Removing a VM from KeyControl

The following procedure describes how to decrypt the data on a VM and then remove it from KeyControl so that it no longer appears in the KeyControl inventory and it no longer counts against the Cloud VM Limit defined in your KeyControl license. The data on the VM remains, however, and you can re-authorize the VM with KeyControl at any time.

If you want to decommission a VM and destroy it immediately without ever accessing the data, see Decommissioning and Destroying a VM.

Before You Begin 

You cannot decrypt a disk if it has an Access Control Policy associated with it. Make sure that no such policy association exists before you decrypt the disk. For details, see Viewing the Access Control Status for a Disk.

Procedure 

1. Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.
2. In the top menu bar, click Cloud.
3. Click the VMs tab and select the VM you want to work with from the list.
4. Click the Expand button (>) at the end of the row to access the details for the specific VM.
5. In the Details area, click the Encrypted Disks tab.

6. Select the encrypted disk. If more than one disk is encrypted:

   1. In the top right-hand corner, click Multi-Select.
   2. Click on the first encrypted disk.
   3. Shift+Click on the last encrypted disk.

7. Select Actions > Decrypt Disk from the VM-specific Actions menu.

   KeyControl displays a message that the decrypt requests were successfully created and adds a Decrypt Disk task for the VM that will begin on the VM's next heartbeat. The length of time the operation will take depends on the amount of data present on the disk and the encryption settings configured for this system.

   You can track the progress of the decrypt task on the Dashboard in the Tasks tile.

   When the decrypt request begins processing, KeyControl sets the state to Active/Decrypt. When the encryption process has finished, KeyControl moves the disk back to the Unencrypted Disks tab and changes the state to Available.

8. Periodically check the Encrypted Disks tab for the VM until that tab shows that no encrypted disks remain in the VM. Do not proceed with this procedure until decryption is complete for all disks.
9. Select the VM you want to remove and click Actions > Revoke Authentication from the main Actions menu.

10. Confirm the action at the prompt.

    KeyControl revokes access to the VM and automatically displays the Unauthenticated VMs tab.

11. Select the VM and click Actions > Remove.

    KeyControl removes the VM from its inventory, returns the associated KeyControl license to the license pool, and destroys all encryption keys associated with that VM.

12. Log into the VM as an administrator and uninstall the HyTrust DataControl Policy Agent. For details, see Uninstalling the Policy Agent on Linux or Uninstalling the Policy Agent on Windows.