Checking the Root Drive Encryption Status

If Online Encryption is enabled for this VM, you can check the encryption status at any time by logging into the VM as root and using the hcl status command. If Online Encryption is not enabled, you can check the encryption status on the VM console through vSphere, Azure, or AWS.

If you need to troubleshoot the encryption process, you can check the encryption status using the HyTrust Debug Console if you enabled that while running the htroot setup command, as described in Encrypting Linux System Devices.)

1. If you need a copy of the id_rsa key file for the VM:

   1. Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.
   2. Navigate to the Cloud > VMs tab and select the VM whose key file you want to download.
   3. Select Actions > Download Bootloader SSH Key.

2. Open an ssh session by entering the command ssh -i id_rsa root@vm_name, where id_rsa is the name of the id_rsa file and vm_name is the IP address or hostname. For example:

   $ ssh -i Downloads/ht-centos75.key root@ht-centos75
   
   The authenticity of host 'ht-centos75 (192.168.15.239)' can't be established.
   RSA key fingerprint is SHA256:v1TDb5PTlGsncaPf6r9C0Z6ybtqVLxeGXf7XDnh3ItM.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 'ht-centos75,192.168.15.239' (RSA) to the list of known hosts.
   
   HyTrust Debug Console
   
   1. Show HT encryption log file
   2. Authenticate
   3. Show Network info
   4. Restart Network
   5. Advanced access
   6. logout (exit Debug Console) 

3. Select option 1 and look for the status sections. For example, here are a few of the lines towards the end of the output:

   Starting HyTrust root encryption ------------
   
   Entered init script with args
   Starting debug shell
   Detected boot device uuid c01c3240-664b-412a-8440-dd0fa132eae5 device path /dev/sda1
   Check file system on device path /dev/sda1
   File system check on /dev/sda1 complete
   Mounted /dev/sda1
   Starting networking
   Network started on primary network interface
   Started debug console server
   Guest VM Status
   KeyControl: sdkc:443
   Waiting for connection to KeyControl
   
   Waiting for connection to KeyControl
   KeyControl: sdkc:443
   Connected
   network : ens160 00:50:56:a2:64:84 192.168.15.239
   Connected to KeyControl
   Starting root device encryption: sda2
   
   -------------- KeyControl and status ------------------
   sdkc:443
   Connected
   -------------- Encryption / Decryption status ---------
   root device encryption
   Processing: 100% Time left: 00:00:00
   swap device sda3 encryption
   Processing: 100% Time left: 00:00:00
   system device sdb1 encryption
   Processing: 51% Time left: 00:13:39

   We can see that we are connected to KeyControl and that encryption is in progress. At this point, the root and swap devices have been fully encrypted and sdb1 encryption (/home in this example) is 51% complete with just under 14 minutes left.