Example: Encrypting a Linux LVM Volume
In Linux, Logical Volume Manager (LVM) is a device mapper target that provides logical volume management for the Linux kernel. You can use the same hcl add and hcl encrypt commands to register an LVM volume with KeyControl, but the Policy Agent cannot stamp a GUID on LVM volumes the way it can with MBR partitions such as sdb1. Therefore an LVM volume cannot be migrated across VMs, because that process requires a GUID.
The following examples show the process of encrypting an LVM volume that already holds data and of registering a new LVM volume.
Tip: Depending on the size of the disk, the encryption process can take a long time to run. If the process is interrupted, you need to restart it manually. We recommend you use the Linux nohup or screen command to avoid terminal-related interruptions during encryption.

hcl encrypt allows you to encrypt an LVM volume while preserving any data that already exists on the volume. Unmount the volume first, then run the command. For example:
# umount /dev/hytrust-vg/datalv
# hcl encrypt hytrust--vg-datalv -o
All the data on hytrust--vg-datalv will be encrypted
The cleartext data will be available on /dev/mapper/clear_hytrust--vg-datalv
This operation may take long time.
Do you want to proceed? (y/n) y
hytrust--vg-datalv (/dev/dm-2) appears to contain an existing filesystem (ext2)
Do you want to proceed? (y/n) y
WARNING: device hytrust--vg-datalv will be added but will not have unique ID that ensures detection if disks are reordered or moved.
Encrypted device hytrust--vg-datalv (/dev/dm-2) attached; decrypted contents visible at /dev/mapper/clear_hytrust--vg-datalv
total device size 102400 K
Processing: 100%   Time left: 00:00:00
Completed encryption of hytrust--vg-datalv successfully

hcl add allows you to add a new volume to KeyControl, or to erase any data on an existing volume before the volume is encrypted; to keep existing data, use hcl encrypt instead. In the following example, hcl status is run before and after the add so that the volume can be seen moving from Available Devices to Registered Devices:
# lvs
  LV     VG         Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  datalv hytrust-vg -wi-a-----  100.00m
  root   sub1504-vg -wi-ao----    6.73g
  swap_1 sub1504-vg -wi-ao---- 1020.00m
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: skc1:443
KeyControl list: skc1:443
Status: Connected

Registered Devices
--------------------------------------------------------------------------------
Disk Name            Cipher        Status     Clear
--------------------------------------------------------------------------------

Available Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Size (in MB)
--------------------------------------------------------------------------------
hytrust--vg-datalv   /dev/dm-2      100

Other Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Status
--------------------------------------------------------------------------------
sda1                 /dev/sda1      Mounted (/boot)
sdb                  /dev/sdb       LVM (hytrust-vg)
sda5                 /dev/sda5      LVM (sub1504-vg)
sub1504--vg-root     /dev/dm-0      Mounted (/)
sub1504--vg-swap_1   /dev/dm-1      Mounted (swap)
# hcl add hytrust--vg-datalv
WARNING: device hytrust--vg-datalv will be added but will not have unique ID that ensures detection if disks are reordered or moved.
WARNING: This operation will destroy the contents of the disk. If you wish to preserve them, run "hcl encrypt" instead.
Do you want to proceed? (y/n) y
Encrypted device hytrust--vg-datalv (/dev/dm-2) attached; decrypted contents visible at /dev/mapper/clear_hytrust--vg-datalv
Creating file system ext3 on /dev/mapper/clear_hytrust--vg-datalv
--------------------------------------------------------------------------------
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: d3d987b4-4773-4e15-995d-a1669603db0a
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
--------------------------------------------------------------------------------
# hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: skc1:443
KeyControl list: skc1:443
Status: Connected

Registered Devices
--------------------------------------------------------------------------------
Disk Name            Cipher        Status     Clear
--------------------------------------------------------------------------------
hytrust--vg-datalv   AES-XTS-512   Attached   /dev/mapper/clear_hytrust--vg-datalv
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT

Available Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Size (in MB)
--------------------------------------------------------------------------------

Other Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Status
--------------------------------------------------------------------------------
sda1                 /dev/sda1      Mounted (/boot)
sdb                  /dev/sdb       LVM (hytrust-vg)
sda5                 /dev/sda5      LVM (sub1504-vg)
sub1504--vg-root     /dev/dm-0      Mounted (/)
sub1504--vg-swap_1   /dev/dm-1      Mounted (swap)
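Because LVM volumes carry no GUID, the hcl status listing is the record of which volumes are protected. The following added example (not HyTrust's code) parses that output to confirm a volume is registered and attached with the expected cipher, and to list volumes still under Available Devices, which are unencrypted; both status samples are constructed from the session above, trimmed to the sections the functions read.

```shell
# Added example, not HyTrust code: read `hcl status` text and report protection state.
# Both samples below are constructed from the page's session, not captured live.
STATUS_BEFORE=$(cat <<'EOF'
Registered Devices
--------------------------------------------------------------------------------
Disk Name            Cipher        Status     Clear
--------------------------------------------------------------------------------
Available Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Size (in MB)
--------------------------------------------------------------------------------
hytrust--vg-datalv   /dev/dm-2      100
EOF
)
STATUS_AFTER=$(cat <<'EOF'
Registered Devices
--------------------------------------------------------------------------------
Disk Name            Cipher        Status     Clear
--------------------------------------------------------------------------------
hytrust--vg-datalv   AES-XTS-512   Attached   /dev/mapper/clear_hytrust--vg-datalv
  '--> auto_attach=ENABLED, attach_handler=DEFAULT, detach_handler=DEFAULT
Available Devices
--------------------------------------------------------------------------------
Disk Name            Device Node    Size (in MB)
--------------------------------------------------------------------------------
EOF
)
# Emit the data rows of one section ($1 = title, stdin = status text), skipping
# rulers, column headers, blank lines and the indented '--> attribute line.
hcl_section_rows() {
  awk -v want="$1" '
    /^(Summary|Registered Devices|Available Devices|Other Devices)$/ { s = $0; next }
    /^-+$/ || /^Disk Name/ || /-->/ || NF == 0 { next }
    s == want { print }'
}
# Print "CIPHER STATUS CLEAR" for one registered disk; exit 1 if it is not registered.
registered_device_fields() {
  hcl_section_rows "Registered Devices" |
    awk -v n="$1" '$1 == n { print $2, $3, $4; f = 1 } END { exit !f }'
}
# Disks the Policy Agent sees but has not registered: these still hold cleartext.
unregistered_devices() { hcl_section_rows "Available Devices" | awk '{ print $1 }'; }
# Succeed only when the disk is Attached with the expected cipher (AES-XTS-512 on the page).
verify_encrypted() {  # $1 = disk name, $2 = expected cipher, stdin = status text
  fields=$(registered_device_fields "$1") || { echo "$1: not registered" >&2; return 1; }
  case "$fields" in
    "$2 Attached "*) return 0 ;;
    *) echo "$1: unexpected state: $fields" >&2; return 1 ;;
  esac
}
```

In use, feed the live output with `hcl status | verify_encrypted hytrust--vg-datalv AES-XTS-512` and alert on any name printed by `hcl status | unregistered_devices`.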
The clear-text device can now be formatted and mounted like any other block device. The session below also shows hcl rm, which removes the device from KeyControl and permanently destroys the data on it:
# mkfs /dev/mapper/clear_hytrust--vg-datalv
mke2fs 1.42.12 (29-Aug-2014)
/dev/mapper/clear_hytrust--vg-datalv contains a ext3 file system
        created on Tue May  3 17:54:22 2016
Proceed anyway? (y,n) y
Creating filesystem with 102400 1k blocks and 25688 inodes
Filesystem UUID: f4a9c9ca-d451-4d20-9a32-6cdf5de844d8
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

# mkdir /tmp/mnt
# mount /dev/mapper/clear_hytrust--vg-datalv /tmp/mnt
# hcl rm hytrust--vg-datalv
WARNING: Removal of devices will cause any data stored on them to be permanently lost.
Do you want to proceed? (y/n) y
Removed device hytrust--vg-datalv