, decrypt a Linux system device (such as /root, /swap, or /home) using this procedure. Instead, use the htroot decrypt command as described in Decrypting a Linux System Device.

Before You Begin 

You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.

Procedure 

  1. For Linux, log in to the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  2. If this is a Linux system and you have not enabled Online Encryption for this VM, unmount the disk you want to decrypt. For more information about enabling Online Encryption, see Linux Online Encryption Prerequisites and Considerations.
  3. Enter the hcl decrypt [-s] [-y] diskname command, where:

    DataControl decrypts the disk and unregisters it from KeyControl. Any keys associated with the disk are deleted.

    For Linux, you can now mount the disk in the standard manner and access its contents in plain text. For Windows, all drives and folder mounts are immediately accessible in plain text.

    For example:

    # hcl decrypt -s sdb1
    
    All the data on /dev/mapper/clear_sdb1 will be decrypted
    The clear text data will be available on /dev/sdb1
    This operation may take long time
    Do you want to proceed? (y/n) y
    total device size 1044193 KB
    Processing: 100% 	Time left: 00:00:00
    Completed decryption of sdb1 successfully
    Removed device sdb1
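
A pre-flight check for step 2 on a Linux VM without Online Encryption, as an added example (not part of the KeyControl documentation or tooling): it reads the mount table and refuses to continue while the disk's clear-text device is still mounted. The function names, the /dev/mapper/clear_<diskname> naming (taken from the sample output above) and the accepted disk-name characters are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check before running "hcl decrypt" on Linux.
# Assumption: the clear-text device is /dev/mapper/clear_<diskname>,
# as shown in the sample output on this page.

# mounted_at DISK [MOUNTS_FILE]
# Prints each mount point of /dev/mapper/clear_DISK.
# Returns 0 if at least one is found, 1 otherwise.
mounted_at() {
    awk -v dev="/dev/mapper/clear_$1" \
        '$1 == dev { print $2; found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# preflight DISK [MOUNTS_FILE]
# Returns 0 when safe to continue, 1 if still mounted, 2 on a bad name.
preflight() {
    case $1 in
        # Assumed character set for disk names; rejects shell/awk metacharacters.
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid disk name: '$1'" >&2
            return 2 ;;
    esac
    if mp=$(mounted_at "$1" "${2:-/proc/mounts}"); then
        echo "clear_$1 is still mounted at: $mp (unmount it first)" >&2
        return 1
    fi
    echo "clear_$1 is not mounted; ready for: hcl decrypt $1"
}

# Constructed sample of a mount table (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/clear_sdb1 /data ext4 rw,relatime 0 0
/dev/mapper/clear_sdb10 /archive ext4 rw,relatime 0 0
EOF

preflight sdb1 "$sample" || true   # still mounted at /data
preflight sdc1 "$sample"           # no clear_sdc1 entry
rm -f "$sample"
```

On a real VM, call preflight with only the disk name so that it reads /proc/mounts.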