Removing Access Controls from a Disk
You need to remove the Access Control Policy from a disk if you want to decrypt that disk. For Linux, you also need to remove the policy if you want to move the disk from one VM to another or if you want to back up your KeyControl configuration.
For Windows, you can remove an Access Control Policy from an individual Windows disk while leaving the others protected. In Linux, removing the Access Control Policy from one disk removes it from all disks on the VM. In addition, a Linux VM must be rebooted to fully remove the access controls. This reboot happens automatically at the VM's next heartbeat after you complete this procedure.
Important: For Linux, it is essential that you use this procedure to cleanly remove the Access Control Policy from the VM. Do not simply revoke the authentication or remove the VM from KeyControl without first removing the Access Control Policy and rebooting the VM. Doing so may cause erroneous alerts and audit log messages.
Before You Begin
Make sure password-based SSH login is enabled for the VM. If it is not, the process will fail and the Access Control Policy will not be removed from the disks on the VM.
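A pre-flight check for this prerequisite on a Linux VM, as an added example that is not HyTrust code. It assumes the VM runs the OpenSSH server; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes OpenSSH on the Linux VM.
# Input on stdin: output of `sshd -T` (effective settings, run as root)
# or the text of a raw sshd_config file.

# Print the global PasswordAuthentication value ("yes" or "no").
password_auth_state() {
    awk '
        /^[ \t]*#/ { next }                   # comment line
        /^[ \t]*$/ { next }                   # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)   # sshd also accepts Keyword=value
            split(line, f, /[ \t]+/)
            key = tolower(f[1])               # keywords are case-insensitive
            # Global settings end at the first Match block; anything inside
            # one applies only to the connections that block selects.
            if (key == "match") exit
            # sshd keeps the first value it reads for a keyword.
            if (key == "passwordauthentication") { state = tolower(f[2]); exit }
        }
        # With the keyword unset, the OpenSSH built-in default is yes.
        END { print (state == "" ? "yes" : state) }
    '
}

# Return 0 when password-based SSH login is enabled globally; otherwise
# report on stderr and return 1.
removal_prereq_ok() {
    state=$(password_auth_state)
    if [ "$state" = "yes" ]; then
        return 0
    fi
    echo "PasswordAuthentication is '$state': policy removal would fail" >&2
    return 1
}

# Typical use on the VM, as root:
#   sshd -T | removal_prereq_ok && echo "ready to remove policy"
```

Feeding it `sshd -T` output is the more reliable option, because that output already reflects any included drop-in configuration files.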
Procedure
- Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Click the VMs tab.
- Click the Expand button (>) at the end of the row associated with the VM whose disks you want to change.
  KeyControl displays the details for the VM along with a VM-specific Actions button that allows you to manage the selected VM without affecting other VMs registered with KeyControl.
- In the Details area, click the Encrypted Disks tab.
- Click on the data disk from which you want to remove the Access Control Policy and select Actions > Remove Policy from Disk from the VM-specific Actions button.
  At the selected VM's next heartbeat, the HyTrust DataControl Policy Agent removes the Access Control Policy from the selected Windows disk or Linux VM. If it is a Linux VM, the Policy Agent also reboots the VM to complete the removal process.
What to Do Next
If you want to force an update so that the Access Control Policy is removed before the next scheduled heartbeat, you can log into the VM as an administrator and use the hcl heartbeat command.
Important: For a Linux disk, the hcl heartbeat command may take a few minutes to complete while the policy is being removed. If you use this command, make sure you wait for it to complete because interrupting the policy removal process may cause issues on the VM. The Policy Agent automatically reboots the VM as soon as the hcl heartbeat command has finished.