The following procedure can be used for any Linux system device (such as /root, /swap, or /home), including those that reside in Microsoft Azure or Amazon Web Services. The example used in this procedure shows how to encrypt the /root, /swap, and /home devices at the same time, but you can also encrypt any system device separately at any time.
During this procedure, the VM will need to be rebooted to start the encryption process. If you have enabled Online Encryption for this VM, the VM will come back online immediately and the Policy Agent will encrypt the system devices as a background process. In this case, users can continue to access the data while it is being encrypted.
If Online Encryption is not enabled, the VM will remain inaccessible for normal operations until the encryption process completes.
For more information about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.
Important: Do not encrypt a data drive with the htroot command. If you do so, DataControl will treat the data drive as a system device, which means that the data drive cannot be detached, it will appear in KeyControl as a "root" device, and it must be rebooted when you want to encrypt, decrypt, or rekey it. To encrypt a data drive, see Encrypting a Disk Using the CLI or Encrypting a Disk Using the webGUI.
Before You Begin
Because issues during root device encryption can hang the VM, it is critical to make sure everything is properly configured before you start. For details, see Linux Encryption Prerequisites and Verifying the Current VM Configuration.
Procedure
Log in to the VM as root. Enter the htroot status command to verify whether the HyTrust Bootloader has already been installed on this VM.
# htroot status
HyTrust Bootloader setup is not done. You can complete Bootloader setup using "htroot setup"
Root device "/dev/sda2" is not encrypted
swap device "/dev/sda3" is not encrypted
If htroot status reports that the Bootloader setup is not done, enter the htroot setup command. If htroot setup reports that the Bootloader setup is complete, go to the next step.
# htroot setup
Debug console can be used to monitor the progress of root device encryption
The following packages are required for debug console:
dropbear
Do you want to enable debug console? (y/N) y
Note: The HyTrust Debug Console allows ssh access to the server while the encryption process is running so you can check the status of the encryption process. After encryption is complete, the Debug Console provides limited access to the encrypted VM. If the encrypted VM fails to boot because it cannot retrieve the appropriate keys from KeyControl, you can use the Debug Console to restore communication with KeyControl. We highly recommend you enable this console. For more information, see Checking the Root Drive Encryption Status.
Checking connection to software repositories (yum check-update)
Connection to software repositories seems to be working fine
The following packages are required for root encryption:
cryptsetup dropbear
Attempt to install required packages? (y/N) y
Package dropbear can be found in the EPEL repository.
More information on EPEL can be found at https://fedoraproject.org/wiki/EPEL
NOTE: If you wish to configure EPEL using a private mirror (e.g. using Red Hat Satellite) then please exit htroot and configure the repository before re-running.
Attempt to install EPEL release? (y/N) y
Installing EPEL from CentOS Extras repo............................... ok
Installing cryptsetup................................................. ok
Installing dropbear................................................... ok
Uploaded keyfile /usr/lib/dracut/modules.d/91hcs/root/.ssh/id_rsa to KeyControl
You can download the key from KeyControl using WebGUI
Alternatively, copy the keyfile /usr/lib/dracut/modules.d/91hcs/root/.ssh/id_rsa to another machine
This file will be used to access debug console using ssh
example: # ssh -i id_rsa root@server.ip.addr
Press Enter to continue...
Current Boot device setup
--------------------------------------------------------------------------------
Boot partition device path /dev/sda1
Boot partition device uuid c01c3240-664b-412a-8440-dd0fa132eae5
--------------------------------------------------------------------------------
Is this information correct? (y/N) y
Following network interfaces are available
--------------------------------------------------------------------------------
ens160 00:50:56:a2:64:84 192.168.15.239
--------------------------------------------------------------------------------
Preferred Network Interface is (ens160), which is used while authenticating with KeyControl
Select the primary network interface (ens160):
With encrypted root device, KeyControl needs to be contacted during boot to get the encryption keys.
IP address can be obtained using DHCP or can be statically configured now
Use DHCP during boot? (y/N) y
Re-structuring HyTrust specific directories
Updating initrd
HyTrust Bootloader setup completed successfully
Run "htroot encrypt" to encrypt Linux root devices
# htroot status
HyTrust Bootloader setup is complete
Root device "/dev/sda2" is not encrypted
swap device "/dev/sda3" is not encrypted
Enter the htroot encrypt command and select which system devices you want to encrypt. You can encrypt the devices at any time and in any order. Similarly, once the devices have been encrypted, they can be rekeyed or decrypted at any time and in any order.
The following example shows how to encrypt the root, swap, and /home devices at the same time.
# htroot encrypt
Setting up system for root device encryption.
--------------------------------------------------------------------------------
Do you want to encrypt root device "sda2 (/dev/sda2)"? (y/N) y
Changing /etc/fstab to mount file system / from /dev/mapper/clear_htroot
Setting up system for swap device encryption.
--------------------------------------------------------------------------------
Do you want to encrypt swap device "sda3 (/dev/sda3)"? (y/N) y
Changing /etc/fstab to mount the swap from /dev/mapper/clear_B081FD59-A74A-4F85-8D1BAA42212F3607
Do you want to encrypt any other file systems, like /var, /usr ?
--------------------------------------------------------------------------------
Please provide comma (,) separated list of mount points: /home
Do you want to encrypt block device "sdb1 (/dev/sdb1, /home)"? (y/N) y
Changing /etc/fstab to mount file system /home from /dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07
Updating initrd
The system has been updated to encrypt the Linux root device/s during next boot; please reboot the system now
Do you want to reboot the system now? (y/N) y
Confirm the server reboot to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required encryption keys and then starts the encryption process. The time required to encrypt the devices depends on their size and the type of storage you have.
You can check the progress of the encryption with the hcl status command. If you entered y when asked if you wanted to enable the HyTrust Debug Console, you can also view the progress through the Debug Console as described in Checking the Root Drive Encryption Status. When it is finished, you can verify that the encryption succeeded using the htroot status command. For example:
# htroot status
HyTrust boot loader setup is complete
Root device "/dev/sda2" is encrypted
swap device "/dev/sda3" is encrypted
system device "/dev/sdb1 (/home)" is encrypted
After the encryption process completes, you can log in as normal. If you log in as root and enter the hcl status command, you will see that the system devices you encrypted are listed under Registered Devices. For example:
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: sdkc:443
KeyControl list: sdkc:443
Status: Connected
Last heartbeat: Wed Jul 4 12:24:22 2018 (successful)
AES_NI: enabled
Certificate Expiration: Jul 4 06:22:12 2019 GMT
HTCRYPT: Not Installed
Registered Devices
--------------------------------------------------------------------------------
Disk Name    Cipher        Status     Clear
--------------------------------------------------------------------------------
sbd1         AES-XTS-512   Attached   /dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07 (/home)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda3         AES-256       Attached   /dev/mapper/clear_B081FD59-A74A-4F85-8D1B-AA42212F3607 (/swap)
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2         AES-XTS-512   Attached   /dev/mapper/clear_htroot
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Warning: The hcl status command shows the clear text path to each encrypted system device (in the example above, it is the value in the Clear column). You should only connect to the devices using these clear text paths. Accessing the encrypted devices through the direct paths such as /dev/sda3 or /dev/sda2 could cause data corruption.
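One way to verify the point in the warning after the reboot, as an added example that is not part of the DataControl documentation: parse the Registered Devices table of hcl status and flag any /etc/fstab entry that still mounts a registered device by its raw /dev/sdX path instead of its /dev/mapper/clear_* path. It assumes the column layout of hcl status shown above; the status text and fstab contents below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not DataControl code. Checks that every device registered with
# DataControl is mounted through its clear path, never through the raw device.

# Constructed sample of the "Registered Devices" section of "hcl status".
HCL_STATUS_SAMPLE=$(cat <<'EOF'
Registered Devices
--------------------------------------------------------------------------------
Disk Name Cipher Status Clear
--------------------------------------------------------------------------------
sdb1 AES-XTS-512 Attached /dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07 (/home)
'--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda3 AES-256 Attached /dev/mapper/clear_B081FD59-A74A-4F85-8D1B-AA42212F3607 (/swap)
'--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
sda2 AES-XTS-512 Attached /dev/mapper/clear_htroot
'--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
EOF
)

# Print "disk clear_path" for every attached device in hcl status output ($1).
# Assumes the layout above: disk name in column 1, state in 3, clear path in 4.
registered_devices() {
    printf '%s\n' "$1" | awk '$3 == "Attached" && $4 ~ /^\/dev\/mapper\/clear_/ { print $1, $4 }'
}

# Print each non-comment fstab line ($2) whose device field is the raw /dev/<disk>
# path of a registered device ($1 = hcl status output). Empty output means OK.
raw_path_mounts() {
    registered_devices "$1" | while read -r disk clear; do
        printf '%s\n' "$2" | awk -v raw="/dev/$disk" '$1 !~ /^#/ && $1 == raw { print }'
    done
}

# Constructed fstab after a correct run: every device mounted via its clear path.
FSTAB_GOOD='/dev/mapper/clear_htroot / xfs defaults 0 0
/dev/mapper/clear_B081FD59-A74A-4F85-8D1B-AA42212F3607 swap swap defaults 0 0
/dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07 /home xfs defaults 0 0'

# Constructed fstab where swap was hand-edited back to the raw device (the case
# the warning above describes as a data corruption risk).
FSTAB_BAD='/dev/mapper/clear_htroot / xfs defaults 0 0
/dev/sda3 swap swap defaults 0 0
/dev/mapper/clear_EE57B642-2A00-49C8-9AC1-31D300DB6D07 /home xfs defaults 0 0'

# On a real VM run: raw_path_mounts "$(hcl status)" "$(cat /etc/fstab)"
if [ -n "$(raw_path_mounts "$HCL_STATUS_SAMPLE" "$FSTAB_BAD")" ]; then
    echo "WARNING: /etc/fstab mounts an encrypted system device by its raw path"
fi
```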