If you encrypted a Linux system device (such as /root, /swap, or /home) with the htroot encrypt command, you need to decrypt that system device with the htroot decrypt command.
Important: This procedure applies to Linux system devices only. If you want to decrypt a Linux data drive, see Decrypting a Disk Using the webGUI or Decrypting a Disk Using the CLI.
During this procedure, the VM will need to be rebooted to start the decryption process. If you have enabled Online Encryption for this VM, the VM will come back online immediately and the Policy Agent will decrypt the system devices as a background process. In this case, users can continue to access the data while it is being decrypted as long as the VM remains online. If the VM reboots during this process, the VM will remain inaccessible for normal operations until the Policy Agent has finished decrypting all of the specified system devices.
If Online Encryption is not enabled, the VM will remain inaccessible for normal operations until the decryption process completes.
For more information about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.
Before You Begin
You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.
Procedure
Log in to the VM as root. If you want to check the available disks on this VM, enter the hcl status command. The Registered Devices section lists every device that has been encrypted on the VM, with the short form of the disk name in the first column. You need this short name to decrypt the device.
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: sdkc:443
KeyControl list: sdkc:443
Status: Connected
Last heartbeat: Tue Jul 31 12:06:22 2018 (successful)
AES_NI: enabled
HTCRYPT: Not Installed

Registered Devices
--------------------------------------------------------------------------------
Disk Name    Cipher    Status     Clear
--------------------------------------------------------------------------------
sda3         AES-256   Attached   /dev/mapper/clear_D4044351-4C2C-4582-8935-479B5238B23A (swap)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2         AES-256   Attached   /dev/mapper/clear_htroot (/)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT

Encrypted Folders
--------------------------------------------------------------------------------
Folder Name  fsid  Cipher  Status
--------------------------------------------------------------------------------

Available Devices
--------------------------------------------------------------------------------
Disk Name    Device Node    Size (in MB)
--------------------------------------------------------------------------------
sdc2         /dev/sdc2      119
sdc1         /dev/sdc1      118

Other Devices
--------------------------------------------------------------------------------
Disk Name    Device Node    Status
--------------------------------------------------------------------------------
sda1         /dev/sda1      Mounted (/boot)
sdd          /dev/sdd       LVM (vg-sdd)
If you want to check the encryption status of the system devices, enter the htroot status command. You cannot decrypt a device that is in the process of being encrypted or rekeyed.
# htroot status
HyTrust boot loader setup is complete
Root device "/dev/sda2" is encrypted
swap device "/dev/sda3" is encrypted
Enter the htroot decrypt <diskname1,diskname2,... | -a> command, where each diskname is the short form of the disk name (for example, sda2 instead of /dev/sda2). To specify multiple disks, use a comma-separated list. To decrypt all available system devices, specify -a instead of a list of disk names. (If you specify -a, DataControl decrypts only the system devices; it does not decrypt any encrypted data devices.)
For example:
# htroot decrypt -a
Setting up system for root device decryption. This operation may take a long time
Do you want to proceed? (y/N) y
Changing /etc/fstab to mount file system / from UUID=03d7a977-72b1-48bc-b1f0-3bc78f61a815
Changing /etc/fstab to mount the swap from UUID=9217649b-e08c-4703-9d51-c7000b3321a8
The system has been updated to decrypt the Linux root device/s during next boot; please reboot the system now
Do you want to reboot the system now? (y/N) y
Confirm the server reboot to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required keys and then starts the decryption process. The time required to decrypt the devices depends on their size and the type of storage you have.
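As an added example (not part of this procedure and not DataControl's own tooling), the following POSIX shell helpers parse a constructed copy of the hcl status listing shown earlier, keep only the registered devices whose status is Attached, and build the comma-separated short-name list that htroot decrypt expects; the function names and the sample listing are assumptions.

```shell
# Constructed sample of `hcl status` output, modelled on the listing in this procedure
# (not captured from a real VM). Only the sections the helpers look at are reproduced.
HCL_SAMPLE=$(cat <<'EOF'
Registered Devices
--------------------------------------------------------------------------------
Disk Name    Cipher    Status     Clear
--------------------------------------------------------------------------------
sda3         AES-256   Attached   /dev/mapper/clear_D4044351-4C2C-4582-8935-479B5238B23A (swap)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2         AES-256   Attached   /dev/mapper/clear_htroot (/)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Encrypted Folders
--------------------------------------------------------------------------------
Folder Name  fsid  Cipher  Status
EOF
)

# Print "<short name> <status>" for each row of the Registered Devices section.
# Only rows whose second column is a cipher are device rows; the "'-->" lines are skipped.
registered_devices() {
    printf '%s\n' "$1" | awk '
        /^Registered Devices/ { in_sec = 1; next }
        /^Encrypted Folders/  { in_sec = 0 }
        in_sec && /^[a-z]+[0-9]* +AES-/ { print $1, $3 }
    '
}

# Strip a /dev/ prefix so a device node (as printed by htroot status) can be passed to htroot decrypt.
short_name() {
    printf '%s\n' "${1#/dev/}"
}

# Build the comma-separated argument for htroot decrypt from every registered device
# that is currently Attached; a device in any other state is left out of the list.
decrypt_list() {
    registered_devices "$1" | awk '$2 == "Attached" { print $1 }' | paste -sd, -
}
```

Running `decrypt_list "$(hcl status)"` on a real VM yields the argument for `htroot decrypt`, which you would still review against the htroot status output before confirming the reboot.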
When decryption has finished, you can verify the status of the devices with the hcl status command.