Automatic Data Encryption

When you create a Cloud VM Set, you can specify that, when a VM is registered with the Cloud VM Set, KeyControl will automatically tell the Policy Agent on that VM to encrypt the available drives on the VM. If you enable this feature, you can also specify an Automatic Data Encryption Policy that tells KeyControl which drives to include or exclude by default.

For example, if you enable Automatic Data Encryption and you want to:

  • Automatically encrypt all available drives on the VM except the C: drive, you would set the Automatic Data Encryption Policy to Exclude the C: drive.
  • Automatically encrypt only the C: drive, you would set the Automatic Data Encryption Policy to Include the C: drive.
  • Automatically encrypt all available drives on the VM including the C: drive, you would set the Automatic Data Encryption Policy to Encrypt All Devices.

You can specify as many paths in the Automatic Data Encryption Policy as you want, and you can specify a mixture of Windows drives and Linux device names. You cannot, however, set some paths as included and some as excluded. The Automatic Data Encryption Policy must be configured to either exclude all of the specified paths or include all of the specified paths.

When you register a VM with the Cloud VM Set, the VM inherits the Automatic Data Encryption settings from the Cloud VM Set. You can override the default settings for an individual VM at any time, allowing you to customize the Automatic Data Encryption feature on a VM-by-VM basis.

Prerequisites and Considerations

  • Automatic Data Encryption only works for Linux and Windows devices that meet the qualifications described in Linux Encryption Prerequisites and Windows Encryption Prerequisites.
  • Automatic Data Encryption only works for Linux devices that are not mounted when the encryption task runs. Therefore, you cannot use Automatic Data Encryption to encrypt Linux system devices such as /root, swap, or /home.
  • If you want to encrypt a Windows boot drive, you must install the HyTrust Bootloader option with the Policy Agent on that VM. Auto encryption on the boot drive will fail if the Bootloader is not installed. For details, see Windows Boot Drive Encryption.
  • If you change the Automatic Data Encryption Policy for a Cloud VM Set, you can choose whether to propagate the changes to the VMs already registered with the set. If you do so, any changes you made on the individual VMs will be overwritten by the settings in the Cloud VM Set. All customizations on the individual VMs will be lost.
  • If you change the Automatic Data Encryption Policy to include a device that was not included before, KeyControl automatically schedules a task to encrypt the newly added device.
  • After a device has been encrypted (either manually or through an Automatic Data Encryption Policy), KeyControl will not automatically decrypt it, even if you change the Automatic Data Encryption Policy to exclude that device. Once encrypted, all devices must be decrypted manually.
  • If you try to decrypt a device that is specified as Included in the Automatic Data Encryption Policy, the decryption task will fail. You must first remove the device from the Automatic Data Encryption Policy before you can decrypt it. If you remove the device from the policy at the VM-level, that device can only be decrypted on that VM. If you remove the device from the policy on the Cloud VM Set level and you propagate the changes from the Cloud VM Set to the registered VMs, then you can decrypt that device on any registered VM.
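The rules above (one policy mode per set, VM-level overrides, inheritance and propagation, the unmounted-Linux and Bootloader prerequisites, no automatic decryption, and decryption blocked for Included devices) interact in ways that are easy to get wrong when planning a rollout. The following is an added model of those rules for reasoning about a deployment; it is example code written for this page, not KeyControl's own code or its API. The class names, the device representation, the result strings and the sample VM inventory are assumptions made for the demonstration, and the page does not say how decryption behaves under Encrypt All Devices, so the model only blocks decryption for a device that is explicitly listed under Include.

```python
"""Illustrative model of the Automatic Data Encryption policy rules.

Added example, not KeyControl code. Names, device fields and sample
values are assumptions for the demonstration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    EXCLUDE = "exclude"     # encrypt every available drive except the listed paths
    INCLUDE = "include"     # encrypt only the listed paths
    ALL = "encrypt_all"     # Encrypt All Devices (no path list)


@dataclass(frozen=True)
class Policy:
    mode: Mode
    paths: frozenset = frozenset()   # may mix "C:" style drives and Linux device names

    def __post_init__(self) -> None:
        # A single policy is either all-Include or all-Exclude; the mode field
        # enforces that. Encrypt All Devices takes no path list at all.
        if self.mode is Mode.ALL and self.paths:
            raise ValueError("Encrypt All Devices does not take a path list")

    def covers(self, path: str) -> bool:
        """True if the policy asks for this path to be encrypted."""
        if self.mode is Mode.ALL:
            return True
        if self.mode is Mode.INCLUDE:
            return path in self.paths
        return path not in self.paths


@dataclass
class Device:
    path: str            # constructed sample values such as "C:" or "/dev/sdb"
    os: str              # "windows" or "linux"
    mounted: bool = False
    boot: bool = False
    encrypted: bool = False


@dataclass
class VM:
    name: str
    devices: List[Device]
    bootloader_installed: bool = False
    override: Optional[Policy] = None   # VM-level customization, if any


def effective_policy(vm: VM, set_policy: Policy) -> Policy:
    """A registered VM inherits the Cloud VM Set policy unless it has an override."""
    return vm.override or set_policy


def plan_encryption(vm: VM, set_policy: Policy) -> Dict[str, str]:
    """What the agent would do per device under the effective policy.

    Encrypted devices are never scheduled for decryption here: the page states
    that KeyControl never decrypts automatically, even after a policy change.
    """
    pol = effective_policy(vm, set_policy)
    plan: Dict[str, str] = {}
    for d in vm.devices:
        if d.encrypted:
            plan[d.path] = "already encrypted"
        elif not pol.covers(d.path):
            plan[d.path] = "skip: not in policy"
        elif d.os == "linux" and d.mounted:
            plan[d.path] = "skip: Linux device is mounted"
        elif d.os == "windows" and d.boot and not vm.bootloader_installed:
            plan[d.path] = "fail: boot drive requires the Bootloader"
        else:
            plan[d.path] = "encrypt"
    return plan


def newly_scheduled(before: Dict[str, str], after: Dict[str, str]) -> Set[str]:
    """Devices that a policy change pulls into scope (KeyControl schedules a task for each)."""
    return {p for p, action in after.items() if action == "encrypt" and before.get(p) != "encrypt"}


def propagate(vms: List[VM], overwrite_vms: bool) -> List[str]:
    """Push a changed set policy down; with overwrite, every VM-level override is lost."""
    lost = []
    if overwrite_vms:
        for vm in vms:
            if vm.override is not None:
                lost.append(vm.name)
                vm.override = None
    return lost


def request_decrypt(vm: VM, set_policy: Policy, path: str) -> str:
    """Manual decryption fails while the device is explicitly Included (assumption: only Include blocks it)."""
    pol = effective_policy(vm, set_policy)
    dev = next(d for d in vm.devices if d.path == path)
    if not dev.encrypted:
        return "nothing to do"
    if pol.mode is Mode.INCLUDE and path in pol.paths:
        return "fail: device is Included in the policy; remove it first"
    return "decrypt"
```

A useful check before changing a set-level policy is to run `plan_encryption` for every registered VM with the old and new policy and inspect `newly_scheduled`; anything it returns will be encrypted as soon as the change is propagated, and `propagate(..., overwrite_vms=True)` tells you which VMs lose their customizations in the process.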