Encrypting a Drive Shared by Multiple Nodes
In addition to creating a KeyControl cluster to support failover, you can use Microsoft’s Windows Failover Clusters. For an overview of Failover Clusters in Windows Server 2008 R2, see http://technet.microsoft.com/en-us/library/cc730692.aspx. What follows are specific instructions for the HyTrust DataControl implementation of Failover Clusters.
The examples in the following procedure assume that you are using drive G: for your CIFS export from your Windows failover cluster nodes winhost1 and winhost2, and that G: on winhost1 appears as hard disk 3 and on winhost2 it appears as hard disk 4.
- Log into both winhost1 and winhost2 as an Administrator.
- Disconnect all existing clients that are currently using this share. To confirm that all clients have disconnected, run net session /list from the command prompt of both winhost1 and winhost2. The command should not show any existing sessions.
- On both winhost1 and winhost2, run the command hcl status to get information about the state of your connection with the KeyControl node, the number of devices available to encrypt, and so on.
- Determine which node is the current owner of the shared disk and:
  - If you want to preserve the data that exists on the disk, run the command hcl encrypt G: on that node. KeyControl encrypts the drive and the existing data.
  - If you want to reformat the disk, run the command hcl add G: on that node. KeyControl reformats the disk using NTFS and erases any existing data.

  In both cases, KeyControl adds a unique GUID (Globally Unique Identifier) to G: and makes G: available as an encrypted drive.
- Run hcl status on both nodes again. You should see the same GUID being reported for hard disk 3 on winhost1 and for hard disk 4 on winhost2.
- On winhost1, run hcl encrypt G: from the command prompt to begin encrypting existing data on the drive.
  - Depending on the size of the drive, this will take a few minutes to complete.
  - During the encryption, G: will no longer be visible and the CIFS export service will show as offline in the failover cluster manager.
  - Once hcl encrypt G: completes, its contents will be visible. G: should now also show up under the disks owned by winhost1 in the KeyControl node.
- Run hcl detach -a on winhost1. This will unmap drive G: from winhost1 in preparation for the next step.
- Use the failover cluster manager to move the CIFS service (and thus ownership of G:) from winhost1 to winhost2. Note that G: will appear to be unformatted to winhost2 and you will be prompted to format it. Ignore this prompt.
- On winhost2, run hcl import G: from the command prompt. This should complete very quickly since hcl recognizes that this is an encrypted disk whose key is already registered with the KeyControl node. G: should now be readable on winhost2.
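The following PowerShell is an added example, not HyTrust's own code, that automates the two verification points in the procedure above: no client sessions remain before encryption, and both nodes report the same GUID before failover. It assumes that hcl status prints GUIDs in the usual 8-4-4-4-12 hexadecimal form and that net session runs in an English locale; the function names and the sample text are constructed for illustration.

```powershell
# Added example: checks on captured output of `net session` and `hcl status`.
# Assumption: `hcl status` prints disk GUIDs in 8-4-4-4-12 hex form.
$GuidPattern = '(?i)\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b'

function Get-GuidSet {
    param([string]$Text)
    # Distinct GUID-shaped strings in the captured output, lower-cased.
    [regex]::Matches($Text, $GuidPattern) |
        ForEach-Object { $_.Value.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Test-NoSmbSessions {
    param([string]$NetSessionOutput)
    # `net session` prints this line when no client is connected (English locale).
    $NetSessionOutput -match 'There are no entries in the list'
}

function Get-SharedGuid {
    param([string]$StatusNodeA, [string]$StatusNodeB)
    $a = @(Get-GuidSet $StatusNodeA)
    $b = @(Get-GuidSet $StatusNodeB)
    # GUIDs reported by both nodes; the shared disk must be among them.
    @($a | Where-Object { $b -contains $_ })
}

# --- Constructed sample text. This is NOT real hcl output; the layout is invented. ---
# In practice, capture on each node with:  hcl status | Out-String
$status1 = @'
disk 3  G:  guid 1b4e28ba-2fa1-11d2-883f-0016d3cca427
'@
$status2 = @'
disk 4  G:  guid 1B4E28BA-2FA1-11D2-883F-0016D3CCA427
'@
$sessions = 'There are no entries in the list.'

if (-not (Test-NoSmbSessions $sessions)) {
    throw 'Clients are still connected to the share; do not start encryption.'
}
$shared = Get-SharedGuid $status1 $status2
if ($shared.Count -eq 0) {
    throw 'Nodes report no common GUID; do not move the CIFS service.'
}
"GUID reported by both nodes: $($shared -join ', ')"
```

If a node has several encrypted disks, the list of common GUIDs still needs to be matched by eye against hard disk 3 on winhost1 and hard disk 4 on winhost2.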
What to Do Next
Set up automatic failover and failback. For details, see Dependencies for Failover and Failback and Enabling Failover and Failback.