The following procedure describes how to use the CLI to encrypt a Linux data partition or a Windows boot drive, folder mount, or data drive. During this procedure you can elect to reformat the drive and remove any existing data or keep and encrypt the existing data.
Note: | You cannot encrypt a Linux system device (such as /root, /swap, or /home) using this procedure. Instead, follow the procedure described in Encrypting Linux System Devices. |
Before You Begin
For Linux disks:
If an entry for the Linux device you intend to encrypt already exists in the Filesystem Table (/etc/fstab), you need to remove that entry until the encryption process is complete and the HyTrust-created clear text path to the device is available. If you reboot the device after encryption with the /etc/fstab entry still pointing to the original device path, the system may hang because the encrypted version of the device will fail the filesystem check. For details, see Automatically Mounting Linux Filesystems.
For Windows disks:
Procedure
For Linux, log in as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.

If you want to reformat the disk and, optionally, create a new filesystem, enter the command:

hcl add [-F fstype | "none"] [-n] [-c cipher] [-m mapped_device] [-p parent-disk] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o] [-y] [-x] diskname
-F
    (Linux only) specifies the filesystem you want to use. The default is ext3. If you do not want DataControl to format the disk, specify "none" for this option.
    Tip: | To use XFS (Extents File System), specify "xfs". For more information, see Example: Adding and Encrypting a Linux Disk with XFS. |
-n
    indicates that the disk should not be attached immediately. Use this option if you want to prepare the disk but not bring it online until later.
-c
    is the encryption cipher that DataControl should use for the disk. The default cipher is AES-XTS-512. To view a list of available ciphers, use the hcl ciphers command. For details, see Encryption Key Sizes and Algorithms.
-m
    (Linux only) sets the clear text path. By default, the path is constructed from the current path to the disk: if the disk is /dev/sdb1, the default clear text path is /dev/mapper/clear_sdb1. To set the clear text path to /dev/hytrust/clear_sdb1 instead, use -m /dev/hytrust/clear_sdb1.
-p
    indicates that this disk is a snapshot of an encrypted LVM (Logical Volume Management) volume, or an MBR partition copy/snapshot, whose parent is named in parent-disk. Use the hcl status command to determine the exact format for the parent disk name. For more information, see Example: Encrypting a Linux LVM Volume.
    Warning: | If the snapshot was taken before the parent volume was registered with KeyControl, the snapshot will not have encrypted data. |
-e
    specifies the number of days the key should be active before it expires. If you omit this option, the key never expires. What happens when a key expires is controlled by the -z option.
-z
    controls what happens when the key expiry date is reached. You can specify:
    "NO USE" — The key is deactivated but retained. It can then be reactivated by setting a future date in the Expiry Date field in the KeyControl webGUI. This is the default.
    "SHRED" — The key is destroyed and cannot be retrieved. Use this option only if you are absolutely certain that you will never need to access the selected disk again.
-o
    overrides the default setting that prevents you from encrypting a non-partitioned disk. Always use partitioned disks, because DataControl can reliably identify them and find their associated keys.
    Warning: | We recommend you do NOT use this option, or access to your encrypted data will be lost if the disk name changes. |
-y
    makes the command non-interactive.
-x
    (Windows only) tells DataControl to check for the existence of a pagefile on the designated drive. If one is found, the command is aborted.
diskname
    is the name of the disk that you want to encrypt. For Linux, use the short form of the disk name (for example, sdb1 instead of /dev/sdb1). For Windows, specify the drive letter or folder mount associated with the disk (for example, f: or g:\data).

For example:

# hcl add sdb1
WARNING: This operation will destroy the contents of the disk. If you wish to preserve them, run "hcl encrypt" instead.
Do you want to proceed? (y/n) y
In case of error remove the disk using "hcl rm" and run "hcl add" again
Encrypted device sdb1 (/dev/sdb1) attached; decrypted contents visible at /dev/mapper/clear_sdb1
Creating file system ext3 on /dev/mapper/clear_sdb1
---------------------------------------------------
mke2fs 1.41.11 (14-Mar-2017)
...
This filesystem will be automatically checked every 22 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
---------------------------------------------------
If you want to retain and encrypt the data that currently exists on the disk, enter the command:

hcl encrypt [-s] [-c cipher] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o] [-y] [-x] diskname

-s
    (Linux only) tells DataControl to process only allocated blocks, which can improve performance dramatically. DataControl uses system-provided utilities to determine the allocated blocks on the disk. This option is supported for ext2, ext3, and ext4 file systems. It is not supported on XFS. (To change the speed for Windows, see Changing the Encryption/Decryption Speed on Windows.)
    Important: | This option does not work if online encryption has been enabled for the VM, even if you unmount the drive during the process. If online encryption has been enabled or if the disk is mounted, using the -s option will cause the command to fail. |
-c
    is the encryption cipher that DataControl should use for the disk. The default cipher is AES-XTS-512. To view a list of available ciphers, use the hcl ciphers command. For details, see Encryption Key Sizes and Algorithms.
-e
    specifies the number of days the key should be active before it expires. If you omit this option, the key never expires. What happens when a key expires is controlled by the -z option.
-z
    controls what happens when the key expiry date is reached. You can specify:
    "NO USE" — The key is deactivated but retained. It can then be reactivated by setting a future date in the Expiry Date field in the KeyControl webGUI. This is the default.
    "SHRED" — The key is destroyed and cannot be retrieved. Use this option only if you are absolutely certain that you will never need to access the selected disk again.
-o
    overrides the default setting that prevents you from encrypting a non-partitioned disk. Always use partitioned disks, because DataControl can reliably identify them and find their associated keys.
    Warning: | We recommend you do NOT use this option, or access to your encrypted data will be lost if the disk name changes. |
-y
    makes the command non-interactive.
-x
    (Windows only) tells DataControl to check for the existence of a pagefile on the designated drive. If one is found, the command is aborted.
diskname
    is the name of the disk that you want to encrypt. For Linux, use the short form of the disk name (for example, sdb1 instead of /dev/sdb1). For Windows, specify the drive letter or folder mount associated with the disk (for example, f: or g:\data).

For example:

# hcl encrypt sdb1
All the data on sdb1 will be encrypted
The cleartext data will be available on /dev/mapper/clear_sdb1
This operation may take long time
Do you want to proceed? (y/n) y
Encrypted device sdb1 (/dev/sdb1) attached; decrypted contents visible at /dev/mapper/clear_sdb1
total device size 1044193 KB
Processing: 100% Time left: 00:00:00
Completed encryption of sdb1 successfully
For Linux, the progress of the command is displayed automatically. For Windows, use the hcl status command to check the progress.
Note: | If the encryption process is interrupted for some reason, you must repeat this procedure and re-issue the hcl add or hcl encrypt command. The encryption process will start at the point where it was interrupted. If the encryption fails for a Windows disk with the message that there are too many partitions on the disk, see Detecting and Removing a Windows Snapshot Partition. |
What to Do Next
If you removed the /etc/fstab entry for the device, you can recreate that entry using the clear text path created during encryption. For details, see Automatically Mounting Linux Filesystems.
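The /etc/fstab hazard described in Before You Begin (an entry still pointing at the raw device can hang the next boot) and the entry recreation described in this section can both be scripted as a pre-flight and post-flight check. The following POSIX shell script is an added example written for this page; it is not part of DataControl or the hcl tool. It assumes the default clear text path convention /dev/mapper/clear_<shortname> described for the -m option and a standard six-column fstab; the fstab content it runs against is a constructed sample, and the helper names (write_sample_fstab, short_name, clear_path, fstab_entries_for, preflight, clear_fstab_line) are this example's own.

```shell
#!/bin/sh
# Added example (not DataControl code): pre-flight and post-flight checks for
# "hcl add" / "hcl encrypt" on a Linux data disk. Assumes the default clear
# text path /dev/mapper/clear_<shortname> and a standard six-column fstab.

# Constructed sample fstab standing in for /etc/fstab (not from a real host).
SAMPLE_FSTAB='# constructed sample fstab
UUID=1111-2222-3333  /      ext4  defaults  0  1
/dev/sdb1  /data  ext3  defaults  0  2
/dev/sdc1  /logs  xfs   defaults  0  2
'

# Write the sample to a temp file and print its path.
write_sample_fstab() {
    f="$(mktemp)"
    printf '%s' "$SAMPLE_FSTAB" > "$f"
    printf '%s\n' "$f"
}

# short_name: reduce "/dev/sdb1" (or "sdb1") to the short form hcl expects.
short_name() {
    printf '%s\n' "$1" | sed 's|^/dev/||'
}

# clear_path: default clear text path DataControl creates for the disk.
clear_path() {
    printf '/dev/mapper/clear_%s\n' "$(short_name "$1")"
}

# fstab_entries_for: print non-comment fstab lines (file $2) whose device
# column is the raw device $1. Any hit must be removed before encrypting,
# otherwise the fsck of the now-encrypted device can hang the next boot.
fstab_entries_for() {
    dev="/dev/$(short_name "$1")"
    awk -v dev="$dev" '$0 !~ /^[ \t]*#/ && $1 == dev' "$2"
}

# preflight: print the hcl command to run ($3 = add|encrypt) when fstab is
# clean; otherwise list the offending entries on stderr and return 1.
preflight() {
    name="$(short_name "$1")"
    hits="$(fstab_entries_for "$name" "$2")"
    if [ -n "$hits" ]; then
        printf 'Remove these fstab entries before encrypting %s:\n%s\n' "$name" "$hits" >&2
        return 1
    fi
    printf 'hcl %s %s\n' "$3" "$name"
}

# clear_fstab_line: rewrite a removed fstab line ($1) so that it mounts the
# clear text path instead of the raw device, for use after encryption.
clear_fstab_line() {
    printf '%s\n' "$1" | awk '{ sub(/^\/dev\//, "", $1); $1 = "/dev/mapper/clear_" $1; print }'
}

# Stand-alone demonstration against the constructed sample.
demo="$(write_sample_fstab)"
preflight sdb1 "$demo" encrypt || echo "sdb1 is not ready: fix fstab first"
preflight sdd1 "$demo" add
echo "after encrypting sdb1, recreate its entry as:"
clear_fstab_line '/dev/sdb1  /data  ext3  defaults  0  2'
rm -f "$demo"
```

On a real host, pass /etc/fstab as the second argument to preflight. The script only prints the hcl command line to run and never invokes hcl itself; if you encrypt with a -m override, substitute that custom path for the clear_ default that clear_fstab_line emits.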