Encrypting a Disk Using the CLI

The following procedure describes how to use the CLI to encrypt a Linux data partition or a Windows boot drive, folder mount, or data drive. During this procedure you can elect to reformat the drive and remove any existing data or keep and encrypt the existing data.

You cannot encrypt a Linux system device (such as /root, swap, or /home) using this procedure. Instead, follow the procedure described in Encrypting Linux System Devices.

Before You Begin 

For Linux disks:

• If this is a Linux data disk, make sure you have partitioned the disk and that the disk meets the qualifications described in Linux Encryption Prerequisites.

• If an entry for the Linux device you intend to encrypt already exists in the Filesystem Table (/etc/fstab), you need to remove that entry until the encryption process is complete and the HyTrust-created clear text path to the device is available. If you reboot the device after encryption with the /etc/fstab entry still pointing to the original device path, the system may hang because the encrypted version of the device will fail the filesystem check. For details, see Automatically Mounting Linux Filesystems.

• If you want to encrypt the existing data while the disk remains online and accessible, make sure you enable Online Encryption on the VM as described in Enabling Linux Online Encryption with the CLI and Enabling Linux Online Encryption with the webGUI. For details about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.

For Windows disks:

• If this is a Windows data drive, make sure the disk you want to encrypt meets the prerequisites described in Windows Encryption Prerequisites.
• If this is a Windows boot partition, make sure the partition has been set up as described in Windows Boot Drive Encryption. Note: The boot partition may not appear as an available disk until after the HyTrust Bootloader is installed.

Tip:

Depending on the size of the disk, the encryption process can take a long time to run. If the process is interrupted on Windows, it will be resumed automatically when the disk comes back online. If the process is interrupted on Linux, you need to manually restart the process. We recommend you use the Linux nohup or screen command to avoid terminal-related interruptions during encryption.

Procedure 

1. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.

2. If you want to reformat the disk and, optionally, create a new filesystem, enter the command hcl add [-F fstype | "none"] [-n] [-c cipher] [-m mapped_device] [-p parent-disk] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o] [-y] [-x] diskname

   Details

   • -F (Linux only) allows you to specify the filesystem you want to use. If you do not specify a filesystem, the hcl add command uses the same filesystem as root. If that information is not available, the hcl add command uses ext4. If you do not want DataControl to format the disk, specify "none" for this option.

     Tip:

     To use XFS (Extents File System), specify "xfs". For more information, see Example: Adding and Encrypting a Linux Disk with XFS.

   • -n indicates that the disk should not be attached immediately. Use this option if you want to prepare the disk but not bring it online until later.
   • -c is the encryption cipher that DataControl should use for the disk. The default cipher is AES-XTS-512. To view a list of available ciphers, use the hcl ciphers command. For details, see Encryption Key Sizes and Algorithms.
   • -m (Linux only) sets the default clear text path, which is constructed based on the current path to the disk. For example, if the disk is /dev/sdb1, the default clear text path would be /dev/mapper/clear_sdb1. To set the clear text path to /dev/hytrust/clear_sdb1, you would use –m /dev/hytrust/clear_sdb1.

   • -p indicates that this is a snapshot of the encrypted LVM (Logical Volume Management) volume, or MBR partition copy/snapshot, whose parent is named in parent-disk. Use the hcl status command to determine the exact format for the parent disk name. For more information, see Example: Encrypting a Linux LVM Volume.

     Warning:

     If the snapshot was taken before the parent volume was registered with KeyControl, the snapshot will not have encrypted data.

   • -e allows you to specify the number of days the key should be active before it expires. If you omit this option, the key never expires. What happens when a key expires is controlled by the -z option.

   • -z controls what happens when the key expiry date is reached. You can specify:

     • "NO USE" — The key is deactivated but retained. It can then be reactivated by setting a future date in the Expiry Date field in the KeyControl webGUI. This is the default.
     • "SHRED" — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never need to access the selected disk again.

   • -o overrides the default setting that prevents you from encrypting a non-partitioned disk. You should always use partitioned disks because we can easily identify them and find the associated keys.

     Warning:

     We recommend you do NOT use this option, or access to your encrypted data will be lost if the disk name changes.

   • -y makes the command non-interactive.
   • -x (Windows only) tells DataControl to check for the existence of a pagefile on the designated drive . If one is found, the command is aborted.
   • diskname is the name of the disk that you want to encrypt. For Linux, use the short form of the disk name. (For example, sdb1 instead of /dev/sdb1.) For Windows, specify the drive letter or folder mount associated with the disk. (For example, f: or g:\data).
   Example

   # hcl add sdb1
   WARNING: This operation will destroy the contents of the disk.
   If you wish to preserve them, run "hcl encrypt" instead.
   Do you want to proceed? (y/n) y
   
   In case of error remove the disk using "hcl rm" and run "hcl add" again
   
   Encrypted device sdb1 (/dev/sdb1) attached; decrypted contents visible at /dev/mapper/clear_sdb1
   
   Creating file system ext3 on /dev/mapper/clear_sdb1
   ---------------------------------------------------
   mke2fs 1.41.11 (14-Mar-2017)
   ...
   This filesystem will be automatically checked every 22 mounts or
   180 days, whichever comes first.  Use tune2fs -c or -i to override.
   ---------------------------------------------------

3. If you want to retain and encrypt the data that currently exists on the disk, enter the command hcl encrypt [-s] [-c cipher] [-e days_to_expire] [-z "NO USE"|"SHRED"] [-o] [-y] [-x] diskname

   Details

   • -s (Linux only) tells DataControl to only process allocated blocks which can improve performance dramatically. DataControl uses system-provided utilities to determine the allocated blocks on the disk. This option is supported for ext2, ext3, and ext4 file systems. It is not supported on XFS. (To change the speed for Windows, see Changing the Encryption/Decryption Speed on Windows.)

     Important:

     This option does not work if online encryption has been enabled for the VM, even if you unmount the drive during the process. If online encryption has been enabled or if the disk is mounted, using the -s option will cause the command to fail.

   • -c is the encryption cipher that DataControl should use for the disk. The default cipher is AES-XTS-512. To view a list of available ciphers, use the hcl ciphers command. For details, see Encryption Key Sizes and Algorithms.
   • -e allows you to specify the number of days the key should be active before it expires. If you omit this option, the key never expires. What happens when a key expires is controlled by the -z option.

   • -z controls what happens when the key expiry date is reached. You can specify:

     • "NO USE" — The key is deactivated but retained. It can then be reactivated by setting a future date in the Expiry Date field in the KeyControl webGUI. This is the default.
     • "SHRED" — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never need to access the selected disk again.

   • -o overrides the default setting that prevents you from encrypting a non-partitioned disk. You should always use partitioned disks because we can easily identify them and find the associated keys.

     Warning:

     We recommend you do NOT use this option, or access to your encrypted data will be lost if the disk name changes.

   • -y makes the command non-interactive.
   • -x (Windows only) tells DataControl to check for the existence of a pagefile on the designated drive . If one is found, the command is aborted.
   • diskname is the name of the disk that you want to encrypt. For Linux, use the short form of the disk name. (For example, sdb1 instead of /dev/sdb1.) For Windows, specify the drive letter or folder mount associated with the disk. (For example, f: or g:\data).
   Example

   # hcl encrypt sdb1
   All the data on sdb1 will be encrypted
   The cleartext data will be available on /dev/mapper/clear_sdb1
   This operation may take long time
   Do you want to proceed? (y/n) y
   
   Encrypted device sdb1 (/dev/sdb1) attached; decrypted contents visible at /dev/mapper/clear_sdb1
   
   total device size 1044193 KB
   
   Processing: 100% 	Time left: 00:00:00
   Completed encryption of sdb1 successfully

4. For Linux, the progress of the command is displayed automatically. For Windows, use the hcl status command to check the progress.

   Notes:

   • If the hcl encrypt command is interrupted for any reason, you can re-issue the same hcl encrypt command. The encryption process will start at the point where it was interrupted.
   • If the encryption fails for a Windows disk with the message that there are too many partitions on the disk, see Detecting and Removing a Windows Snapshot Partition.

What to Do Next 

If you removed the /etc/fstab entry for the device, you can recreate that entry using the clear text path created during encryption. For details, see Automatically Mounting Linux Filesystems.